US DHS Establishes Cyber Safety Review BoardCSRB Set to Emulate NTSB, Which Investigates Transportation Accidents
U.S. Department of Homeland Security Secretary Alejandro Mayorkas confirmed on Thursday that DHS, in consultation with Attorney General Merrick Garland, is establishing a Cyber Safety Review Board, as directed by President Joe Biden's sweeping cybersecurity executive order signed in May 2021. The board, officials say, aims to mirror the work of the National Transportation Safety Board, which investigates aviation incidents.
In an entry to the Federal Register published on Thursday, Mayorkas writes that the CSRB will operate in an advisory capacity and will convene following "significant cyber incidents that trigger the establishment of a Cyber Unified Coordination Group," per the Obama-era Presidential Policy Directive 41, which sets forth principles governing the government’s response to cyber incidents. It can also be convened "as directed by the president" or as the director of the Cybersecurity and Infrastructure Security Agency "deems necessary."
In a statement, Mayorkas said: "At the president’s direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors."
According to the Federal Register entry, the board will review applicable incidents and develop advice, information or recommendations to improve cybersecurity and incident response practices and policy. Mayorkas and Garland will then relay the board's findings to the president.
Its first review, DHS confirms, will be on the vulnerabilities discovered in late 2021 in the widely used Log4j software library. Its report, which will be finalized in summer 2022, will include associated threat activity, known impacts and mitigation steps taken by the public and private sectors.
CSRB's advice and recommendations will be made publicly available - "with any appropriate redactions" - when allowed under law. Some cases, the notice states, will expose board members to classified information and "sensitive law enforcement, operational, business, and other confidential information."
The board is comprised of 15 members appointed by CISA Director Jen Easterly, who will coordinate with DHS Under Secretary for Strategy, Policy, and Plans Robert Silvers, who will also serve as the inaugural chair on a two-year term. Heather Adkins, Google’s senior director for security engineering, will serve as deputy chair.
Silvers said of the board: "This is a once-in-a-generation opportunity to reshape how we draw lessons from cyber events and improve for the future."
Nongovernmental members of the CSRB will be considered "special government employees," and may be required to obtain security clearance and sign a nondisclosure agreement, the DHS notice states.
A representative from the Office of Management and Budget will participate in CSRB activities "when an incident under review involves federal civilian executive branch information systems, as determined by the CISA director."
Mayorkas also writes that other individuals "may be invited to participate in CSRB activities on a case-by-case basis depending on the nature of the incident under review."
And, Mayorkas says, it is incumbent on the DHS secretary to "extend the life of the CSRB every two years."
Aside from Silvers and Adkins, the full board includes:
- Dmitri Alperovitch, co-founder and chairman, Silverado Policy Accelerator; co-founder and former CTO of CrowdStrike;
- John Carlin, principal associate deputy attorney general, Department of Justice;
- Chris DeRusha, federal CISO, Office of Management and Budget;
- Chris Inglis, national cyber director;
- Rob Joyce, director of cybersecurity, National Security Agency;
- Katie Moussouris, founder and CEO, Luta Security;
- David Mussington, executive assistant director for infrastructure security, CISA;
- Chris Novak, co-founder and managing director, Verizon Threat Research Advisory Center;
- Tony Sager, senior vice president and chief evangelist, Center for Internet Security;
- John Sherman, CIO, Department of Defense;
- Bryan Vorndran, assistant director, cyber division, FBI;
- Kemba Walden, assistant general counsel, digital crimes unit, Microsoft;
- Wendi Whitmore, senior vice president, Unit 42, Palo Alto Networks.
Cybersecurity Executive Order
Biden's cybersecurity executive order spurred a governmentwide effort to instill security best practices, realize the benefits of cloud infrastructure and migrate to zero trust - the "never trust, always verify" security concept.
Through the directive, Biden also outlined this CSRB - managed by DHS - that would emulate the work of the NTSB, which has traditionally conducted thorough inquiries into aviation accidents and other transportation mishaps.
News of its formation follows headlines that circulated last week decrying the delay, since it has been nearly a year since Biden signed the executive order.
In January, experts said the board's delayed deployment had potentially slowed the U.S. government's ability to conduct thorough post-incident analyses and issue related guidance.
Officials have continued to point to the SolarWinds software supply chain attack - carried out via malicious software updates and affecting 100 organizations globally and nine federal agencies - as a driver to update systems. SolarWinds, too, was the inspiration behind much of Biden's May order.
'Capacity to Force Action'
Prior to the announcement, the cybersecurity community pointed to the dangers of any continued delay.
"The delay … is a big win for potential cyberattackers," Neil Jones, cybersecurity evangelist for the firm Egnyte, told ISMG late last week. "Imagine a world in which transportation incidents like plane crashes were never deeply investigated by expert panels such as the NTSB, meaning we'd never learn key lessons from the incidents that could be applied to prevent future issues."
Jones cited a need for government and industry to more closely collaborate, for organizations to pursue data-centric security strategies, and for smaller organizations to "remain vigilant."
"I strongly recommend that [the board] begin reviewing cybersecurity incidents and sharing its findings with the industry ASAP," he said.
Upon news of its formation, Tim Wade, a former network and security technical manager with the U.S. Air Force, and current technical director for the firm Vectra AI, told ISMG: "Fundamentally, we have to ask ourselves: Is there a lack of analysis toward lessons learned that is perpetuating cyber risks, or a lack of follow-through and accountability that is perpetuating cyber risks? That is to say, a need for the creation of new knowledge, or the will to implement existing knowledge?
"My personal bias is a belief toward the latter, so my expectations for the effectiveness of such a board hinge on its capacity to force action."