Discovery and Incident Identification

This section captures findings on how a board can discover that incidents have occurred and how to determine whether they merit investigation. The workshop identified many fascinating research questions, some very broad and others quite specific. For readability, we have enumerated research questions at the end of the document.
How Can A Board Become Aware Of Incidents?

Any investigator needs mechanisms by which they become aware of incidents to investigate. Unlike in aviation or surface accidents, most cyber incidents are not kinetic in nature — there is no explosion or crash site. Therefore, in order for a board to investigate, it will first need to discover that an incident took place. In aviation, the existence of pilot certificates and the ability for authorities to revoke them is a powerful incentive for pilots to comply with reporting requirements. Airlines are wary of crossing the FAA. More important, however, is that the lives of pilots, passengers, and people on the ground are at stake in any aviation accident. In contrast, there is a culture of secrecy around cybersecurity incidents due to fear of liability on the part of companies. Given this reality, the first challenge for any cyber investigative board is going to be discovery.
FINDING: Existing Incident Reporting Mechanisms Could Inform a Board

There are many requirements to report certain cybersecurity incidents to either regulators or the public. Yet there are also broad categories of incidents that do not require reporting and judgement calls that companies can make about when to report incidents. Those judgement calls impose hard-to-measure limits on what fraction of incidents are reported. An
Belfer Center for Science and International Affairs | Harvard Kennedy School