WSJ News Exclusive | Biden Administration Forms Cybersecurity Review Board to Probe Failures
WASHINGTON—The Biden administration has formed a panel of senior administration officials and private-sector experts to investigate major national cybersecurity failures, and it will probe as its first case the recently discovered Log4j internet bug, officials said.
The new Cyber Safety Review Board is tasked with examining significant cybersecurity events that affect government, business and critical infrastructure. It will publish reports on security findings and recommendations, officials said. Details of the board will be announced Thursday.
The board, officials have said, is modeled loosely on the National Transportation Safety Board, which investigates and issues public reports on airplane crashes, train derailments and other transportation accidents. The new panel’s authority derives from an executive order that President Biden signed in May to improve federal cybersecurity defenses.
The cyber board isn’t an independent agency like the transportation board and will instead reside within the Department of Homeland Security. It will have 15 members—three times as many as the full complement of the transportation board—from government and the public sector who don’t need to be confirmed by the Senate. It lacks subpoena power, unlike the transportation board.
Homeland Security Secretary Alejandro Mayorkas said in an interview that the cyber board was intended to draw solutions to future problems from past cybersecurity crises, rather than casting blame where shortcomings are identified.
“It is not a regulatory authority, it is not a board that is searching for or focused upon accountability or fault,” Mr. Mayorkas said. “We are going to be looking at ourselves, we are going to be looking at one another, and that really underscores the purpose of this board—to not focus on fault.”
Rob Silvers, the undersecretary for policy at DHS and a lawyer with experience in cybersecurity issues, will chair the review board. Heather Adkins, senior director of security engineering at Alphabet Inc.’s Google, has been tapped as the vice chair.
Several government agencies, including the National Security Agency and other parts of DHS, have expansive cybersecurity missions that include protecting the federal government and assisting the private sector. Officials said the new board was necessary to combine the expertise of government officials and private-sector researchers to study high-profile cybersecurity episodes and share comprehensive findings with the public.
“This is something that has been missing from the ecosystem until now,” Mr. Silvers said of the Cyber Safety Review Board, which he said will draw personnel support and funding from the Cybersecurity and Infrastructure Security Agency, DHS’s cybersecurity wing.
Mr. Silvers said the board expects to finish by May its probe of the vulnerabilities related to the open-source software logging tool called Log4j. It is a free piece of code that logs activity in computer networks and applications, and officials have warned that it is likely one of the gravest cybersecurity vulnerabilities on record.
Researchers have said the Log4j flaw, publicly disclosed in December after its discovery by a Chinese security team, was particularly worrying because the free Java-based software is used in a range of products including security software, networking tools and videogame servers. The exact number of users of Log4j is probably impossible to know, but the software has been downloaded millions of times, according to the organization that builds it, Apache Software Foundation.
Other members of the 15-person board include Rob Joyce, the top cybersecurity official at the National Security Agency; John Carlin, principal associate deputy attorney general; National Cyber Director Chris Inglis; Dmitri Alperovitch, co-founder of the Washington-based Silverado Policy Accelerator think tank; and Katie Moussouris, a security researcher who pioneered bug-bounty programs as an incentive for reporting computer flaws.
Kemba Walden, assistant general counsel for Microsoft Corp., and Wendi Whitmore, senior vice president of Palo Alto Networks Inc.’s cyber threat team, are also on the board.
Democratic Sen. Mark Warner of Virginia, chairman of the Senate Intelligence Committee and co-chairman of the Senate cybersecurity caucus, had pushed for the creation of such a review board to probe major cybersecurity crises.
“It’s only a matter of when, not if, we face another widespread cyber breach that threatens our national security,” Mr. Warner said. “I was glad to see this NTSB-like function included in the president’s May 2021 executive order on cybersecurity, and this is a good first step to establishing such a capability.”
Write to Dustin Volz at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.