Featured Video
This Week in Quality Digest Live

More Videos

Risk Management Features
Inside Quality Digest Live for June 15, 2018
Dirk Dusharme @ Quality Digest
Smart factories, smart software, smarter people
Building the Story of Quality
Tim Lozier
Integration, harmonization, and risk-based thinking
NIST Updates Risk Management Framework to Incorporate Privacy Considerations
NIST
Helps organizations assess and manage risks to their information and systems
Sino-U.S. Trade: Truth From the Shop Floor
Ryan E. Day
We went to the gemba, and this is what we learned
Made in China: From Scary Bad to Scary Good
Dirk Dusharme @ Quality Digest
Part two: Chinese quality is improving. Fast!

More Features

Risk Management News
Dairy Giant Continues to Deliver With AuditComply
The audit solution provides 360-degree, real-time visibility into nonconformance status and completion
Innovative Change Management (ICM)
Preparing your organization for the new innovative culture
Webinar: New ISO Quality People Management Standards and ISO 10018 Certification
Standard recognizes that everyone is critical to a successful quality management process.
Support 5S and Safety Goals With Custom Personal Protection Equipment Signage
You won’t get lean until you get visual
Pharma Companies Expect Role of Quality Management Teams to Evolve in 2018
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals
Hands-On Workshops at IVT’s Quality Risk Management and Change Control 2018
Feb. 27–March 1, 2018, in San Diego
Information Management and Data Quality for Pharma Sector Conference
Nov. 27–29, 2017, in Berlin
ETQ Announces Acquisition by TCV
Strategic investment positions EtQ to accelerate innovation efforts and growth strategy
Seven Systems Principles You Need to Know Before Implementing IIoT
If you want to understand a system, try and change it

More News

Scott Shackelford

Risk Management

How Airplane Crash Investigations Can Improve Cybersecurity

The case for a cybersecurity safety board

Published: Wednesday, March 7, 2018 - 13:03

While some countries struggle with air safety, U.S. airplane travel has lately had a remarkable safety record. In fact, from 2014 through 2017, there were no fatal commercial airline crashes in the United States.

But those years were fraught with other kinds of trouble: security breaches and electronic espionage affected nearly every adult in the United States, as well as the power grid in Ukraine and the 2016 U.S. presidential campaign, to name a few. As a scholar of cybersecurity policy, I think it’s time that my own industry took some lessons from one of the safest high-tech transportation methods of the 21st century.

Similar to cybersecurity today, the early days of U.S. air travel weren’t regulated particularly closely. There were a huge number of accidents. Only after public tragedies struck did changes occur. In 1931, a plane crash in Kansas killed legendary Notre Dame football coach Knute Rockne. And in 1935, U.S. Sen. Bronson Cutting of New Mexico died in the Missouri crash of TWA Flight 6. These events helped contribute to the 1938 creation of the first U.S. Air Safety Board. However, it took until 1967 for the Department of Transportation to be created with an independent National Transportation Safety Board (NTSB).

Since then, the NTSB has rigorously investigated all airplane crashes and other transportation incidents in the United States. Its public reports about its findings have informed changes in government regulations, corporate policies, and manufacturing standards, making air travel safer in the United States and around the world.

As cybersecurity incidents proliferate around the country and the globe, businesses, government agencies, and the public shouldn’t wait for an inevitable disaster before investigating, understanding, and preventing cybersecurity breaches. Nearly a century after the original Air Commerce Act of 1926, calls are mounting for the information industry to take a page from aviation and create a cybersecurity safety board.

The flight plan to safer skies

The creation of the NTSB was the first independent agency charged with investigating the safety of various transportation systems, from highways and pipelines to railroads and airplanes. Since 1967, the NTSB has investigated more than 130,000 accidents.

These investigations are vital because they help establish the who, what, where, when, how—and perhaps why—behind an incident. After the facts are determined, policymakers can back up, and often have backed up, NTSB recommendations with new regulations. Failing that, it is common for air carriers, for example, to voluntarily implement changes the NTSB suggests. A similar approach could help improve the internet, a new technology that, like airplanes, is tying the world closer together even as it threatens our shared security.


Independent federal investigators study the causes of airline crashes and other transportation disasters.

The case for a cybersecurity safety board

Two elements of the NTSB may be particularly useful for enhancing cybersecurity. First, it separates fact-finding proceedings from any questions of legal liability. Second, these investigations are broad, involving various stakeholders like manufacturers and airline companies. Cyber space is similarly made up of a wide range of companies and technologies.

A cybersecurity safety board need not, in fact, be national. It could begin from the bottom up, with companies partnering to protect their customers by sharing best practices.

Critics of establishing a cybersecurity safety board would likely contend that the speed at which technologies change makes it difficult for any recommendations, even if they were quickly implemented, to sufficiently protect organizations from cyber attacks. NTSB investigations can take a year or more to ensure findings are still relevant, cybersecurity inquiries would need to be faster, such as by streamlining cyber forensics and relying on widely used tools such as the National Institute for Standards and Technology’s Cybersecurity Framework.

Other challenges include standardizing terminology across the industry and identifying the right experts to look into data breaches, which might be easier said than done, given the talent shortage among cybersecurity professionals. Broad-based cybersecurity educational programs, like a new partnership between the law, business, and computer science schools here at Indiana University, should be encouraged to help address this shortfall.

A path forward

Additional measures would likely be required to make a cybersecurity safety board successful, such as launching investigations only for serious breaches like those involving critical infrastructure.

More nations and regions, including the European Union, are imposing stringent requirements on companies that suffer data breaches, including mandatory reporting of cyber attacks within 72 hours and more rigorous preventive measures. Businesses, governments, and scholars around the world are working on how to improve data security. If they came together to support a global network of cybersecurity safety boards, their efforts could promote cyber peace for people and institutions alike.

The ConversationAll that is needed is the will to act, the desire to experiment with new models of cybersecurity governance, and the recognition that we should learn from history. As President Franklin D. Roosevelt famously said, “It is common sense to take a method and try it: If it fails, admit it frankly and try another. But above all, try something.”

This article was originally published on The Conversation. Read the original article.

Discuss

About The Author

Scott Shackelford’s picture

Scott Shackelford

Scott Shackelford is an associate professor of business law and ethics; the director of the Ostrom Workshop Program on Cybersecurity and Internet Governance; and the Cybersecurity Program chair at IU-Bloomington, Indiana University.