The Department of Homeland Security launched the country's first Cyber Safety Review Board this month, a private-public initiative designed to improve cybersecurity.
The CSRB will start by looking at the past: specifically, the Log4Shell vulnerability disclosed this past December.
Liza Craig, government contracts partner at Reed Smith and a former senior associate counsel with the Department of the Navy Office of the General Counsel, said that the new board will assess significant past cyber events that affected the federal government and industry.
The reports the CSRB produces will include actionable recommendations to improve the country's cybersecurity in the future, she said.
"That is the purpose of the Board," she told Data Center Knowledge. "To assess these incidents and provide guidance regarding how to develop the appropriate defenses."
Defending the nation
The board is composed of cybersecurity leaders from across the federal government and the private sector and will include senior experts from the DHS itself, CISA, the NSA, the Department of Defense, the Department of Justice and other agencies.
On the private industry side, the board will include representatives from Google, Microsoft, Verizon, and cybersecurity firms CrowdStrike, Palo Alto, and Luta Security.
Some experts have questioned just how useful the board's reports are going to be.
The organization won't have any regulatory authority, said Mike Parkin, engineer at Vulcan Cyber.
"It will be interesting to see how their results and recommendations are used in the real world," he told Data Center Knowledge.
On the other hand, the focus on analyzing past incidents to help prevent future ones is a welcome change from focusing on finding someone to blame, he added.
"We’ll have to wait and see how the first report looks when they address the critical and ever-expanding Log4j vulnerability to determine if the level of detail and guidance is going to be helpful," said Ray Kelly, fellow at NTT Application Security, a San Jose, Calif.-based application security vendor.
It could prove to be very valuable, he said.
"In-depth review of major security incidents with recommendations for remediation and incident response practices can undoubtedly be valuable for organizations," Kelly told Data Center Knowledge.
One way the board can help move things forward is in creating a unified federal platform to share security information and best practices, said Barrett Lyon, co-founder and chief architect at Netography.
Today, the United States is squandering its technological advantage with aging, insecure technologies.
"That is coupled with every agency acting on its own, causing nearly every branch of government to be its own island reinventing the wheel," he told Data Center Knowledge.
Whether the board is successful in its mission should be measured by how much critical information is stolen, he said.
Success will also depend on how fast the board is able to move, said W. Curtis Preston, chief technical evangelist at cybersecurity firm Druva.
"Cyber attacks unfold very quickly," he told Data Center Knowledge. "And hackers are constantly evolving their methods of attack."
The board will need to figure out how to review major cybersecurity incidents quickly.
"Otherwise, their findings will be outdated and ineffective," he said.
The board was originally proposed in President Joe Biden's executive order last May. The fact that it took eight months to set up is a troubling sign.
Part of the problem, according to John Yeoh, global vice president of research at Cloud Security Alliance, is that there currently isn't an efficient way to address cybersecurity threats.
"The current method for many security professionals is a collection of phone calls and message threads with colleagues," he told Data Center Knowledge.
They scroll through Twitter and other social media feeds, and check multiple vulnerability platforms.
"It is a piecemeal process to uncover where you're vulnerable, discover new types of attacks, and collect enough details for defense and remediation," he said.
The CSRB could potentially put in the work to review exploits and eliminate inconsistent findings, he said. The resulting reports could then be used to help both government agencies and private companies develop their own response plans.
Cybersecurity has moved up the agenda
The CSRB is only one of several recent steps the government has taken to improve the country's cybersecurity posture. Last May, President Joe Biden signed an executive order designed to remove barriers to sharing threat information, modernize the government's cyber defenses, and improve software supply chain security.
In August, CISA launched the Joint Cyber Defense Collaborative, an effort to coordinate cyber defense actions across multiple agencies, state and local governments, and private companies.
And last month, the Office of Management and Budget announced a plan to move the US government to a zero-trust architecture.
Some lawmakers want more action.
Last week, senators Gary Peters and Rob Portman introduced the bipartisan Strengthening American Cybersecurity Act.
It requires all critical infrastructure owners and operators, which includes many data centers and Internet infrastructure providers, to notify CISA of ransomware payments within 24 hours, and of substantial cyberattacks within 72 hours.
Russia has been behind some of the biggest recent cyberattacks. With tensions rapidly heating up in Eastern Europe, the US can expect to see more of the same. It's long past time to start doing something about it.