New Cyber Safety Review Board Will Tackle Log4j Debacle First

DHS has launched the long-awaited Cyber Safety Review Board (CSRB) to assess major cybersecurity incidents and make recommendations for improvements. After a year in the making, the CSRB is first setting its sights on Log4j.

Patterned in part after the National Transportation Safety Board, which investigates aviation and other transportation disasters and recommends measures to prevent them from recurring, the CSRB will probe cybersecurity incidents and offer an after-action review.

After a series of high-profile data breaches and cyberattacks, including the SolarWinds campaign and the ransomware attack that prompted Colonial Pipeline to shut down a major pipeline serving the East Coast and much of the southern U.S., President Biden issued an executive order aimed at improving cybersecurity. Among other things, it called for the creation of a CSRB made up of members from both the public and private sectors.

Calling the administration’s actions “bold steps to meaningfully improve our cybersecurity resilience,” Secretary of Homeland Security Alejandro N. Mayorkas said in a release that the board will “thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors. I look forward to reviewing the board’s recommendations regarding how we can better protect communities across our country as DHS works to build a more secure digital future.”

The board aims to provide insights and recommendations that stem the tide of crippling attacks and keep history from repeating itself.

“A continuous learning culture is critical to staying ahead of the increasingly sophisticated cyber threats we face in today’s complex technology landscape. Over two decades in the Army, I learned the importance of a detailed and transparent after-action review process in unpacking both failures and successes,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA).

“The focus of the newly formed Cyber Safety Review Board (CSRB) on analyzing past incidents to help prevent future ones is a welcome change from focusing on who to blame when something goes wrong,” said Mike Parkin, engineer at Vulcan Cyber. “Its work will, hopefully, augment the work being done by other public/private partnerships, such as InfraGard.”

When Biden first floated the idea of the CSRB, it was unclear who would populate the board, how it would operate and how it would get started. Last week’s announcement from DHS answered those questions, at least partially.

In its inaugural probe, the board will tackle Log4j, the widely used Apache Java logging library, and the vulnerabilities that sent security teams scrambling to find and remediate every instance of it, including the many copies bundled inside applications rather than installed on their own. The board will explore the vulnerabilities and the threats associated with them, as well as the impact they had on organizations, and it will assess the steps both the private and public sectors took to mitigate the flaws.
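The "find every instance" problem is the part of the Log4j response most organizations struggled with, because log4j-core usually ships inside application archives (a jar inside a war inside an ear) rather than as a separately installed package. The script below is an added example, not code from the article or from any of the organizations it quotes. It walks a directory, opens every archive it finds, recurses into nested archives, reads the version from the Maven `pom.properties` that log4j-core carries, and checks whether the `JndiLookup` class (the piece that the interim "delete the class" mitigation removed) is still present. It assumes the fixed-version floors for the Log4Shell chain of CVEs (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832): 2.17.1 for Java 8 and later, 2.12.4 for the Java 7 line and 2.3.2 for the Java 6 line; none of those identifiers or version numbers appear on the page. The sample archives at the bottom are constructed in memory so the script runs offline.

```python
"""Locate bundled Apache log4j-core copies and triage them against the Log4Shell fixes.

Added example (not from the article). Assumptions: Maven metadata is present at
POM_PATH inside log4j-core jars, and the fixed-version floors in fixed_floor()
are the final releases that closed the CVE-2021-44228/45046/45105/44832 chain
on each Java baseline.
"""
import io
import os
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 4  # assumption: ear -> war -> jar nesting never goes deeper than this


def parse_version(text):
    """Maven version string -> comparable 3-tuple ('2.14.1' -> (2, 14, 1)).

    '2.0-beta9' becomes (2, 0, 9); pre-release 2.0 builds are therefore treated
    conservatively as older than every fixed release and get flagged.
    """
    nums = [int(x) for x in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def fixed_floor(version):
    """Earliest release on the same Java baseline that closed the Log4Shell CVE chain."""
    if version[:2] == (2, 3):   # Java 6 line
        return (2, 3, 2)
    if version[:2] == (2, 12):  # Java 7 line
        return (2, 12, 4)
    return (2, 17, 1)           # Java 8+ line


def classify(version_text, has_jndi_lookup):
    """Triage one log4j-core instance. Returns a short status string."""
    if version_text is None:
        # JndiLookup class present but no Maven metadata (shaded or repackaged jar):
        # the version cannot be proven, so surface it for manual review.
        return "unknown_version"
    v = parse_version(version_text)
    if v[0] != 2:
        return "not_log4j2"  # defensive; 1.x uses a different groupId anyway
    if v >= fixed_floor(v):
        return "patched"
    return "vulnerable" if has_jndi_lookup else "jndi_class_removed"


def scan_archive(data, label, findings=None, depth=0):
    """Inspect one archive given as bytes and recurse into archives it contains."""
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PATH in names:
            props = zf.read(POM_PATH).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if m:
                version = m.group(1).strip()
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append({"path": label, "version": version,
                             "jndi_lookup_present": has_jndi,
                             "status": classify(version, has_jndi)})
        for n in sorted(names):
            if n.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(n), f"{label}!/{n}", findings, depth + 1)
    return findings


def scan_tree(root):
    """Walk a directory tree and scan every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def make_fake_log4j_core(version, include_jndi=True):
    """Constructed sample: a minimal jar carrying only the two markers the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def make_fake_war(inner_jars):
    """Constructed sample: a war whose WEB-INF/lib holds the given jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in inner_jars.items():
            zf.writestr(f"WEB-INF/lib/{name}", data)
    return buf.getvalue()


if __name__ == "__main__":
    war = make_fake_war({"log4j-core-2.14.1.jar": make_fake_log4j_core("2.14.1"),
                         "log4j-core-2.17.1.jar": make_fake_log4j_core("2.17.1")})
    for finding in scan_archive(war, "app.war"):
        print(finding["status"], finding["path"], finding["version"])
```

Two caveats a practitioner should keep in mind. A `jndi_class_removed` result is not the same as patched: the class deletion only addresses the JNDI lookup path, and the later CVEs in the chain are not all JNDI-specific, so those instances still belong on the upgrade list. And the scanner only sees what is packaged: a shaded jar that relocated the `org.apache.logging.log4j` package, or a Log4j copy pulled in at runtime from outside the scanned tree, will not be found by path matching alone, which is why hash-based checks and runtime inventories were also used during the response.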

“Cyber safety is such an incredibly broad and evolving subject that I actually think it’s smart to pick a focal starting point. As a series of vulnerabilities, Log4j revealed a whole raft of adjacent and systemic weaknesses on a uniquely large scale—open source supply chain security, dealing with unsophisticated and sophisticated adversaries at the same time, post-patch product recertification and regression analysis, even having a good answer to the question ‘What do we do if things hit the fan over the holiday season?’” said Casey Ellis, co-founder and CTO at Bugcrowd. “Hopefully, the Cyber Safety Review Board will focus on these broader lessons and consequences, and not just Log4j itself.”

Security pros offered their own wish lists for the board. “We welcome this initiative. It will be important for the board to consider two major reports published last year that found that no effective shielding solutions were in place in mobile health apps: Secrets could be acquired from mobile health apps and used to attack APIs directly,” said George McGregor, vice president at Approov. “The research also highlighted well-known vulnerabilities found in some APIs and it was possible to use one user’s genuine credentials to access many other people’s PHI data.”

The board is expected to release a report on its findings in the summer. It will include recommendations for dealing with the ongoing threat from Log4j (continued exploitation and a recent CISA warning underscore that it is not over yet), along with broader guidance on cybersecurity and incident response practices and policy drawn from the Log4j experience.

“The new Cyber Safety Review Board could be quite valuable. In-depth reviews of major security incidents with recommendations for remediation and incident response practices can certainly be useful for organizations,” said Ray Kelly, fellow at NTT Application Security. “We will have to wait and see how the first report looks when they address the critical and ever-expanding Log4j vulnerability to determine if the level of detail and guidance is going to be helpful.”

Garret Grajek, CEO at YouAttest, hopes that identity will be a part of that report. “I am positive the CSRB will have many references to identities and the unfortunately sloppy way they are created, managed and reviewed in today’s enterprise. Hackers not only look for vulnerabilities in our infrastructure but also for our dormant, ghost and over-privileged accounts,” said Grajek. “These are serious vulnerabilities that the hackers exploit by using these accounts to stay persistent and laterally move across the enterprise seeking valued resources. In addition, they use their knowledge of the enterprise and often execute malware to escalate privileges. A mention of these identity issues surely will be in the CSRB report.”

But Parkin pointed out that the board has no regulatory authority. “It will be interesting to see how their results and recommendations are used in the real world.”

And Tim Wade, technical director, CTO Team, Vectra, said that a review and recommendations might not be enough. “Fundamentally, we have to ask ourselves, is there a lack of analysis toward lessons learned that is perpetuating cybersecurity risks? Or a lack of follow-through and accountability that is perpetuating cybersecurity risks?” said Wade. “That is to say, a need for the creation of new knowledge or the will to implement existing knowledge? My personal bias is a belief towards the latter, so my expectations for the effectiveness of such a board hinge on its capacity to force action.”

The board’s composition is also no longer a mystery. Easterly announced a roster of respected industry and government cybersecurity experts:

  • Robert Silvers, undersecretary for policy, Department of Homeland Security (CSRB Chair)
  • Heather Adkins, senior director, security engineering, Google (CSRB Deputy Chair)
  • Dmitri Alperovitch, co-founder and chairman, Silverado Policy Accelerator; co-founder and former CTO, CrowdStrike, Inc.
  • John Carlin, principal associate deputy attorney general, Department of Justice
  • Chris DeRusha, federal chief information security officer, Office of Management and Budget
  • Chris Inglis, national cyber director, Office of the National Cyber Director
  • Rob Joyce, director of cybersecurity, National Security Agency
  • Katie Moussouris, founder and CEO, Luta Security
  • David Mussington, executive assistant director for infrastructure security, Cybersecurity and Infrastructure Security Agency
  • Chris Novak, co-founder and managing director, Verizon Threat Research Advisory Center
  • Tony Sager, senior vice president and chief evangelist, Center for Internet Security
  • John Sherman, chief information officer, Department of Defense
  • Bryan Vorndran, assistant director, cyber division, Federal Bureau of Investigation
  • Kemba Walden, assistant general counsel, digital crimes unit, Microsoft
  • Wendi Whitmore, senior vice president, Unit 42, Palo Alto Networks

Teri Robinson