What cybersecurity investigators can learn from airplane crashes

Publication Type: 
Other Writing
Publication Date: 
February 21, 2018

While some countries struggle with safety, U.S. airplane travel has lately had a remarkable safety record. In fact, from 2014 through 2017, there were no fatal commercial airline crashes in the U.S.

But those years were fraught with other kinds of trouble: Security breaches and electronic espionage affected nearly every adult in the U.S., along with the power grid in Ukraine and the 2016 U.S. presidential campaign, to name a few. As a scholar of cybersecurity policy, I think it’s time that my own industry took some lessons from one of the safest high-tech transportation methods of the 21st century.

Like today in cybersecurity, the early days of U.S. air travel weren’t regulated particularly closely. And there were a huge number of accidents. Only after public tragedies struck did changes occur. In 1931, a plane crash in Kansas killed legendary Notre Dame football coach Knute Rockne. And in 1935, U.S. Sen. Bronson Cutting of New Mexico died in the Missouri crash of TWA flight 6. These events helped contribute to the 1938 creation of the first U.S. Air Safety Board. But it took until 1967 for the new Department of Transportation to be created with an independent National Transportation Safety Board.

Since then, the NTSB has rigorously investigated all airplane crashes and other transportation incidents in the U.S. Its public reports about its findings have informed changes in government regulations, corporate policies and manufacturing standards, making air travel safer in the U.S. and around the world.

As cybersecurity incidents proliferate around the country and the globe, businesses, government agencies and the public shouldn’t wait for an inevitable disaster before investigating, understanding and preventing these failures. Nearly a century after the original Air Commerce Act in 1926callsincluding my ownare mounting for the information industry to take a page from aviation and create a cybersecurity safety board.

Read the full piece at The Conversation