Following the SolarWinds incident that affected thousands of organizations in 2021, the United States government set out to better protect the nation's networks and critical infrastructure, starting with an Executive Order signed by President Biden.
Part of that Executive Order was establishing the Cyber Safety Review Board (CSRB), of which the Department of Homeland Security (DHS) announced the launch today.
According to the DHS, the CSRB "will review and assess significant cybersecurity events" so that both the public and private sector can improve their overall cybersecurity posture.
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), shared her thoughts on the CSRB:
"A continuous learning culture is critical to staying ahead of the increasingly sophisticated cyber threats we face in today's complex technology landscape.
Over two decades in the Army, I learned the importance of a detailed and transparent After Action Review process in unpacking both failures and successes. I'm thrilled today to appoint the distinguished members of our first ever Cyber Safety Review Board to take on the comparable challenge of ensuring that we fully understand and learn from significant cyber events that may threaten our nation.
I'm looking forward to the Board's insight and the lessons we'll learn and implement together across the cybersecurity community."
The Board that Easterly refers to is comprised of some of the nation's top cybersecurity leaders. There are 15 in total:
- Robert Silvers, Under Secretary for Policy, Department of Homeland Security (CSRB Chair)
- Heather Adkins, Senior Director, Security Engineering, Google (CSRB Deputy Chair)
- Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator; Co-Founder and former CTO, CrowdStrike, Inc.
- John Carlin, Principal Associate Deputy Attorney General, Department of Justice
- Chris DeRusha, Federal CISO, Office of Management and Budget
- Chris Inglis, National Cyber Director, Office of the National Cyber Director
- Rob Joyce, Director of Cybersecurity, National Security Agency
- Katie Moussouris, Founder and CEO, Luta Security
- David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
- Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
- Tony Sager, Senior VP and Chief Evangelist, Center for Internet Security
- John Sherman, CIO, Department of Defense
- Bryan Vorndran, Assistant Director, Cyber Division, FBI
- Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
- Wendi Whitmore, Senior VP, Unit 42, Palo Alto Networks
Robert Silvers, who will serve as the CSRB Chair, shared his excitement to be part of such an integral team:
"This is a once-in-a-generation opportunity to reshape how we draw lessons from cyber events and improve for the future. My colleagues on the CSRB are luminaries in the field and I am honored to serve alongside them as the Board’s chair. Together, we will conduct a thorough review and issue recommendations that will enable both our national leaders and the private sector to better secure our country."
Cyber Safety Review Board examines Log4j
The CSRB will waste no time getting to work, as there is obviously quite a lot to look at in the threat landscape. The Board will start with what has been the biggest focus for many in cybersecurity this year, the Log4j vulnerabilities.
"The CSRB's first review will focus on the vulnerabilities discovered in late 2021 in the widely used log4j software library. These vulnerabilities, which are being exploited by a growing set of threat actors, present an urgent challenge to network defenders. As one of the most serious vulnerabilities discovered in recent years, its examination will generate many lessons learned for the cybersecurity community. Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB's expertise."
The CSRB will deliver its first report this summer, which will include a review and assessment of vulnerabilities associated with the Log4j software library, recommendations for addressing any ongoing vulnerabilities and threat activity, and recommendations for improving cybersecurity and incident response practices and policy based on lessons learned from the Log4j vulnerability.
For more information on the U.S. Cyber Safety Review Board and its objectives, see the Department of Homeland Security announcement.
