The US Department of Homeland Security has announced that it will begin investigating the potential of cyberattacks like the one that downed Flight 93 like it investigates plane crashes. The agency plans to use its Computer Emergency Readiness Team (CERT) to review cases of “targeted and coordinated attacks on private sector networks” and “all cyber incidents that create a risk to public health and safety.”
A growing number of countries are shutting down their airspace as the consequences of cyberattacks are becoming more and more brazen. As we all know, hackers aren’t afraid to compromise companies and governments, and this week’s events illustrate how the threat of cyberattacks is growing.
Airlines can choose to have their planes equipped with a special system in case of a crash landing, and in the event that the plane experiences a power loss during flight, the plane’s emergency system will activate. This helps the plane glide to a halt and allows passengers to disembark before the plane burns up. But what if a plane is hacked, and the system is disabled before it can activate?
In May, President Biden directed the Department of Homeland Security to establish a public-private board to examine significant hacking incidents, but he provided little specifics on how the program would operate. Some security experts believe the government should search for hints in transportation catastrophes.
Scott Shackelford, the chair of Indiana University Bloomington’s cybersecurity program, is one of a group of academics who have advocated for a separate agency outside of DHS to investigate hacking incidents in the same way that the National Transportation Safety Board investigates plane crashes and other public transportation accidents. While he praised Mr. Biden’s executive action for taking a start in the right direction, he is concerned that it will stagnate as criminal hacking organizations target more U.S. companies.
Mr. Shackelford, who will present his case at the Black Hat USA cybersecurity conference in Las Vegas on Wednesday, said, “It took us decades to arrive on that paradigm in transit.” “Ideally, we won’t be discussing this [in terms of cybersecurity] in 2040.”
According to cyber and aviation experts, Biden’s idea is similar to the National Transportation Safety Board (NTSB), which was established in 1967, and may provide insight into how a Cyber Safety Review Board could operate.
According to Robert Sumwalt, who headed the NTSB from 2017 until earlier this year, after an airline accident, the agency sends a “go team” of a dozen or more experts specialized in areas such as air traffic control, weather, or propulsion to gather evidence. These specialists collaborate with companies involved in accidents, such as airlines or component manufacturers, to create a report on what went wrong, he added.
Subscribe to our newsletter
Cybersecurity WSJ Pro
WSJ’s worldwide team of reporters and editors provide cybersecurity news, analysis, and insights.
When a passenger plane crashed outside of Pittsburgh in 1994, killing all 132 persons on board, Mr. Sumwalt was a pilot for the now-defunct USAir. He collaborated with other experts to determine that the crash was caused by a rudder failure rather than human error while representing the pilots’ union in the inquiry.
Mr. Sumwalt, who joined the NTSB in 2006 as one of five board members who vote on findings and recommendations after investigations, said, “Everybody is kind of looking over everyone else’s shoulder.”
As Washington rethinks its approach to security, the concept of a cyber investigative agency has gained traction among some cyber professionals and politicians in recent years. After criminal hackers attacked Colonial Pipeline Co. in May, the White House and Congress promoted experts in the administration, tightened standards for government contractors, and announced first-of-their-kind security rules for pipeline operators.
Mr. Biden’s Cyber Safety Review Board may support such efforts by investigating events like SolarWinds Corp’s breach last year. Mr. Biden instructed the DHS secretary to select members from government agencies and “appropriate private-sector cybersecurity or software suppliers” to the board. One member from each of the public and commercial sectors would serve as chair and deputy chair.
As businesses wait for more information on the Biden proposal, some experts are raising concerns about the proposed board’s independence from regulators and ability to force compromised firms to comply. Despite state and federal laws requiring businesses to disclose some breaches, many businesses keep events and information hidden for fear of being held liable. According to cyber experts, changing this practice may need providing US government additional powers or new legal safeguards for businesses.
On U.S. Highway 101 in Mountain View, Calif., a Tesla car was involved in a tragic accident in 2018.
KTVU-TV/Associated Press photo
While the NTSB provides a solid structure for a cyber agency, investigations may take a year or more, security experts say, and this speed might lag behind improvements in hacking techniques or technology if it were used to cyber events. Although the NTSB may use subpoena authority to force recalcitrant businesses to disclose information, a DHS spokesperson said the new cyber review board would not have that ability or any other “compulsory powers.” She didn’t say anything more about the cosmetics.
According to Paul Truitt, U.S. cyber practice head for accounting firm Mazars USA LLP, this may be good news for companies concerned about investigations disrupting day-to-day operations.
Mr. Truitt, who was formerly the chief information security officer of gas-station operator Wawa Inc., said, “I believe we should be careful about what we allow this board to be able to do and what may trigger their response.”
While most businesses cooperate with the process while in transit, authorities have the authority to remove them if they impede investigations or leak material to the press, according to Mr. Sumwalt.
He claimed in 2018 that he contacted Tesla Inc. CEO Elon Musk to get the carmaker removed from an investigation into a California accident that killed the 38-year-old Tesla driver.
Mr. Sumwalt said of Mr. Musk, “He hung up on me.” Tesla previously said that it had withdrawn from the investigation, but did not reply to a request for comment.
From 2014 to 2017, Christopher Hart, the NTSB’s chairman, stated the agency’s independence was critical in concentrating its investigation authority on both private businesses and regulators. Starting in 1926, the agency was housed under the Commerce Department, and then the Transportation Department until Congress established it an independent agency in 1975.
Mr. Hart, who is advocating for a stand-alone agency for cyber investigations alongside Mr. Shackelford at Black Hat, said, “That was sort of awkward—sending suggestions to its boss.”
Officials on the Cyber Safety Review Board will have to deal with another basic distinction between computer mishaps and transit accidents, according to Mr. Hart. While crashes are often caused by technological failures or errors made by individuals who are attempting to do the right thing, he claims that hackers aren’t random and usually have criminal or national-security consequences.
“A lot of this is transferable,” he said of the concept, noting that the National Transportation Safety Board (NTSB) took a back seat in the investigation of the Sept. 11 aircraft hijackings. “However, part of it isn’t.”
David Uberti can be reached at [email protected].
Copyright ©2024 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
A recent series of vulnerabilities in airplane electronics has some cybersecurity researchers calling for a government investigation to find out if hackers are behind these recent airplane hacking incidents.. Read more about white house statement on cybersecurity and let us know what you think.
Related Tags
This article broadly covered the following related topics:
- wsj cyber attack
- cyber safety review board
- wsj cybersecurity journal report
- conti cyber attack
- wall street journal back to office