DHS forms first-ever Cyber Safety Review Board

The Department of Homeland Security launched the inaugural Cyber Safety Review Board, and its first order of business will be addressing Log4j vulnerabilities.

In a blog post Thursday, DHS said the public-private initiative will "review and assess significant cybersecurity events" starting with the flaws discovered last year in the widely used Java logging tool from the Apache Software Foundation. The Cyber Safety Review Board (CSRB) will consist of 15 members from the government and private sector. Robert Silvers, under secretary for policy at the DHS, will serve as chair and Heather Adkins, Google's senior director for security engineering, as deputy chair.

The Cybersecurity and Infrastructure Security Agency (CISA) will play its own role by managing, supporting and funding the initiative. CISA director Jen Easterly will be responsible for appointing CSRB members, according to the blog.

More private-sector board members include Dmitri Alperovitch, co-founder and chairman of Silverado Policy Accelerator and co-founder and former CTO of CrowdStrike; Katie Moussouris, vulnerability disclosure expert and founder of Luta Security; Chris Novak, co-founder and managing director of the Verizon Threat Research Advisory Center; Tony Sager, senior vice president and chief evangelist at the Center for Internet Security; Kemba Walden, assistant general counsel for Microsoft's Digital Crimes Unit; and Wendi Whitmore, senior vice president of Unit 42 at Palo Alto Networks.

Government representatives include Bryan Vorndran, assistant director of the FBI's Cyber Division, and Rob Joyce, director of cybersecurity for the National Security Agency.

"At the president's direction, DHS is establishing the Cyber Safety Review Board to thoroughly assess past events, ask the hard questions and drive improvements across the private and public sectors," DHS Secretary Alejandro Mayorkas said in the blog.

As a collaborative effort, their job is to "deliver strategic recommendations to the president and the secretary of Homeland Security." The first recommendations will revolve around Log4Shell, which according to the blog is "one of the most serious vulnerabilities discovered in recent years." With an increasing number of cyber threats over the last year, it appears there was a list to choose from.

"Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation was the most important first use of the CSRB's expertise," the blog said.

In a Twitter thread Thursday, while announcing his seat on the board, Alperovitch referred to Log4Shell as "one of the most impactful cyber vulnerabilities in recent memory."

Last month, the Federal Trade Commission warned companies to mitigate, stating it was "critical" that they act now to avoid any legal action. In December, CISA issued a Log4Shell vulnerability guidance as a response to its "active, widespread exploitation."

The CSRB's first report is set to be delivered this summer and according to the blog will include a review and assessment to measure known impacts. Additionally, it will highlight actions taken by both the government and private sector to mitigate the impact of associated vulnerabilities and recommendations for any ongoing threat activity, as well as ways to improve incident response practices and policy. One function it will not have is regulatory powers.

The CSRB said it is committed to transparency, which has been a growing issue between the private and public sectors following cyberattacks.

"To the greatest extent possible, the CSRB will share a public version of the report with appropriate redactions for privacy and to preserve confidential information," the blog said.