DHS adds review board to advise federal response to major cyberattacks
Dive Brief:
- The Department of Homeland Security has launched a Cyber Safety Review Board (CSRB), a 15-member advisory unit that will help the administration respond to significant cyber incidents, according to the Federal Register and a DHS announcement. The original Federal Register announcement called for up to for up to 20 members.
- The board was formed following President Biden's Executive Order, designed to bolster the nation’s defenses to insecure supply chains and vulnerable infrastructure. The board’s first major task is to review the Log4j vulnerability disclosed in December.
- The Under Secretary for Strategy, Policy and Plans Robert Silvers will serve as inaugural chair for a two-year period, with Heather Adkins, senior director, security engineering at Google, as deputy. CISA, DHS, the FBI, National Security Agency and the Defense and Justice Department each have a participating member, alongside the federal CISO and private sector experts.
Dive Insight:
The executive order in 2021 followed the historic supply chain attack against SolarWinds, the ransomware attack on Colonial Pipeline and the state-linked attack against Microsoft Exchange Server.
The order was designed to boost the nation's software security, and improve intelligence sharing between companies and the federal government. The goal was also to help government get a better grasp of what cyber risks were facing private industry and respond in real time.
Cybersecurity experts said the idea behind the board was to create a body modeled on the National Transportation Safety Board that would lead federal incident response similar to an aviation or rail accident.
The CSRB will convene after there is a major cyber incident that triggers the Cyber Unified Coordination Group, or upon request of the CISA Director, DHS Secretary or President via the assistant to the President for National Security Affairs.
"At the President's direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors," DHS Secretary Alejandro Mayorkas said in the announcement.
The board will develop advice or policy recommendations and disclose that information publicly whenever possible. It may have to review some classified and other sensitive material from law enforcement agencies or businesses.
"As the federal government looks to build a more robust cybersecurity defense, retrospection and review of large scale breaches is critical," Allie Mellen, analyst, security and risk at Forrester said via email. "It's an incredibly important part of the incident-response process, and the Cyber Safety Review Board seems to be performing that function on a much larger scale."
In October, Robert Huber, chief security officer and head of research at Tenable, wrote a blogpost urging the DHS Secretary to make sure board members had a diverse set of qualifications and expertise.
Board members needed to have experience in security forensics and research, and deep technical knowledge of cybersecurity, for example CISOs or CTOs, Huber said. They also need firm knowledge of the alignment between business goals and cybersecurity investment.
Gloss