New Cyber Safety Board Pivots to Tackle log4j Vulnerabilities


The DHS body’s primary focus will be on addressing vulnerabilities in the commonly used log4j software library, but will also incorporate findings on the ‘SolarWinds’ hack.

The Biden administration is turning its new Cyber Safety Review Board, formed in response to the hack known as “SolarWinds,” to the fresher problem of a critical vulnerability in log4j, the commonly used open-source software library.

“Given the various reviews that both the federal government and the private sector conducted of the SolarWinds compromise over the past year, the White House and the Department of Homeland Security have determined that the best use of the Cyber Safety Review Board’s expertise is to focus its initial review on the vulnerabilities in the log4j software library and the associated remediation process,” a DHS spokesperson told Nextgov. “The widespread use of the software, the ease of exploitation, and the potential impact by an adversary on a network make this an incredibly serious vulnerability.”

House Homeland Security Committee Chairman Bennie Thompson, D-Miss., was “pleased to see the Biden Administration taking this proactive step to investigate, understand and learn from significant cyber incidents, and log4j vulnerabilities specifically,” according to a release from his office Thursday.

President Joe Biden called for the creation of the CSRB in a May 2021 executive order after a massive intrusion campaign—revealed in December 2020—compromised at least nine federal agencies and about 100 private firms. The campaign, which brought the interagency together for a coordinated response, was called ‘SolarWinds’ because the hackers penetrated the ubiquitous IT management firm’s systems to distribute their malware. But it also leveraged a design element in Microsoft’s cloud federation service, and cyber scholars say such features deserve more attention across major cloud vendors. The executive order said studying the issue should be the first order of business for the CSRB.

“The Board’s review and recommendations will take into consideration existing findings and recommendations related to the activities that prompted the December 2020 Cyber Unified Coordination Group (i.e., “the SolarWinds incident”) to include any elements related to the existence and exploitation of vulnerabilities or the response to the events,” the DHS spokesperson said.

DHS Secretary Alejandro Mayorkas announced the members of the board Thursday. Heather Adkins, senior director for security engineering at Google, will be the deputy chair. The chair for the board’s first two years is Rob Silvers, DHS undersecretary for strategy, policy and plans. If that role switches to the private sector in future years, then the deputy chair must come from the government, according to the executive order.

“At the President’s direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions, and drive improvements across the private and public sectors,” Mayorkas said.

Longtime proponents of the board hoped it would look more like the National Transportation Safety Board, a government agency empowered to collect information from private entities while investigating plane crashes and other high-profile incidents in the sector and to make recommendations for preventing similar cases.

“It’s only a matter of when, not if, we face another widespread cyber breach that threatens our national security,” Sen. Mark Warner, D-Va., said in a press release. “I was glad to see this NTSB-like function included in the President’s May [2021] executive order on cybersecurity, and this is a good first step to establishing such a capability. I look forward to monitoring how this board develops over the coming months.”

For the CSRB to be as effective as the NTSB, lawmakers and others on the Cyberspace Solarium Commission, including National Cyber Director Chris Inglis, have called for the creation of a Bureau of Cyber Statistics and incident reporting laws for the private sector. But legislative provisions for both have failed amid jurisdictional and timing issues.

“I’m glad to see ongoing implementation of President Biden’s executive order to improve the nation’s cybersecurity, because understanding and learning from major cyber incidents like SolarWinds is important for preventing future similar high-level incidents,” Rep. Jim Langevin, D-R.I., told Nextgov. “It’s also important that we do more to understand the causes and consequences of malicious cyber activity more broadly, and that requires better data. That’s why having a statistical agency like the Bureau of Cyber Statistics is so important, so we can better model, understand and ultimately mitigate cyber risk through more effective and empirically informed policy.”