Some Cyber Experts Want to Investigate Hacks Like Plane Crashes

Scott Shackelford, chair of Indiana University Bloomington’s cybersecurity program, is among a group of academics who have advocated for a separate agency outside of DHS to dissect hacks the way the National Transportation Safety Board does plane crashes and other transit accidents. While he applauded Mr. Biden’s executive order for taking a step toward the idea, he fears it could stall as criminal hacking groups target more U.S. businesses.

“It took decades for us to land on that model in transit,” said Mr. Shackelford, who is presenting his case Wednesday at the Black Hat USA cybersecurity conference in Las Vegas. “Ideally, we won’t still be talking about this [for cybersecurity] in 2040.”

Cyber and aviation experts say the Biden proposal bears parallels to the NTSB, formed in 1967, offering hints on how a Cyber Safety Review Board might function.

After an airline crash, the NTSB dispatches a “go team” of a dozen or more people specializing in areas such as air-traffic control, weather or propulsion to collect evidence, said Robert Sumwalt, who chaired the agency from 2017 to earlier this year. Those experts study findings alongside firms involved in incidents, including airline carriers or parts makers, to produce a report on what went wrong, he said.

Mr. Sumwalt was a pilot for now-defunct USAir in 1994 when a passenger jet crashed outside of Pittsburgh, killing all 132 people on board. Representing the pilot’s union in the investigation, he worked with other analysts to deduce that the accident stemmed from a rudder malfunction rather than human error.

“Everybody is sort of looking over everyone else’s shoulder,” said Mr. Sumwalt, who joined the NTSB in 2006 as one of five board members who vote on reports and recommendations after probes.

The idea of a cyber investigative agency has gained prominence among some cyber experts and lawmakers in recent years as Washington rethinks its approach to security. The White House and Congress this year have elevated specialists in the administration, tightened requirements for federal contractors and unveiled first-of-their-kind security regulations for pipeline operators after criminal hackers targeted Colonial Pipeline Co. in May.

Mr. Biden’s Cyber Safety Review Board could complement such efforts by analyzing incidents such as last year’s hack of SolarWinds Corp. In his executive order, Mr. Biden told the DHS secretary to appoint representatives to the board from federal agencies and “appropriate private-sector cybersecurity or software suppliers.” A chair and deputy chair would also include one person apiece from the public and private sectors.

As businesses await details of the Biden initiative, some experts question the proposed board’s independence from regulators and authority to compel hacked companies to cooperate. Despite state and federal requirements that firms report certain breaches, many companies keep incidents and their details secret for fear of liability. Changing that behavior could require giving new authorities to U.S. officials or new legal protections for companies, cyber experts say.

While the NTSB offers a good framework for a cyber agency, its investigations often take a year or more, a pace that could fall behind changes in hacking tactics or technology if applied to cyber incidents, security experts say. And though NTSB officials can compel uncooperative companies to provide information through subpoenas, a DHS spokeswoman said the new cyber review board won’t have subpoena power or other “compulsory authorities.” She offered few other details on its makeup.

That could be welcome news to businesses that fear investigations could disrupt day-to-day work, said Paul Truitt, U.S. cyber practice leader for accounting firm Mazars USA LLP.

“I think we ought to be cautious about what we authorize this board to be able to do, and what can trigger their action,” said Mr. Truitt, formerly the chief information security officer of gas-station chain Wawa Inc.

While most firms play ball with the process in transit, Mr. Sumwalt said, officials can remove them if they obstruct inquiries or release information to the press.

In 2018, he said he called Tesla Inc. Chief Executive Elon Musk to boot the car maker from a probe into a California accident that killed the 38-year-old driver of a Tesla electric vehicle.

“He hung up on me,” Mr. Sumwalt said of Mr. Musk. Tesla, which didn’t respond to a request for comment, previously said it withdrew from the inquiry.

Christopher Hart, who chaired the NTSB from 2014 to 2017, said the agency’s independence was key in focusing its investigative power on both private companies and regulators. Earlier iterations of the agency sat within the Commerce Department, starting in 1926, and the Transportation Department, from 1967 until Congress made it an independent agency 1975.

“That was kind of awkward—sending recommendations to its boss,” said Mr. Hart, who is arguing for a stand-alone agency for cyber investigations alongside Mr. Shackelford at Black Hat.

There is another fundamental difference between computer incidents and transit accidents that officials on the Cyber Safety Review Board will face, Mr. Hart said. While crashes often stem from technical malfunctions or mistakes by people trying to do the right thing, he said, hacks aren’t accidents and typically carry criminal or national-security implications.

“A lot of this is transferable,” he said of the model, adding that the NTSB took a back seat in investigating the Sept. 11 plane hijackings. “But some of this isn’t.”

Write to David Uberti at [email protected]