Every time there is a major accident, the National Transportation Safety Board (NTSB) in the U.S. sends out a team to investigate not just what occurred but also to better understand the circumstances that led to the incident. The idea, naturally, is to learn from past mistakes in order to prevent similar accidents in the future.
The U.S. Department of Homeland Security (DHS) is now applying that accident-prevention model to cybersecurity. The agency has launched a Cyber Safety Review Board (CSRB) to assess major cybersecurity incidents and make recommendations for improvements. The first incident on the CSRB's list to investigate is the Log4Shell zero-day vulnerabilities recently discovered in open source logging software that is widely used in Java applications.
The CSRB is being set up to provide a forum for collaboration between government and private sector leaders and to produce strategic recommendations for the President and the Secretary of Homeland Security. It is made up of 15 cybersecurity leaders from the federal government and the private sector. Robert Silvers, DHS Under Secretary for Policy, will serve as Chair, and Heather Adkins, senior director for security engineering, will serve as Deputy Chair.
The Cybersecurity and Infrastructure Security Agency (CISA) will manage, support, and fund the CSRB, with CISA Director Jen Easterly responsible for appointing its members in consultation with the DHS Under Secretary for Policy, who serves as the board chair.
A forthcoming review and assessment of the vulnerabilities associated with the Log4j software library, due this summer, will cover threat activity and known impacts, as well as the actions taken by both the government and the private sector to mitigate the impact of those vulnerabilities. It will also include recommendations for addressing any ongoing vulnerabilities and threat activity, and recommendations for improving cybersecurity and incident response practices and policy.
CSRB also plans to share a public version of the report with appropriate redactions for privacy and preservation of confidential information. The CSRB does not have regulatory powers and is not an enforcement authority. Board meetings are limited to members, staff, and invited subject matter experts. When feasible, any future advice, information, or recommendations provided by the CSRB will be made publicly available, with any appropriate redactions, consistent with applicable laws and the need to protect sensitive information.
It remains to be seen what impact this effort will have. Whenever there is a security breach, time is of the essence. Fortunately, there is never a lack of entities willing to share their analysis of such events. The CSRB, however, does present an opportunity to aggregate and verify cybersecurity incident data. There is still a need for a more collaborative approach to sharing cybersecurity intelligence in near real time. The challenge has always been the reluctance to share information that might embarrass an organization or might be used to launch additional attacks.
One way or another, however, there will soon be more transparency into cybersecurity incidents. As such, organizations might as well share what they know sooner rather than later, in the name of the collective good. After all, history has consistently shown that the only thing generally considered worse than the incident itself is, of course, the attempt after the fact to cover up who knew about it and when.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.