Cyber Safety Review Board staffs up

Getty Images

The chair of the Cyber Safety Review Board has ambitious goals for the organization following its public review of the Log4j software vulnerability.

The chair of the Cyber Safety Review Board said he hopes the organization will become an "enduring institution in the cybersecurity ecosystem" as it expands its staff and plans for future reviews following its inaugural report on the Log4j software vulnerability. 

Rob Silvers, under secretary for policy at the Department of Homeland Security and the head of the CSRB, said Log4j was the right issue for the board to review when it first launched earlier this year because the widespread software flaw was a "fresh event" with "a lot to unpack for virtually every organization out there."

But now that the CSRB released its first report last month, which provided one of the most  detailed public timelines surrounding the Log4j vulnerability and featured 19 actionable recommendations for the public and private sectors, Silvers said the board is using its "off-season" to "build up permanent staffing and infrastructure" while refining procedures ahead of the next review.  

"There was an element to the first review that it was the initial test flight of the board: We had to address certain things, and procedural things, as they came up," Silvers said at the Black Hat computer security conference on Wednesday, adding that the CSRB had now reached its "maturation phase."

Silvers did not indicate when the board plans to conduct its next review, or how many reports CSRB may issue each year. The board was given 90 days to conduct its first review and offer recommendations under President Joe Biden's cybersecurity executive order.

DHS launched the CSRB in February after it was instructed to build a public-private effort aimed at bolstering national cybersecurity and learning from past events how to better protect U.S. digital assets. Led by Silvers and deputy chair Heather Adkins, senior director of security engineering for Google, the board includes 15 members from the public and private sectors within the cybersecurity field. 

"This is now about tuning this up for future reviews – which will surely come," Silvers said.

The first review CSRB conducted described the Log4j flaw as an "endemic vulnerability" that may last in some systems for up to a decade or longer. Its recommendations included establishing a government-coordinated working group to better identify software vulnerabilities, investing in training software developers on security issues and expanding the Cybersecurity and Infrastructure Security Agency's capabilities to publish authoritative cyber risk information.