Cyber Safety Review Board will start with Log4j report

The heads of the new Cyber Safety Review Board detailed how the new public-private advisory body will work to bolster national cybersecurity by immediately conducting a review of the Log4J software vulnerability and offering recommendations for businesses and federal agencies. 

The CSRB was established under President Joe Biden's cybersecurity executive order signed last year, which gave the board 90 days to conduct an initial review which assesses threat activity and offers recommendations for improved cybersecurity practices. 

On Thursday, Department of Homeland Security Undersecretary for Policy and CSRB Chair Rob Silvers will also issue publicly available reports and recommendations to drive cybersecurity advancements throughout the public and private sectors, with its first report set to include an assessment of vulnerabilities associated with the Log4j software library and related mitigation efforts across sectors, according to DHS. The report is also expected to contain recommendations for ongoing vulnerabilities and improving incident response practices based on lessons learned from the Log4j vulnerability.

"The diversity of views is one of the benefits of the board," Silvers said at BlackHat's cybersecurity event series about the 15-person organization announced earlier this month, noting that one of his top goals "is going to be to achieve consensus wherever we can." 

"As we all know in the cybersecurity community it's in many ways the norm to have differing views," he added. "We'll welcome that, we'll disagree respectfully and we will develop reports that will note where there are differing views."

The advisory board includes Dmitri Alperovitch, co-founder of Crowdstrike and chair of the Silverado Policy Accelerator, Rob Joyce, director of cybersecurity at NSA and Chris DeRusha, Federal Chief Information Security Officer for OMB as well as representatives form private sector firms including Microsoft and Verizon.

Heather Adkins, senior director of security engineering for Google, serves as the deputy chair of the board.  She said the CSRB was in part modeled after the National Transportation Safety Board, to serve a foundational mission of investigating major cyber incidents and creating actionable recommendations.

"We've adopted digital technology the way we have transportation: This is going to be a forever thing," Adkins said. "Getting to the foundations of making sure we have a national view on the kinds of ways that technology fails us and how to improve it I think is super important."

However, the CSRB may run into potential roadblocks in getting the private sector to provide critical information about cyber incidents without mandated reporting requirements, as some experts had hoped would be included as a component of the board. The CSRB also lacks the authority to issue mandatory guidelines for agencies and the private sector; both issues Silvers suggested he was considering ahead of its first meeting.

"I could see some companies not being familiar with this new body and asking, 'Why would I voluntarily talk to or cooperate with a new organization like this?'" he said Thursday. "The Cyber Safety Review Board has no authority to regulate. It has no authority to issue fines or penalties. It's not a criminal investigative, or any investigative body at all. It's totally forward-looking, and we're adopting a framework, and a principle … of blameless post-mortems." 

Rather than penalizing companies for failing to take appropriate actions against known cyber vulnerabilities, Silvers said the goal for the board will be to steer both sectors towards new improvements and collaborative methods to thwart attacks. Companies can also provide the board with information under confidentiality protections as part of the executive order, which Silvers said will "help get the buy in we need."

The CSRB's first review is expected to be released later this summer.