The Department of Homeland Security (DHS) established the 15-person CSRB last week, fulfilling a promise in Biden’s May executive order. DHS Undersecretary for Strategy, Policy and Plans Rob Silvers chairs the group, and members come from federal agencies, nonprofits and private firms.
“This is a once-in-a-generation opportunity to reshape how we draw lessons from cyber events and improve for the future,” Silvers said in a statement.
A HIGH-LEVEL VIEW
CSRB is roughly the cyber equivalent of the National Transportation Safety Board and will likewise investigate when things go wrong and recommend ways to prevent repeat incidents.
An entity like the CSRB can fill this gap, however, and members aim to pore over some of the most worrying cyber events in recent history with an eye to what the incidents reveal about the larger cybersecurity landscape.
The objective isn’t to find technical fixes, but instead to uncover root causes, systemic issues and areas where collaboration is needed, Sager said.
“I don’t think we’re going to find — when we look at any particular example — some startling new technical insight that someone hasn’t already thought of,” Sager said. “What I do think we will do is think about these systemic issues and try to sort out the short-term things from the long-term things, from the foundational things, from the expectations.”
One complexity is that plenty of disagreement still exists over how to consider the root causes of a breach, and what expectations to place on each stakeholder for ensuring defense. Observers of an incident could come to different conclusions over whether the underlying issue was an employee making a mistake; the company failing to have the right policies, tools or trainings to prevent the mistake; or a vendor developing software that required the employee to take certain actions in the first place, Sager said.
The CSRB will strive to reach agreement over how to think about cybersecurity issues and decide priorities. It’ll consider what incentives can be leveraged to shift the nation toward greater cybersecurity.
“Our goal is [to] stand back from that and say, ‘What can we do to prevent the next one? Or to make the next one at least more understandable in terms of risk, so it doesn’t take us forever to figure out what the problem is? Where are the important leverage points to do something about this?’” Sager said.
LEARNING FROM LOG4J
CSRB is slated to meet this month, and its first assignment will be investigating vulnerabilities related to Log4j. The board will release a report this summer.
Sager said the Log4j vulnerabilities are a promising place for CSRB to start, because of the wealth of accessible information to look through.
“It will be a great first exercise because there’s a lot of great work that’s already been done and written about and [which is] available to the group. And so, we’ll get a chance to see lots of different views of how people saw it and what they did about it,” he said.
Members will examine attempts to exploit the Log4j vulnerabilities and the response efforts taken by public- and private-sector organizations as well as various proposals for how to deal with continued risks stemming from this incident and to prevent repeat events in the future, DHS announced.
Notably, the board lacks enforcement or regulatory powers. That means that getting its suggestions adopted depends, in part, on being able to translate its findings into clear and compelling action plans.
And that communication will need to home in on the entities that are in position to influence the wider ecosystem. Individual small businesses and the like cannot be expected to all become cybersecurity experts, so making lasting improvements to the nation’s cyber posture means getting action from regulators, insurers and similar organizations, Sager said. These are the entities that can incentivize safe behaviors and disincentivize risky ones, thus helping infuse good cyber practices throughout the landscape.
It also should help that many board members have key roles in government or other parts of the cybersecurity space. CSRB’s membership includes National Cyber Director Chris Inglis, for example, and nongovernment voices feature prominently, too, with Google Senior Director of Security Engineering Heather Adkins serving as deputy chair.
CSRB is also closely tied to the Cybersecurity and Infrastructure Security Agency (CISA), which will fund, oversee and support the board. CISA Director Jen Easterly is responsible for calling board meetings and, with Silvers’ input, appointing members, per DHS.
MEET THE BOARD
Chair
- Robert Silvers, Department of Homeland Security, undersecretary for strategy, policy and plans
Deputy chair
- Heather Adkins, Google, senior director for security engineering
Members
- Dmitri Alperovitch, Silverado Policy Accelerator, co-founder and chair; CrowdStrike, co-founder
- John Carlin, Department of Justice, deputy attorney general
- Chris DeRusha, Office of Management and Budget, federal CISO
- Chris Inglis, national cyber director
- Rob Joyce, NSA, director of Cybersecurity
- Katie Moussouris, Luta Security, founder and CEO
- David Mussington, CISA, executive assistant director for Infrastructure Security
- Chris Novak, Verizon Threat Research Advisory Center, co-founder and managing director
- Tony Sager, Center for Internet Security, senior vice president and chief evangelist
- John Sherman, Department of Defense, CIO
- Bryan Vorndran, FBI, assistant director of the Cyber Division
- Kemba Walden, Microsoft, assistant general counsel of the Digital Crimes Unit
- Wendi Whitmore, Palo Alto Networks, senior vice president of Unit 42