The Homeland Security Department is establishing a Cyber Safety Review Board that will convene after major cyber events to review and act on them, according to a Federal Register notice.
The notice brings to fruition an idea long circulated among cybersecurity policymakers and thinkers, one set in motion by an executive order President Joe Biden signed in May 2021. The idea is to mimic the National Transportation Safety Board that reviews civil aviation accidents.
The board (CSRB) will have no more than 20 members, with one each required from DHS, its Cybersecurity and Infrastructure Security Agency, the Department of Justice, the National Security Agency and the FBI. The DHS undersecretary for strategy, policy and plans — a post held by Rob Silvers — will serve as the inaugural two-year chair.
It will convene when an incident prompts formation of a Cyber Unified Coordination Group, a National Security Council-established organization for unifying government response to cyber incidents such as those that hit critical infrastructure owners and operators. The 2020 SolarWinds breach, which caused the compromise of both federal agencies and major tech companies, led to a public announcement of a coordination group forming.
Alternatively, the secretary of DHS or the leader of CISA can initiate a meeting of the CSRB.
“Upon completion of its review of an applicable incident, the CSRB may develop advice, information, or recommendations for the Secretary for improving cybersecurity and incident response practices and policy,” the notice states.
Its first report will address vulnerabilities surrounding the Log4j software library, vulnerabilities which CISA officials have estimated could affect hundreds of millions of devices, DHS announced Thursday.
The board won’t be subject to the federal law requiring open meetings of federal advisory committees, according to the notice, since members will sometimes review classified and otherwise sensitive data.
Still, the notice reads, “Whenever possible, the CSRB’s advice, information, or recommendations will be made publicly available, with any appropriate redactions, consistent with applicable law and the need to protect sensitive information from disclosure.”
Some advocates of creating the board were disappointed that the executive order contained no mandate for public reporting, which could help avert future incidents.
At times the CSRB might draw on nongovernmental representatives, such as cybersecurity or software suppliers.
“Members shall consist of subject matter experts from appropriate professions and diverse communities nationwide, be geographically balanced, and shall include representatives of a broad and inclusive range of industries,” according to the notice.
On Thursday DHS announced its initial 15-member roster of board members. Besides Silvers, the members include its deputy chair, Heather Adkins, who is senior director for security engineering at Google; Dmitri Alperovitch, chairman of the Silverado Policy Accelerator; John Carlin, principal associate deputy attorney general at DOJ; Federal Chief Information Security Officer Chris DeRusha; Chris Inglis, national cyber director; and Rob Joyce, director of cybersecurity at the NSA.
Further members are Katie Moussouris, CEO of Luta Security; David Mussington, executive assistant director for infrastructure security at CISA; Chris Novak, managing director of the Verizon Threat Research Advisory Center; Tony Sager, senior vice president and chief evangelist at the Center for Internet Security; John Sherman, chief information officer at DOD; Bryan Vorndran, assistant director of the FBI’s cyber division; Kemba Walden, assistant general counsel of Microsoft’s Digital Crimes Unit; and Wendi Whitmore, senior vice president of Unit 42 at Palo Alto Networks.
Updated 2/3/2022 to include the agenda for its initial report and full membership.