Consistent with our analysis back in November ’21 (“Cybersecurity and Cyber Incidents: Innovation and Design Lessons from Aviation Safety Models and a Call for a ‘Cyber NTSB’”), the DHS has now established a Cyber Safety Review Board (CSRB). The DHS made the announcement today.

According to the WSJ: “The board, officials have said, is modeled loosely on the National Transportation Safety Board, which investigates and issues public reports on airplane crashes, train derailments, and other transportation accidents. The new panel’s authority derives from an executive order that President Biden signed in May to improve federal cybersecurity defenses.

The cyber board isn’t an independent agency like the transportation board and will instead reside within the Department of Homeland Security. It will have 15 members—three times as many as the full complement of the transportation board—from the government and the public sector who don’t need to be confirmed by the Senate. It lacks subpoena power, unlike the transportation board.”

The DHS Under Secretary for Policy will serve as Chair, and Heather Adkins, Google’s Senior Director for Security Engineering, will serve as Deputy Chair. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will manage, support, and fund the Board, with CISA Director Jen Easterly responsible for appointing CSRB members, in consultation with DHS Under Secretary for Policy Rob Silvers, and for convening the Board following significant cybersecurity events. (1)

The 15 CSRB Members are:

  • Robert Silvers, Under Secretary for Policy, Department of Homeland Security (CSRB Chair)
  • Heather Adkins, Senior Director, Security Engineering, Google (CSRB Deputy Chair)
  • Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator; Co-Founder and former CTO, CrowdStrike, Inc.
  • John Carlin, Principal Associate Deputy Attorney General, Department of Justice
  • Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
  • Chris Inglis, National Cyber Director, Office of the National Cyber Director
  • Rob Joyce, Director of Cybersecurity, National Security Agency
  • Katie Moussouris, Founder and CEO, Luta Security
  • David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
  • Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
  • Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
  • John Sherman, Chief Information Officer, Department of Defense
  • Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
  • Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
  • Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks

What Next?

  1. The CSRB’s first review will focus on the vulnerabilities discovered in late 2021 in the widely used Log4j software library. These vulnerabilities, which are being exploited by a growing set of threat actors, present an urgent challenge to network defenders. Because Log4j is among the most serious vulnerabilities discovered in recent years, its examination will generate many lessons learned for the cybersecurity community. Together, the White House and DHS determined that focusing on this vulnerability and its associated remediation process was the most important first use of the CSRB’s expertise.
  2. The CSRB’s first report, which will be delivered this summer, will include the following:
    • a review and assessment of vulnerabilities associated with the Log4j software library, to include associated threat activity and known impacts, as well as actions taken by both the government and the private sector to mitigate the impact of such vulnerabilities;
    • recommendations for addressing any ongoing vulnerabilities and threat activity; and,
    • recommendations for improving cybersecurity and incident response practices and policy based on lessons learned from the Log4j vulnerability.
  3. It remains to be seen how the nascent Cyber Safety Review Board (CSRB) will coordinate with the newly formed Office of the National Cyber Director and with CISA’s Joint Cyber Defense Collaborative, its joint effort with the private sector. Let’s hope silos and territorial squabbles do not become the norm.
  4. As mentioned, the CSRB is not a standalone agency. There is a clear history of how the NTSB was taken out of the Department of Transportation and made an independent agency in 1974. How critical is this independence to the effectiveness of the NTSB? And how soon will DHS policymakers consider the same autonomy in order for the CSRB to be effective?

A direct link to the DHS announcement: DHS Launches First-Ever Cyber Safety Review Board

CSRB information over at CISA: CSRB | CISA

The Cyber Safety Review Board Charter (.pdf, 199 KB)

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.