DHS launches first Cyber Safety Review Board

The U.S. Department of Homeland Security (DHS) announced the establishment of the first-ever Cyber Safety Review Board (CSRB), as directed in President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity. The CSRB is a public-private initiative that will bring together government and industry leaders to elevate the nation’s cybersecurity.

“The Biden-Harris Administration has taken bold steps to meaningfully improve our cybersecurity resilience,” said Secretary of Homeland Security Alejandro N. Mayorkas. “At the President’s direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors.”

The CSRB will review and assess significant cybersecurity events so that government, industry, and the broader security community can better protect U.S. networks and infrastructure. The CSRB’s first review will focus on the vulnerabilities discovered in late 2021 in the widely used log4j software library. These vulnerabilities, which are being exploited by a growing set of threat actors, present an urgent challenge to network defenders. As one of the most serious vulnerabilities discovered in recent years, its examination will generate many lessons learned for the cybersecurity community. Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB’s expertise.

The CSRB will provide a unique forum for collaboration between government and private sector leaders who will deliver strategic recommendations to the President and the Secretary of Homeland Security. The CSRB is composed of 15 cybersecurity leaders from the federal government and the private sector. Robert Silvers, DHS Under Secretary for Policy, will serve as Chair and Heather Adkins, Google’s Senior Director for Security Engineering, will serve as Deputy Chair. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will manage, support, and fund the Board with CISA Director Jen Easterly responsible for appointing CSRB members, in consultation with the DHS Under Secretary for Policy Rob Silvers, and for convening the Board following significant cybersecurity events.

The CSRB’s first report, which will be delivered in the summer 2022, will include the following:

a review and assessment of vulnerabilities associated with the Log4j software library, to include associated threat activity and known impacts, as well as actions taken by both the government and the private sector to mitigate the impact of such vulnerabilities;
recommendations for addressing any ongoing vulnerabilities and threat activity; and,
recommendations for improving cybersecurity and incident response practices and policy based on lessons learned from the Log4j vulnerability.

“A continuous learning culture is critical to staying ahead of the increasingly sophisticated cyber threats we face in today’s complex technology landscape. Over two decades in the Army, I learned the importance of a detailed and transparent After Action Review process in unpacking both failures and successes. I’m thrilled today to appoint the distinguished members of our first ever Cyber Safety Review Board to take on the comparable challenge of ensuring that we fully understand and learn from significant cyber events that may threaten our nation,” said CISA Director Jen Easterly. “I’m looking forward to the Board’s insight and the lessons we’ll learn and implement together across the cybersecurity community.”

“When a major cyber incident occurs, it impacts all of us,” said CSRB Deputy Chair Heather Adkins. “The CSRB is a ground-breaking opportunity to conduct holistic reviews and provide forward-thinking solutions that cut across organizations and sectors. I am honored to serve with this diverse array of talent from both private companies and the U.S. government as we launch this inaugural review.”

The CSRB is committed to transparency and will conduct its review in the public interest. Board meetings are limited to members, staff, and invited subject matter experts. Whenever possible, the CSRB’s advice, information, or recommendations will be made publicly available, with any appropriate redactions, consistent with applicable law and the need to protect sensitive information from disclosure. The purpose of the CSRB is to identify and share lessons learned to enable advances in national cybersecurity.

CSRB Members:

Robert Silvers, Under Secretary for Policy, Department of Homeland Security (CSRB Chair)
Heather Adkins, Senior Director, Security Engineering, Google (CSRB Deputy Chair)
Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator; Co-Founder and former CTO, CrowdStrike, Inc.
John Carlin, Principal Associate Deputy Attorney General, Department of Justice
Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
Chris Inglis, National Cyber Director, Office of the National Cyber Director
Rob Joyce, Director of Cybersecurity, National Security Agency
Katie Moussouris, Founder and CEO, Luta Security
David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
John Sherman, Chief Information Officer, Department of Defense
Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks

To learn more about the CSRB, visit CISA.gov.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.