White House creates board to review cybersecurity incidents, members to start with Log4J

The Department of Homeland Security announced the creation of a new Cyber Safety Review Board that will bring together cybersecurity experts from public and private organizations to “review and assess significant cybersecurity events.”

The board was part of the executive order that President Joe Biden signed last year. Experts have long urged the federal government to create an organization for cybersecurity incidents akin to the National Transportation Safety Board, which investigates airplane crashes and transportation incidents. 

Homeland Security secretary Alejandro Mayorkas said the board will “thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors.”

DHS said the board will start its first work on issues related to Log4J because vulnerabilities associated with the software library “are being exploited by a growing set of threat actors” and “present an urgent challenge to network defenders.”

“As one of the most serious vulnerabilities discovered in recent years, its examination will generate many lessons learned for the cybersecurity community. Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB’s expertise,” DHS explained. 

When asked by ZDNet why the board was working on Log4J before examining the range of issues connected to the SolarWinds scandal, a DHS spokesperson said the federal government and private sector have conducted “various reviews” of the compromise over the past year and decided the best use of the Cyber Safety Review Board’s expertise is to focus its initial review on the vulnerabilities in Log4J software library and associated remediation processes.

They noted that the Log4J software library is used widely, is relatively easy to exploit and could cause significant impact on a network. The DHS spokesperson said the board’s review and recommendations “will take into consideration existing findings and recommendations related to the activities that prompted the December 2020 Cyber Unified Coordination Group (i.e., “the SolarWinds incident”) to include any elements related to the existence and exploitation of vulnerabilities or the response to the events.”

The board will have 15 members who will offer recommendations to DHS and the White House. DHS under secretary for policy Robert Silvers will serve as chair and Google’s senior director for security engineering Heather Adkins will be deputy chair. 

CISA director Jen Easterly will appoint the board’s members and will be in charge of managing, supporting and funding the effort. 

The first report from the board will be finished by the summer and will list actions taken by both the government and the private sector to mitigate the Log4J issue. 

The board’s members will also offer recommendations for how to address associated threat activity and more general advice for “improving cybersecurity and incident response practices and policy based on lessons learned from the Log4J vulnerability.”

A redacted version of the report will be released to the public, according to DHS. 

Silvers said he and the other members of the board “are luminaries in the field” and that he was honored to serve alongside them as the Board’s chair. 

“When a major cyber incident occurs, it impacts all of us,” Adkins added. “The CSRB is a ground-breaking opportunity to conduct holistic reviews and provide forward-thinking solutions that cut across organizations and sectors. I am honored to serve with this diverse array of talent from both private companies and the U.S. government as we launch this inaugural review.”

The other members of the board include Dmitri Alperovitch, co-founder and chairman of the Silverado Policy Accelerator, DOJ principal associate deputy attorney general John Carlin, federal chief information security officer at the Office of Management and Budget Chris DeRusha, National Cyber Director Chris Inglis, NSA cybersecurity director Rob Joyce, Luta Security founder Katie Moussouris, CISA executive assistant director for infrastructure security David Mussington, Verizon Threat Research Advisory Center co-founder Chris Novak, Center for Internet Security senior vice president Tony Sager, Department of Defense CIO John Sherman, FBI assistant director Bryan Vorndran, Microsoft assistant general counsel Kemba Walden and Palo Alto Networks senior vice president Wendi Whitmore. 

Experts lauded the creation of the cyber review board, with many noting that the country has long needed experts to review significant cyber events to provide unified responses to urgent situations. 

AttackIQ’s Jonathan Reiber, the former chief strategy officer for Cyber Policy in the Office of the US Secretary of Defense during the Obama administration, told ZDNet that officials need to learn from past events, codify lessons, and then communicate those lessons to the world.

“Having such a talented team of thinkers and communicators — from the likes of Dmitri Alperovitch to Kate Moussouris, to everyone else on the list — that reviews major cybersecurity events and shares recommendations will be a huge help,” Reiber said. “Their insights will help organizations in both the private and public sectors make strategic changes and improve cybersecurity readiness.” 

Other experts, like Bugcrowd founder Casey Ellis, lauded the board for starting with a problem like Log4J because it revealed a raft of adjacent and systemic weaknesses on a uniquely large scale. An examination of the issue will provide more information about open source supply chain security, dealing with unsophisticated and sophisticated adversaries at the same time, post-patch product recertification and regression analysis and more, according to Ellis. 

He added that it will be good to have an answer to the question: “what do we do if things hit the fan over the holiday season.”  

Vulcan Cyber engineer Mike Parkin noted that the board will have no regulatory authority, prompting further questions about how their recommendations will be used in the real world. 

Some took a more critical view of the effort, wondering whether the findings of the board will be translated into action. 

“Fundamentally, we have to ask ourselves — is there a lack of analysis towards lessons learned that is perpetuating cyber risks? Or a lack of follow through and accountability that is perpetuating cyber risks? That is to say, a need for the creation of new knowledge or the will to implement existing knowledge?” said Tim Wade, technical director at Vectra. 

“My personal bias is a belief towards the latter, so my expectations for the effectiveness of such a board hinge on its capacity to force action.”