Why an NTSB Wouldn’t Be Helpful For Ransomware


Twitter is great for quick ideas that may or may not be useful. I had one the other day:

After posting it and reading a few comments I realized why the analogy between plane crashes and ransomware events doesn't really hold. At least not yet. I thought the reason it doesn't hold was worth a short piece.

Basically, the reason the NTSB is so effective at its job comes down to two things:

  1. The number of variables it’s looking at are relatively known and finite

  2. They have the influence to actually effect change in the airline industry

Taking the first one, planes haven't changed all that much in the last four decades. They're getting bigger and more technologically advanced, of course, but a plane from the 1980s largely functions the same way as a plane in the 2020s. The plane is controlled the same way, i.e., by adjusting thrust combined with the control surfaces on the wings and the tail.

The other area for fault is even more similar: humans—namely the pilots. So the knowledge largely accumulates when it comes to stopping crashes, and when something goes wrong we have a good idea of where to look.

And secondly, if the NTSB or any similar agency were to find a fault in a technical system, or in the procedures that humans use to fly planes, they could write a scathing report and people are likely to listen. Especially if they have evidence that an accident was caused by this issue.

Not so with ransomware.

First, the number of variables in IT is overwhelming. Business IT systems are not tubular fuselages with wings, a tail, and flaps that haven’t changed much since the 1960s. Sales and accounting could be analogs to those things, but they’re not represented physically anymore like on a plane.

If anything, modern IT systems are a virtual airplane that can be changed—or even deleted—via code. So while modern airplanes might have computer control systems, they at least still have actual wings and flaps, which interact with actual air outside the plane.

Even more different are the humans involved. In air travel, humans are locked down to specific behaviors that are strictly controlled by internationally approved checklists. Pilots used to bring their raw training and talent into the cockpit, and planes crashed a lot. Now everything is checklists and they crash very rarely.

So if a plane does crash, one of the first things the NTSB looks at is whether the pilots deviated from standard operating procedure. And that procedure is extremely specific. Everyone takes off the same. Everyone lands the same. Etc.

Plus they have massive amounts of data from all the systems on the plane to be able to find deviations from baseline.

And that’s the key right there. With flying there is a normal. There’s a standard—both for the tech of the airplane and for the humans that are running it.

With IT it’s a wonder anything works at all. It’s a Mad Max scene on a rock floating in a magma river.

All the tech is virtual, not actual metal interacting with air. If Salesforce goes down you no longer have a plane. You’re just people sitting in the sky. In chairs.

And people running business tech don't generally have unified checklists. Or more specifically (and horrifically), there are lots of unified checklists. If things were standardized we wouldn't see a constant migration of collaboration tools in the industry, with today's documentation Valhalla being tomorrow's graveyard.

Basically, the average business running day-to-day on IT systems is a dumpster fire inside of a wood chipper—but all inside of Minecraft.

So if you called a Cyber NTSB into a business that had been hit with ransomware, they wouldn’t be able to help much.


They couldn’t ask for logs because they may or may not exist. They couldn’t ask for deviations of protocol because the protocol is YOLO. And there’s no physical black box or plane to inspect because that was all code that may have been changed or deleted during the incident.

In short, we don’t have an industry that’s serious and adult enough to get use out of an NTSB. They need a haystack to look for needles in, and we’re not mature enough to provide one.

I think we’re going to see a big market for “Assumption of Total Loss” solutions in the SME space. ATL Solutions.

Basically a unified solution for everything across CRM, Finances, Scheduling, Computing Environment, etc., all of which is being constantly saved offline.

So if the business ever gets disrupted you just zap the whole thing and get a fresh image. New machines, an up-to-date instance of your books, calendars, data, etc.

Of course these systems will also be attacked by ransomware, which is why the offline copies have to stay out of reach of the environment they protect, and why the restore has to actually be tested before the day it's needed.

Fire? Earthquake? Ransomware? Remote employees? Onsite employees? Doesn't matter. Zap and restore.

This will only work for relatively new businesses that are small enough to have everything in such a system, or companies that are willing to go through the hard process of migrating into that kind of solution, but I think the ransomware threat might actually push us in this direction.

Anyway, back to the NTSB.

It’d be nice to have one for cyber, but it’s not realistic right now and probably won’t be for a very long time.

If the only thing they could do is show up and tell you that you’re a soup sandwich, that’s not providing much value.


  1. I thought of this old post of mine while I was writing this, and it came up in my Related Posts plugin as well. Worth the read if you’re willing to be even more depressed: Technical Professions Progress from Magical to Boring