What we can already learn from the Cyber Safety Review Board

By Mark Lanterman

In my last article, I discussed the recently discovered Log4j vulnerability that has left experts concerned about the cybersecurity postures of most organizations (“The Log4j vulnerability is rocking the cybersecurity world. Here’s why,” B&B Jan./Feb. 2022). Essentially, this incredibly pervasive flaw (it’s rooted in readily available open-source software) allows attackers easy access to networks and data. Since the problem has become known, organizations have been urged to determine how they are affected and to implement patches as they become available. But the ubiquitous nature of the vulnerability makes accurately evaluating the potential scope of the impact no easy task. Worse yet, as I also noted last month, it’s possible (or probable?) that attackers have already placed backdoors in many systems to facilitate future attacks even after the original vulnerability is mitigated. 

Though this vulnerability has posed a grave risk for many, and the future ramifications are still unclear, there is a silver lining. In keeping with the 2021 Executive Order on Improving the Nation’s Cybersecurity,1 the U.S. Department of Homeland Security (DHS) established the Cyber Safety Review Board (CSRB) last month.2 A primary goal of the CSRB is to combine the efforts of the public and private sectors to more efficiently combat the growing number of cyber threats and risks faced by the United States today. 

A thorough assessment of the Log4j vulnerability will be the main topic of the CSRB’s first report, which is to be delivered this summer and will include “a review and assessment of vulnerabilities associated with the Log4j software library[;]… recommendations for addressing any ongoing vulnerabilities and threat activity; and, recommendations for improving cybersecurity and incident response practices and policy based on lessons learned.”3 Strong cybersecurity cultures, whether within an organization or on a national level, require top-down management support and a commitment to education. Learning from past events (as the CSRB has highlighted) with the purpose of creating actionable goals for improvement is a promising foundation for this initiative. 

While it remains to be seen what the first official report will contain, and what measures will be proposed, marshaling the combined expertise of the private and public sectors is certainly a step in the right direction. Choosing to center on the Log4j vulnerability as the topic of the CSRB’s preliminary assessment is altogether appropriate given the number of organizations, companies, and agencies affected and its potential for causing future damage. This focus will be a good starting point for collaboration between its public and private sector members, including Robert Silvers (under-secretary for policy, Department of Homeland Security) as its chair and Heather Adkins (senior director of security engineering, Google) as its deputy chair. Other agencies and companies represented include the Department of Justice, the National Security Agency, Microsoft, the FBI, and Palo Alto Networks, among others. This multitude of backgrounds and perspectives will undoubtedly be helpful in analyzing the Log4j vulnerability from various angles to provide the most comprehensive review and set of recommendations possible. 

Developing strong security cultures hinges on our ability to learn from past mistakes—and past successes. When it comes to advocating for best practices and pushing for the implementation of proactive measures, oftentimes the most important resource to draw upon is your organization’s own history in handling cyber events. Ask yourself questions like: What elements of our incident response plan were well-communicated and practiced prior to the event(s) occurring? What was the response timeline, from initial reporting to identification to mitigation? What aspects of our security posture either positively or negatively contributed to our handling of the event(s)? What new considerations are there moving forward, such as regulations or industry-specific cyber threats, that should be shaping our current response procedures? 

Retrospectives following cyber events gather invaluable information but are frequently skipped or poorly documented. In addition to regularly scheduled security assessments, allotting time for review and lessons learned allows for a real-life understanding of existing weaknesses, strengths, and attitudes regarding cybersecurity. One potential issue that may become apparent? Empty seats at the table for key cybersecurity stakeholders, from the IT department and upper management to HR and accounting. As many of us look forward to this summer’s first report, we can take a cue from the Cyber Safety Review Board’s inclusive approach to security planning today.

Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.  mlanterman@compforensics.com


1 https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ 

2 https://www.dhs.gov/news/2022/02/03/dhs-launches-first-ever-cyber-safety-review-board 

3 Id.