At the direction of President Biden’s 2021 cybersecurity executive order, the Department of Homeland Security on Thursday announced the standup of a review board made up of government and industry experts to conduct post-incident analyses of significant cyber events and to provide advice and recommendations, based on lessons learned, to the broader security community.
The Cyber Safety Review Board (CSRB) will first take up the vulnerabilities discovered in late 2021 in the log4j software library, which are being exploited by threat actors and represent an ongoing threat, DHS said. The board does not have enforcement authorities.
The first report is due this summer and will cover threat activity and known impacts, mitigation actions taken by government and industry, recommendations to address ongoing concerns, and recommendations for improving cybersecurity and incident response practices and policies.
“As one of the most serious vulnerabilities discovered in recent years, its examination will generate many lessons learned for the cybersecurity community,” the department said. The decision to focus on the log4j vulnerability was made by the White House and DHS, it said.
DHS said it will share a redacted public version of the report that protects privacy and confidential information.
The 15-member CSRB is chaired by Robert Silvers, DHS under secretary for policy, and Heather Adkins, senior director for security engineering at Google [GOOG], who is deputy chair. The board will be managed and funded by the DHS Cybersecurity and Infrastructure Security Agency (CISA), and its members are appointed by Jen Easterly, the agency’s director.
“A continuous learning culture is critical to staying ahead of the increasingly sophisticated cyber threats we face in today’s complex technology landscape,” Easterly said in a statement. “Over two decades in the Army, I learned the importance of a detailed and transparent after-action review process in unpacking both failures and successes.”
Other board members include Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, John Carlin, principal associate deputy attorney general, Chris DeRusha, the federal chief information security officer, National Cyber Director Chris Inglis, Rob Joyce, cybersecurity director for the National Security Agency, Katie Moussouris, founder and CEO of Luta Security, David Mussington, executive assistant director for infrastructure security at CISA, Chris Novak, managing director of Verizon’s [VZN] Threat Research Advisory Center, Tony Sager, senior vice president, Center for Internet Security, John Sherman, chief information officer at the Defense Department, Bryan Vorndran, assistant director of the FBI’s Cyber Division, Kemba Walden, assistant general counsel, Digital Crimes Unit at Microsoft [MSFT], and Wendi Whitmore, senior vice president, Unit 42, Palo Alto Networks [PANW].
“The CSRB is a ground-breaking opportunity to conduct holistic reviews and provide forward-thinking solutions that cut across organizations and sectors,” Adkins said in a statement.