The Department of Homeland Security this week finally announced the creation of a Cyber Safety Review Board (CSRB) a new body comprised of federal officials and private sector representatives who will look at cyber incidents after they’ve happened and make recommendations on policy to prevent similar incidents in the future.
The board's creation was first mentioned in President Biden's Executive Order 14028 on Improving the Nation’s Cybersecurity back in May but didn't get off the ground until this week with an announcement on Thursday.
When it was conceived, the idea behind the board was so it could convene following a significant cyber incident - under the White House’s definition, any incident that affects Federal Civil Information Systems or non-Federal systems, or pertains to threat activity, vulnerabilities, mitigation activities and agency responses. Think things like data breaches, ransomware, or high impact incidents like SolarWinds and log4j.
“At the President’s direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors. I look forward to reviewing the Board’s recommendations regarding how we can better protect communities across our country as DHS works to build a more secure digital future," Secretary of Homeland Security Alejandro N. Mayorkas said Thursday.
For some experts and politicians, the formation of the group – modeled loosely after the National Transportation Safety Board – is long overdue.
The idea of such a board has been bandied about for years. Experts like George Washington University’s Paul Rosenzweig, as well as Columbia University’s Stephen Bellovin, have floated the idea previously but now it appears to finally be happening, after a slight hiccup.
Politicians began asking questions last month, eight months after Biden’s Executive Order, why the White House was taking so long to set up the group.
Senator Mark Warner (D-VA) who called for Congress to create the board following December 2020's SolarWinds hack was outspoken last month, questioning the delay and acknowledging that putting off forming the group could be harmful to the country’s national security.
“We will never get ahead of these threats if it takes us nearly a year to simply organize a group to investigate major breaches like SolarWinds,” Warner, who also leads the Senate Intelligence Committee said, “Such a delay is detrimental to our national security and I urge the administration to expedite its process.”
Warner celebrated the news Thursday morning, calling its official formation a good first step.
“It’s only a matter of when, not if, we face another widespread cyber breach that threatens our national security. I was glad to see this NTSB-like function included in the President’s May 2020 executive order on cybersecurity, and this is a good first step to establishing such a capability. I look forward to monitoring how this board develops over the coming months.”
Now that it's been formally established, the clock begins clicking.
The CSRB's first task will be looking into the log4j vulnerabilities uncovered last fall, the government’s response to the vulnerabilities, along with recommendations to address similar vulnerabilities later down the line.
It’s unclear if the board will still put together an analysis of the SolarWinds hack at this point. In May, Biden’s EO said the board’s first initial review would look into the hack – it was given 90 days to provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices as they relate to Solarwinds and third-party risk - but that was before log4j.
As it stands currently, the Cyber Safety Review Board (CSRB) will be comprised as follows:
- Robert Silvers, Under Secretary for Policy, Department of Homeland Security (CSRB Chair)
- Heather Adkins, Senior Director, Security Engineering, Google (CSRB Deputy Chair)
- Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator; Co-Founder and former CTO, CrowdStrike, Inc.
- John Carlin, Principal Associate Deputy Attorney General, Department of Justice
- Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
- Chris Inglis, National Cyber Director, Office of the National Cyber Director
- Rob Joyce, Director of Cybersecurity, National Security Agency
- Katie Moussouris, Founder and CEO, Luta Security
- David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
- Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
- Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
- John Sherman, Chief Information Officer, Department of Defense
- Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
- Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
- Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks
