New DHS Cyber Safety Review Board will investigate major incidents
By Geneva Sands and Sean Lyngaas, CNN
The Department of Homeland Security has established a Cyber Safety Review Board to examine “significant cybersecurity events,” a move aimed at ramping up protection of US networks and infrastructure.
The board, which will include government officials and outside cybersecurity executives, will assess past incidents and provide recommendations to the White House and DHS.
The panel’s first review will focus on the critical flaw in the widely used Log4j software that was uncovered and made public late last year, DHS said Thursday in a news release about the new board.
The review board was established as part of a May 2021 White House executive order on improving cybersecurity but does not have regulatory powers and is not an enforcement authority.
The purpose is to “identify and share lessons learned” to advance national cybersecurity, DHS said.
According to DHS, the Log4j software is still “being exploited by a growing set of threat actors” and presents “an urgent challenge,” prompting the inaugural investigation.
The executive order had said the board’s “initial review shall relate” to the devastating Russia-linked SolarWinds breach that was used to target at least nine US agencies. However, the White House and DHS determined that investigating the more recent Log4j software vulnerability was the best use of the new board’s expertise for the initial review, given the various federal government and private-sector reviews of SolarWinds already conducted, according to a DHS spokesperson.
“At the President’s direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors,” Homeland Security Secretary Alejandro Mayorkas said in a statement.
The board will be made up of 15 members and chaired by DHS Under Secretary for Policy Robert Silvers. Heather Adkins, Google’s senior director for security engineering, will serve as deputy chair.
DHS’s Cybersecurity and Infrastructure Security Agency will manage and fund the board. That agency and Silvers will determine when to convene the board after significant cybersecurity events.
Other members include National Cyber Director Chris Inglis; Rob Joyce, director of cybersecurity for the National Security Agency; and Katie Moussouris, founder and CEO of Luta Security.
Moussouris told CNN that “one of the most important ongoing cybersecurity challenges” is addressing critical gaps in people, processes and tools to enable greater security resilience for the US.
“Open-source software suffers from chronic underinvestment in security, much like most private companies,” she said. “Today’s threats like Log4j represent the global frontier of complexity this board is poised to analyze to the benefit of all.”
The board’s first report will be delivered this summer, DHS said, and will include known impacts of the Log4j vulnerabilities and recommendations for addressing any ongoing threats.
™ & © 2022 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.