DHS comments on review of inaugural proceedings of CSRB, legislative measure to codify the board


The U.S. Department of Homeland Security (DHS) commented on the Cyber Safety Review Board's (CSRB) self-assessment of its 'inaugural proceedings', released last year. The agency also addressed the Biden-Harris administration's legislative proposal to codify the board.

“Since it was formed last year, the Cyber Safety Review Board has delivered on its promise to drive change that improves our nation’s cybersecurity by providing actionable recommendations in the aftermath of significant cybersecurity incidents,” Alejandro N. Mayorkas, Secretary of Homeland Security, said in a Monday statement. “The Board’s recommendations in its Review of Inaugural Proceedings provide a roadmap for ensuring that the Board endures as a sustainable, replicable, and professional model for public-private collaboration.”

Codifying the Board into law will guarantee that the Board remains a permanent fixture in the cybersecurity ecosystem and continues its work to strengthen the cybersecurity of critical infrastructure owners and operators, no matter their size, location, or sector, Mayorkas added. “The Biden-Harris Administration supports this legislative proposal to establish the Board permanently and grant it authorities that will benefit our nation’s cybersecurity,” he added.

The CSRB delivered the review in October, presenting its comprehensive analysis of the Log4j event as a successful proof of concept for the board. The CSRB conducted its first review, of the Log4j software vulnerability event, between February and July last year. For that review the CSRB followed a non-Federal Advisory Committee Act (FACA) advisory committee model, was resourced and staffed through existing CISA capabilities, and relied on voluntary participation by potential interviewees.

“In a short time, the Board reviewed one of the most significant cyber events in history, made significant factual findings that were previously unknown to the community, and issued actionable recommendations that will drive change to elevate our national cybersecurity,” the CSRB review stated. “Our focus in this report is to consider the lessons learned from our first review so that the Board will be positioned to build on our initial success through investment in a sustainable, replicable, and professional model for after-action review of the most significant cyber incidents,” it added.

At the time, the board also recommended that Congress codify enhancements to the board’s authorities, including granting limited subpoena authority to the board. The board would also like to work with Congress to begin steady and predictable appropriations to mature the organization, build a permanent staff, and have budget certainty; CSRB staff, based on board feedback, are developing a proposed budget in parallel with this document to account for these evolving needs.

The CSRB was established pursuant to President Joe Biden’s Executive Order (EO) 14028 on ‘Improving the Nation’s Cybersecurity’ to serve a deliberate function to review major cyber events and make concrete recommendations that would drive improvements within the private and public sectors. The board’s construction is a collaboration of government and private sector members and provides a direct path to the Secretary of Homeland Security and the president to ensure the recommendations are addressed and implemented, as appropriate.

The Executive Order requires the board to provide recommendations in the CSRB report across eight categories: identified gaps in, and options for, the board’s composition or authorities; the board’s proposed mission, scope, and responsibilities; its membership eligibility criteria for private sector representatives; board governance structure, including interaction with the executive branch and the Executive Office of the President; thresholds and criteria for the types of cyber incidents to be evaluated; sources of information that should be made available to the board, consistent with applicable law and policy; an approach for protecting the information provided to the board and securing the cooperation of affected U.S. individuals and entities for the board’s review of incidents; and administrative and budgetary considerations required for the operation of the board.

In December, the DHS said that the CSRB would review the recent attacks associated with Lapsus$, a global extortion-focused hacker group. The CSRB will develop actionable recommendations for how organizations can protect themselves, their customers, and their employees in the face of these types of attacks. The Lapsus$ hacker group reportedly employed techniques to bypass a range of commonly used security controls and successfully infiltrated a number of companies across industries and geographic areas.

Last week, the DHS released the latest version of its Quadrennial Homeland Security Review (QHSR) document, which is updated every four years as required by law. The document comes at a time when cyber threats have evolved and increased since the founding of the department. It also informs existing departmental processes for translating priorities into resources, including the DHS Strategic Plan and the annual budget development process. The document identified that nation-state threat actors are becoming increasingly sophisticated, targeting federal, state, and local government agencies, critical infrastructure companies, and others.
