December 22, 2024
DHS Launches Cyber Review Board
First Investigation to Focus on Log4j Vulnerability
Robert Silvers, DHS
The Department of Homeland Security has set up the Cyber Safety Review Board to investigate cybersecurity incidents that impact U.S. national security.

Signaling its commitment to blocking cyberattacks against U.S. critical infrastructure, the Department of Homeland Security last week stood up the Cyber Safety Review Board (CSRB), a body that brings together public- and private-sector members to review significant cyber incidents.

The CSRB is the product of an executive order issued by President Biden last year in response to the Colonial Pipeline ransomware attack. (See Biden Directs Federal Cybersecurity Overhaul.) At the time, the White House said Biden’s order was intended to “encourage private companies to follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”

The board’s chair is Robert Silvers, undersecretary for policy at DHS; the vice chair is Google Senior Director for Security Engineering Heather Adkins. Currently there are 15 members; according to the CSRB’s charter, up to 20 people can participate. Representation is required from the departments of Defense, Justice and Homeland Security; the Cybersecurity and Infrastructure Security Agency (CISA); the National Security Agency; and the FBI.

Appointees from Microsoft, Verizon, the FBI, the NSA and cybersecurity firm CrowdStrike have also joined the board, along with National Cyber Director Chris Inglis. The group’s responsibilities are “solely advisory in nature”; it reports to Homeland Security Secretary Alejandro Mayorkas through CISA Director Jen Easterly, who is also responsible for its budget and for convening its meetings.

The board’s objectives are to “review and assess … threat activity, vulnerabilities, mitigation activities and agency responses” relating to significant cyber incidents, which 2016’s Presidential Policy Directive 41 defines as a cyber incident or group of incidents that will likely cause harm to U.S. national security or economic interests, foreign relations, or the liberties or public health and safety of the American people.

‘Most Serious Vulnerability’ Targeted First

For its first review, the CSRB will investigate the Log4Shell vulnerability disclosed in December, which Easterly has called “the most serious vulnerability that I have seen in my decades-long career.” The zero-day vulnerability (so called because it was being exploited in the wild before a fix was generally available) in the Apache Log4j logging library lets an unauthenticated remote attacker execute code on, and thereby take control of, affected systems.

Log4j is an open-source Java library that applications use to record errors and routine events, which makes it a standard component of software in industries from gaming to finance. It is therefore embedded in millions of devices and applications worldwide, giving attackers a wealth of targets for a flaw that security researchers describe as relatively simple to exploit: vulnerable versions resolve lookup expressions embedded in any string they log, so a specially crafted value in a web request header or form field that the application happens to log is enough to trigger it.

The CSRB plans to issue its first report this summer. The document will review all vulnerabilities associated with Log4j, including threat activity and known impacts; mitigating actions taken by the public and private sectors; recommendations for addressing ongoing vulnerabilities and threat activity; and recommendations, drawn from the Log4j experience, for improving cybersecurity and incident response policies more generally. A public version of the report will be available “with appropriate redactions for privacy and to preserve confidential information.”

“This is a once-in-a-generation opportunity to reshape how we draw lessons from cyber events and improve for the future,” Silvers said in a press release. “My colleagues on the CSRB are luminaries in the field, and I am honored to serve alongside them as the board’s chair. Together, we will conduct a thorough review and issue recommendations that will enable both our national leaders and the private sector to better secure our country.”
