The US Department of Homeland Security established the Cyber Safety Review Board (CSRB) on Thursday, tasking the 15-member group with an investigation into the response and handling of the Log4j vulnerability late last year.
The CSRB, whose creation was mandated by the Biden administration's Executive Order 14028 issued last May, is tasked with reviewing and assessing "significant cybersecurity events so that government, industry, and the broader security community can better protect our nation’s networks and infrastructure," the DHS states. Initially, the panel will investigate the industry, community and government response to the vulnerabilities found in the Log4j software library in December 2021.
The goal is to make recommendations that can help both public and private sectors improve their response to vulnerability disclosures in the future, says CSRB member Dmitri Alperovitch, co-founder and chairman of the Silverado Policy Accelerator. In that way, the CSRB will differ from other government review boards, such as the National Transportation Safety Board (NTSB).
"The most useful thing to do is not specifically focus on one particular company or an individual investigation, but to look at this in terms of what can be done better as an industry," says Alperovitch, who is also co-founder and former chief technology officer of CrowdStrike. "Looking at that holistically, how do we help people get better at this and get the resources they need to them faster?"
The CSRB is the latest step taken by the US government to improve the response to cyber incidents and disclosures of critical vulnerabilities. In 2016, the Obama administration issued a presidential policy directive (PPD-41) for US Cyber Incident Coordination that requires the relevant government agencies to work with private industry in a Cyber Unified Coordination Group (CUCG) for any major cyber incident. The Biden administration's executive order mandates that the Cyber Safety Review Board meet following any incident that required the creation of a CUCG.
The board will issue a report by this summer that more completely reviews and assesses the Log4j vulnerability, recommends further actions to mitigate any ongoing threat, and suggests practices and policies to improve future cybersecurity and incident responses.
"A continuous learning culture is critical to staying ahead of the increasingly sophisticated cyber threats we face in today’s complex technology landscape," said CISA director Jen Easterly, in the statement announcing the board. "Over two decades in the Army, I learned the importance of a detailed and transparent After Action Review process in unpacking both failures and successes ... [Our] first ever Cyber Safety Review Board [will] take on the comparable challenge of ensuring that we fully understand and learn from significant cyber events that may threaten our nation."
The major cyber events of the past decade usually have a common pedigree: a popular open source library or component managed by a small team or under the umbrella of a larger open source project. In 2014, when researchers found the Heartbleed vulnerability in OpenSSL, the project had a single full-time maintainer, another part-time maintainer, and less than $2,000 a year in donations, according to a blog post by an OpenSSL consultant. The Apache Foundation has responsibility for the Log4j package, but most of the vulnerability footprint comes from other open source projects that bundle or depend on it; those projects are the responsibility of their own maintainers, and the flaw could take years to eliminate from every vulnerable project.
Most of these maintainers are experts in managing code, but not in handling vulnerability disclosures or managing the mitigation process, says Katie Moussouris, founder and CEO of Luta Security and a member of the new CSRB. Vulnerability response is something that requires specialized knowledge and labor, she says.
"It is not the same as finding the bug — that is one set of skills. And it is not the same as fixing the bug — that is a different set of skills. It is something else," Moussouris says. "It is organized specialty labor that does not exist outside of very few pockets in some of the largest companies that have been forced to develop this skill — the ability to analyze the vulnerabilities all the way down to its root cause and create a fix that is not easily bypassed."
Educating and hiring professionals with that specialized knowledge is hard enough. Expecting maintainers of open source projects to have those skills as well may be unrealistic. But it certainly is necessary, she says.
"Without specialist knowledge and skills built into the program by the maintainers, we will see this over and over again," Moussouris says. "Even companies like Microsoft, that had to develop the specialty analysis capabilities early on, they're not a perfect track record exemplar either. You look at how many times Microsoft has to reissue patches — this is not a trivial skill set to get right and to get consistently right."
Both Alperovitch and Moussouris declined to offer opinions on how well the industry handled the Log4j disclosure and mitigation. Both asked that the public wait for the CSRB's final conclusions.
Alperovitch did note that the tools to detect and mitigate such vulnerabilities are available, but, even so, the road to eliminating the issue will likely be long.
"This was such a significant vulnerability, the most impactful I've seen in the course of my career, and we will be seeing for years to come because of how deep it is embedded in software," he says. "That said, it is important to determine with something that has this impact, how do we do better in the future?"