The Department of Homeland Security (DHS) has officially formed the Cyber Safety Review Board (CSRB) called for in President Biden’s Cybersecurity Executive Order issued last year, and said the board’s first action will be to examine the Log4j software library vulnerability that emerged in December 2021 and to generate lessons learned for the cybersecurity community.
“These vulnerabilities, which are being exploited by a growing set of threat actors, present an urgent challenge to network defenders,” DHS said. “Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB’s expertise.”
“At the President’s direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors,” said DHS Secretary Alejandro Mayorkas. “I look forward to reviewing the Board’s recommendations regarding how we can better protect communities across our country as DHS works to build a more secure digital future.”
The board aims to deliver a report this summer covering:
- A review and assessment of vulnerabilities in the Log4j software library and associated threat activity and known impacts;
- Actions taken by the government and private sector to mitigate the impact of vulnerabilities;
- Recommendations to address ongoing vulnerabilities and threats; and
- Recommendations for improving security and incident response practices based on lessons learned from the Log4j vulnerability.
The board will share its findings with the public “to the greatest extent possible,” DHS said.
The CSRB features a who’s who of top Federal cybersecurity officials including: National Cyber Director Chris Inglis; Federal Chief Information Security Officer Chris DeRusha; Principal Associate Deputy Attorney General John Carlin; National Security Agency Cybersecurity Director Rob Joyce; Defense Department CIO John Sherman; FBI Cyber Division Assistant Director Bryan Vorndran; and David Mussington, executive assistant director for Infrastructure Security at the Cybersecurity and Infrastructure Security Agency (CISA).
CSRB members from the private sector include CrowdStrike co-founder Dmitri Alperovitch; Luta Security’s Katie Moussouris; Verizon Threat Research Advisory Center co-founder Chris Novak; Center for Internet Security Senior Vice President Tony Sager; Microsoft Assistant General Counsel-Digital Crimes Unit Kemba Walden; and Wendi Whitmore, Senior Vice President, Unit 42, at Palo Alto Networks.
“A continuous learning culture is critical to staying ahead of the increasingly sophisticated cyber threats we face in today’s complex technology landscape,” commented CISA Director Jen Easterly. “Over two decades in the Army, I learned the importance of a detailed and transparent After Action Review process in unpacking both failures and successes,” she said. “I’m thrilled today to appoint the distinguished members of our first ever Cyber Safety Review Board to take on the comparable challenge of ensuring that we fully understand and learn from significant cyber events that may threaten our nation.”