Reporting and Data Usage

Any investigations board will maximize the impact of its investigations by publishing its reports to the extent practicable. Independent, thoughtful and reliable investigations are rare in cybersecurity. There is a lack of reliable data about incidents that can be used to build a coherent and consistent narrative about what has actually happened in cybersecurity, much less around which to build policy and incident response plans. Often, when reliable data is produced, it can disappear as links rot on the internet. There are few sources of truth, and little incentive to build careful history.
What values can be improved by public reporting?

There is value in a shared narrative about the major events in cybersecurity. The lack of a shared set of facts about an incident in its immediate aftermath means that the defender community is often attempting to shift tactics and implement tools in response to an incident that they do not fully understand. In the case of the 2011 RSA hack, there was a great deal of contemporaneous reporting. However, a decade later, when nondisclosure agreements expired, important new facts emerged about that incident. That reporting states that multiple opportunities to detect and stop the attacker were missed. Many of these mistakes happened prior to the loss of the seed values for the then heavily relied-on authentication devices sold by RSA.[67] Rapid investigation with published results would have proved valuable.

In many ways, the snarky Twitter hot take can appear to be the extent of analysis that's published. Frequently, a claim is put forth that something that wasn't done was "security 101." It is unfortunately rare that those making those claims point to a list, such as an actual introductory ("101") course. The disrespect and snark that are often heaped on victims are not helpful. Respectful, thoughtful analysis is rare.
[67] Andy Greenberg, "The Full Story of the Stunning RSA Hack Can Finally Be Told," Wired, May 20, 2021, https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/
Learning from Cyber Incidents: Adapting Aviation Safety Models to Cybersecurity