News Insights: DHS Launches First-Ever Cyber Safety Review Board.
DHS Launches First-Ever Cyber Safety Review Board. The 15-member group will focus on significant cybersecurity events and recommend improvements.
The CSRB’s first report, which will be delivered this summer, will include:
- a review and assessment of vulnerabilities associated with the Log4j software library, to include associated threat activity and known impacts, as well as actions taken by both the government and the private sector to mitigate the impact of such vulnerabilities.
- recommendations for addressing any ongoing vulnerabilities and threat activity; and
- recommendations for improving cybersecurity and incident response practices and policy based on lessons learned from the Log4j vulnerability.
CISA Director Jen Easterly said, “A continuous learning culture is critical to staying ahead of the increasingly sophisticated cyber threats we face in today’s complex technology landscape. Over two decades in the Army, I learned the importance of a detailed and transparent After Action Review process in unpacking both failures and successes.”
News Insights:
George McGregor, VP, Approov: “We welcome this initiative. It will be important for the board to consider two major reports published last year (https://www.fiercehealthcare.com/tech/report-shows-patient-data-vulnerable-to-hacks-third-party-aggregators) that found that no effective shielding solutions were in place in mobile health apps: secrets could be acquired from mobile health apps and used to attack APIs directly. The research also highlighted well-known vulnerabilities found in some APIs, and it was possible to use one user’s (genuine) credentials to access (many) other people’s PHI data. Effective run-time shielding can eliminate these risks.”
Curtis Preston, Chief Technical Evangelist at Druva: “The Homeland Security Department establishing the Cyber Safety Review Board makes it clear that strengthening the nation’s cyber resilience is a top priority in 2022. Cyber attacks unfold very quickly, and hackers are constantly evolving their methods of attack. That means in order for the board to be successful, it will be critical to devise ways to review major incidents at a quick and speedy pace; otherwise, their findings will be outdated and ineffective. In the meantime, organizations should proactively be taking steps to help minimize the impact of the inevitable cyber attack. Every organization should: back up their data securely, monitor their environment for unusual activity, and test their playbook for a speedy and successful recovery. A defense-in-depth strategy that advances an organization’s resilience is the best and only way to fight back.”
Tim Erlin, VP of Strategy at Tripwire: “We’ve all seen cyber attacks grow from a primarily commercial concern to the level of a national security issue. When you have incidents that can shut down pipelines or impact the water supply, it becomes necessary to provide more rigorous investigation and greater transparency. We’ve certainly reached that point with cybersecurity.
The comparison to the NTSB is useful, but won’t be entirely accurate. For example, trying to extend this comparison to their first target, the Log4j vulnerabilities, highlights the differences quickly. Log4j is hard to investigate as a single incident, especially given that it’s not really over yet. Still, there’s plenty to learn and we should expect the findings to shape legislation and regulation going forward.
Cyber security incidents will require very different tools and skills to investigate, and we should all be prepared for some less than satisfying conclusions, especially at the start. The formation of this review board should serve not only to deliver reports, but to continuously improve the best practices for these types of investigations.”