Earlier this week, the U.S. Department of Homeland Security (DHS) announced the establishment of the Cyber Safety Review Board (CSRB), as directed in President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity. The CSRB is a public-private initiative that will bring together government and industry leaders to elevate U.S. cybersecurity.
The CSRB will review and assess significant cybersecurity events so that government, industry, and the broader security community can better protect the nation's networks and infrastructure. The CSRB's first review will focus on the vulnerabilities discovered in late 2021 in the widely used Log4j software library. These vulnerabilities, which are being exploited by a growing set of threat actors, present an urgent challenge to network defenders. Because the Log4j vulnerability is one of the most serious discovered in recent years, examining it will generate many lessons learned for the cybersecurity community. The White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB's expertise.
The CSRB is composed of 15 cybersecurity leaders from the federal government and the private sector. Robert Silvers, DHS Under Secretary for Policy, will serve as Chair, and Heather Adkins, Google's Senior Director for Security Engineering, will serve as Deputy Chair. DHS's Cybersecurity and Infrastructure Security Agency (CISA) will manage, support, and fund the Board. CISA Director Jen Easterly is responsible for appointing CSRB members, in consultation with Under Secretary Silvers, and for convening the Board following significant cybersecurity events. The other CSRB members are:
- Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator; Co-Founder and former CTO, CrowdStrike, Inc.
- John Carlin, Principal Associate Deputy Attorney General, Department of Justice
- Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
- Chris Inglis, National Cyber Director, Office of the National Cyber Director
- Rob Joyce, Director of Cybersecurity, National Security Agency
- Katie Moussouris, Founder and CEO, Luta Security
- David Mussington, Executive Assistant Director for Infrastructure Security, CISA
- Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
- Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
- John Sherman, Chief Information Officer, Department of Defense
- Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
- Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
- Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks
The CSRB’s first report, which will be delivered this summer, will include the following:
- a review and assessment of the vulnerabilities in the Log4j software library, the related threat activity and known impacts, and the actions taken by both the government and the private sector to mitigate the impact of those vulnerabilities;
- recommendations for addressing any ongoing vulnerabilities and threat activity; and
- recommendations for improving cybersecurity and incident response practices and policy based on lessons learned from the Log4j vulnerability.