Voluntary Reporting of Cybersecurity Incidents

Steven Bellovin

One of the problems with trying to secure systems is the lack of knowledge in the community about what has or hasn't worked. I'm on record as calling for an analog to the National Transportation Safety Board: a government agency that investigates major outages and publishes the results.

In the current, deregulatory political climate, though, that isn't going to happen. But how about a voluntary system? That has worked well in aviation; could it work for computer security? Per a new draft paper with Adam Shostack, Andrew Manley, Jonathan Bair, Blake Reid, and Pierre De Vries, we think it can.

While there's a lot of detail in the paper, there are two points I want to mention here. First, the aviation system is supposed to guarantee anonymity. That's easier in aviation, where, say, many planes are landing at O'Hare on a given day, than in the computer realm, where a detailed report often identifies the victim by itself. For that reason (among others), we're focusing on "near misses": it's less revelatory to say "we found an intruder trying to use the Struts hole" than to say "someone got in via Struts and personal data for 145 million people was taken".

From a policy perspective, there's another important aspect. The web page for ASRS, the aviation safety reporting system, is headlined "Confidential. Voluntary. Non-Punitive", with the emphasis in the original. Corporate general counsels need assurance that they won't be exposing their organizations to more liability by making such disclosures. That, in turn, requires buy-in from regulators. (It's also another reason for focusing on near misses: you avoid the liability question if the attack was fended off.)

All this is discussed in the full preprint, at LawArxiv or SSRN.

By Steven Bellovin, Professor of Computer Science at Columbia University

interesting, but  –  Anthony Rutkowski  –  Dec 05, 2017 10:06 AM PDT

The article was published five years ago.  A quick observation is that the investigation of aircraft related incidents is profoundly more simple, and all the parties have similar strong incentives and relatively the same trust levels to exchange threat information and the remediations.  That does not exist in the rather vast complicated world of networks and information systems overlaying all the jurisdictions of the world.  In the aviation world, you also have a relative handful of vendors and carriers who are dealing with relatively stable, very closed systems.

What provides some solace and a move forward since 2012 is the emergence of STIX as a common platform among so many parties for capturing and exchanging threat and remediation information. Getting beyond that will remain a challenge, notwithstanding the threat exchange mandates enacted in the U.S. and Europe, among other venues, in 2015.
