DHS establishes Cyber Safety Review Board to elevate cybersecurity

The U.S. Department of Homeland Security has announced the establishment of the Cyber Safety Review Board that will bring together government and industry leaders to elevate cybersecurity.

The establishment of the CSRB is the result of a Biden Administration executive order in May that ordered that the board be created. Robert Silvers, DHS Under Secretary for Policy, will serve as chair of the board, with Heather Adkins, Google LLCs senior director for security engineering serving as deputy chair.

DHS’s Cybersecurity and Infrastructure Security Agency will manage, support and fund the board with CISA Director Jen Easterly responsible for appointing CSRB members.

The CSRB will review and assess significant cybersecurity events so that government, industry and the broader security community can better protect networks and infrastructure. The board will deliver strategic recommendations to the President and the Secretary of Homeland Security based on cybersecurity incidents that the board studies.

First out of the gate for the CSRB will be a review of the Apache Log4j vulnerabilities discovered in December. Hackers subsequently targeted the vulnerabilities, presenting what DHS describes as an urgent challenge to network defenders. The board examination will generate lessons learned from the cybersecurity community, with the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of CSRB’s expertise.

The report into Log4j will include a review and assessment of vulnerabilities associated with the Log4j software library, recommendations for addressing any ongoing vulnerabilities and threat activity and recommendations for improving cybersecurity and incident response practices and policy based on lessons learned from the Log4j vulnerabilities.

“The focus of the newly formed Cyber Safety Review Board on analyzing past incidents to help prevent future ones is a welcome change from focusing on who to blame when something goes wrong,” Mike Parkin, engineer at cyber risk remediation company Vulcan Cyber Ltd. told SiliconANGLE. “Its work will, hopefully, augment the work being done by other public/private partnerships, such as InfraGard.”

Ray Kelly, fellow at application security firm NTT AppSec Solutions Inc., noted that “the new Cyber Safety Review Board could be quite valuable.”

“In depth review of major security incidents with recommendations for remediation and incident response practices can certainly be useful for organizations,” Kelly said. “We will have to wait and see how the first report looks when they address the critical and ever-expanding Log4j vulnerability to determine if the level of detail and guidance is going to be helpful.”

Image: DHS