Homeland Security establishes the Cyber Safety Review Board to learn from the mistakes of past cyber incidents

The U.S. Department of Homeland Security has assembled a review board that will be tasked with investigating major national cybersecurity incidents in an effort to “meaningfully improve” the nation’s cyber resilience.

The Cyber Safety Review Board (CSRB), whose creation was set in motion by a May 2020 executive order signed by President Biden in response to the SolarWinds attack, will be tasked with studying the cause and fallout from major hacks so that the government, industry and security agencies can better protect national networks and infrastructure, according to DHS. The board has been loosely modeled on the National Transportation Safety Board (NTSB), which investigates air crashes, train derailments and other transportation accidents.

The CSRB’s first review will focus on the vulnerabilities discovered in December in the widely used Log4j software library, with a full report set to be delivered this summer. Examining these vulnerabilities, which have been exploited by a growing set of threat actors since details of them were made public, “will generate many lessons learned for the cybersecurity community,” DHS says, adding that the CSRB’s advice, information or recommendations will be made public “wherever possible.”

The board is composed of 15 members — three times as many as the NTSB — made up of cybersecurity leaders from the federal government and the private sector. Homeland Security undersecretary for policy Robert Silvers will serve as chair, and Google’s security engineering chief Heather Adkins will serve as deputy chair.

Other board members include Rob Joyce, director of cybersecurity at the National Security Agency, Dmitri Alperovitch, co-founder and chairman of Silverado Policy Accelerator and former chief technology officer at CrowdStrike, and Katie Moussouris, a bug bounty pioneer who founded and heads Luta Security.

Moussouris tells TechCrunch that the CSRB could not have come at a better time: “It will be instrumental in strengthening our resilience in the face of cyber incidents that affect public and private sectors with increasing frequency,” she said. “I’m looking forward to sharing recommendations and what we learn from investigating these incidents starting with Log4j.”

Senator Mark Warner (D-VA), chairman of the Senate Intelligence Committee, also welcomed the formation of the CSRB, warning that “it’s only a matter of when, not if, we face another widespread cyber breach that threatens our national security.”

“I was glad to see this NTSB-like function included in the President’s May 2020 executive order on cybersecurity, and this is a good first step to establishing such a capability,” he added. “I look forward to monitoring how this board develops over the coming months.”