(Bloomberg) — The Biden administration has created an advisory board to review major cybersecurity incidents in the hopes of minimizing the impact of future attacks.
The U.S. Department of Homeland Security said Thursday that the Cyber Safety Review Board will include leaders from government and the private sector to examine past events, with the goal of meaningfully improving the nation’s ability to respond to major hacks.
The board is modeled in part on the National Transportation Safety Board, which investigates airline crashes and other transportation accidents.
The board’s first order of business will be a review of a vulnerability in Log4j open source software, a protocol used by thousands of global companies.
The issue, which U.S. cyber officials said in December represented a “severe” flaw, could have allowed hackers to take complete control over an affected system.
The board is scheduled to deliver a report this summer that will include an assessment of known threats associated with Log4j, a review of the actions taken to reduce the vulnerabilities, and any lessons learned from the incident.
The board lacks the power to subpoena companies, meaning it will rely on voluntary disclosure from the private sector.
The Cyber Safety Review Board was created as a result of a May 2021 executive order signed by President Joe Biden in response to a hack on the software supply chain involving the federal contractor SolarWinds Corp.
In that breach, suspected Russian hackers compromised nine federal agencies, officials have said.
The May executive order stated that the board would be responsible for assessing “cyber activities” in December 2020 — the date when the SolarWinds hack was disclosed.
However, federal officials now believe the best use of the board is to focus on the widespread use of the Log4j software, the relative ease of exploitation and the potential impact of hackers exploiting the flaw, a department spokesperson said.
The Cybersecurity and Infrastructure Security Agency will fund the board, with Director Jen Easterly appointing as many as 20 members, according to a notice in the Federal Register.
It will function in an advisory capacity.
Robert Silvers, DHS undersecretary for policy, will serve as the inaugural chair, a term that lasts two years. Other members include Heather Adkins, senior director for security engineering at Alphabet Inc.’s Google; National Cyber Director Chris Inglis; Crowdstrike Inc. co-founder Dmitri Alperovitch; and Katie Moussouris, an early developer of bug bounty and vulnerability management programs.
“We have a lot to work on, and Log4j is a complex issue,” Moussouris said in an interview.
“We’ll all be bringing our experiences from different areas of cybersecurity, especially incident response.”
She added, “It’s something the federal government hasn’t considered before.”
©2022 Bloomberg L.P.