The U.S. Department of Homeland Security (DHS) established the Cyber Safety Review Board (CSRB), as directed in President [Joe] Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity. DHS stated the CSRB is an unprecedented public-private initiative that will bring together government and industry leaders to elevate our nation’s cybersecurity.
The CSRB will review and assess significant cybersecurity events so that government, industry, and the broader security community can better protect our nation’s networks and infrastructure. The CSRB’s first review will focus on the vulnerabilities discovered in late 2021 in the widely used Log4j software library. These vulnerabilities, which are being exploited by a growing set of threat actors, present an urgent challenge to network defenders. Because this is one of the most serious vulnerabilities discovered in recent years, its examination will generate many lessons learned for the cybersecurity community. Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB’s expertise.
The CSRB will provide a unique forum for collaboration between government and private sector leaders who will deliver strategic recommendations to the president and the secretary of Homeland Security. The CSRB is composed of 15 highly esteemed cybersecurity leaders from the federal government and the private sector. Robert Silvers, DHS Under Secretary for Policy, will serve as chair and Heather Adkins, Google’s senior director for security engineering, will serve as deputy chair. DHS’ Cybersecurity and Infrastructure Security Agency (CISA) will manage, support, and fund the board with CISA Director Jen Easterly responsible for appointing CSRB members, in consultation with the DHS Under Secretary for Policy Rob Silvers, and for convening the board following significant cybersecurity events.
The CSRB’s first report, which will be delivered this summer, will include:
- A review and assessment of vulnerabilities associated with the Log4j software library, to include associated threat activity and known impacts, as well as actions taken by both the government and the private sector to mitigate the impact of such vulnerabilities.
- Recommendations for addressing any ongoing vulnerabilities and threat activity; and
- Recommendations for improving cybersecurity and incident response practices and policy based on lessons learned from the Log4j vulnerability.
The CSRB will share a public version of the report with appropriate redactions for privacy and to preserve confidential information.
DHS stated the CSRB is committed to transparency and will conduct its review in the public interest. Board meetings are limited to members, staff, and invited subject matter experts. Whenever possible, the CSRB’s advice, information, or recommendations will be made publicly available, with any appropriate redactions, consistent with applicable law and the need to protect sensitive information from disclosure. The CSRB does not have regulatory powers and is not an enforcement authority. Instead, its purpose is to identify and share lessons learned to enable advances in national cybersecurity.