Cyber Safety Review Board

The Cyber Safety Review Board (also called the CSRB) was established by United States Secretary of Homeland Security Alejandro Mayorkas on February 3, 2022. [1] [2] [3] [4] Modeled after the National Transportation Safety Board, the Board reviews significant cybersecurity incidents and issues reports. [5] [6] President Joe Biden directed the Board's creation through Section 5 of Executive Order 14028, issued on May 12, 2021. [7] [8]

Overview

The Board reviews and assesses significant cyber incidents and provides findings and recommendations to the United States Secretary of Homeland Security. Its membership combines government and private-sector members, and it has a direct path to the Secretary of Homeland Security and the President, so that its recommendations can be addressed and implemented as appropriate.

Executive Order 14028 provides that the Board is composed of up to twenty members, chosen by the Director of the Cybersecurity and Infrastructure Security Agency. [9] Those members must include representatives from various federal agencies, as well as individuals employed by the private sector. [9] The CSRB lacks subpoena power and instead relies on voluntary cooperation from organizations with relevant information, though the Biden Administration has published a legislative proposal requesting that Congress grant the CSRB subpoena power. [10]

Reports

As of 2024, the CSRB has issued three substantive reports.

Review of the December 2021 Log4j Event

On July 11, 2022, the CSRB published its first report, reviewing the Log4Shell vulnerability and associated incidents. [11]

Review of the Attacks Associated with Lapsus$ and Related Threat Groups

On July 24, 2023, the CSRB published a report reviewing the Lapsus$ international hacker group. [12]

Review of the Summer 2023 Microsoft Exchange Online Intrusion

On March 20, 2024, the CSRB published a report detailing how, in May 2023, a cyber threat actor that Microsoft tracks as STORM-0558 compromised the mailboxes of a broad range of victims in the United States and United Kingdom, including email accounts at the U.S. Department of State, the U.S. Department of Commerce, and the U.S. House of Representatives. [13] The CSRB reported that STORM-0558 compromised Microsoft's corporate network by unknown means and stole a Microsoft Services Account (MSA) signing key, which it then used to sign forged authentication tokens that granted access to specific mail accounts. [13] The malicious activity was eventually detected by the U.S. Department of State rather than by Microsoft itself.

The CSRB concluded that "Microsoft's security culture was inadequate and requires an overhaul," noting that Microsoft "failed to detect the compromise of its cryptographic crown jewels on its own, relying instead on a customer." [13] The report was widely covered by traditional media and the cybersecurity trade press. [14] [15] [16] [17]

Following the publication of the report, Microsoft CEO Satya Nadella released a blog post acknowledging the CSRB's findings and pledging to prioritize security in the future. [18]

Current Composition

The CSRB is composed of 15 cybersecurity leaders from the federal government and the private sector. [3]

Former Members

Private sector CSRB members serve for a term of two years, which may be renewed up to three times. [9] [19]


References

  1. Sanger, David E.; Perlroth, Nicole; Barnes, Julian E. (2021-05-10). "Biden Plans an Order to Strengthen Cyberdefenses. Will It Be Enough?". The New York Times. ISSN 0362-4331. Archived from the original on 2021-10-16. Retrieved 2021-05-13.
  2. "Biden Signs Cybersecurity Executive Order Following Colonial Pipeline Hack". NPR.org. Archived from the original on 2021-06-24. Retrieved 2021-05-13.
  3. "Cyber Safety Review Board website". Archived from the original on 2022-07-21. Retrieved 2022-08-10.
  4. "DHS Launches First-Ever Cyber Safety Review Board | Homeland Security". www.dhs.gov. Archived from the original on 2024-05-31. Retrieved 2024-06-01.
  5. "The New Cyber Executive Order is a Good Start, But Needs a Supercharge from Congress". Just Security. 2021-05-13. Archived from the original on 2021-09-26. Retrieved 2021-05-14.
  6. Katz, Justin (2021-05-13). "Cyber EO lays a foundation for securing government". GCN. Archived from the original on 2021-05-14. Retrieved 2021-05-14.
  7. "Executive Order on Improving the Nation's Cybersecurity". The White House. 2021-05-12. Archived from the original on 2021-05-15. Retrieved 2021-05-13.
  8. Breuninger, Kevin; Macias, Amanda (2021-05-12). "Biden signs executive order to strengthen U.S. cybersecurity defenses after Colonial Pipeline hack". CNBC. Archived from the original on 2021-10-19. Retrieved 2021-05-13.
  9. "Cyber Safety Review Board Charter | CISA". www.cisa.gov. 2023-09-21. Archived from the original on 2024-06-14. Retrieved 2024-06-01.
  10. "Is the Cyber Safety Review Board working? Lawmakers consider tweaks to CSRB". federalnewsnetwork.com. 2024-01-18. Archived from the original on 2024-06-14. Retrieved 2024-06-01.
  11. Cyber Safety Review Board (2022-07-11). Review of the December 2021 Log4j Event (PDF). Cybersecurity and Infrastructure Security Agency. Wikidata Q113274848.
  12. "Review Of The Attacks Associated with Lapsus$ And Related Threat Groups Report | CISA". www.cisa.gov. 2023-08-10. Archived from the original on 2024-06-01. Retrieved 2024-06-01.
  13. "Summer 2023 Review of the Microsoft Exchange Online Intrusion | CISA". www.cisa.gov. 2024-05-24. Archived from the original on 2024-05-31. Retrieved 2024-06-01.
  14. Nakashima, Ellen; Menn, Joseph (2024-04-02). "Microsoft faulted for 'cascade' of failures in Chinese hack". Washington Post. ISSN 0190-8286. Archived from the original on 2024-05-18. Retrieved 2024-06-01.
  15. eliasgroll (2024-04-03). "Cyber review board blames cascading Microsoft failures for Chinese hack". CyberScoop. Archived from the original on 2024-06-01. Retrieved 2024-06-01.
  16. Hendery, Simon (2024-04-03). "Review board slams Microsoft's lax security practices and culture". SC Media. Archived from the original on 2024-06-01. Retrieved 2024-06-01.
  17. "U.S. Cyber Safety Review Board blames Microsoft for Chinese hack". CNBC. 2024-04-03. Archived from the original on 2024-06-01. Retrieved 2024-06-01.
  18. Microsoft Corporate Blogs (2024-05-03). "Prioritizing security above all else". The Official Microsoft Blog. Archived from the original on 2024-06-01. Retrieved 2024-06-01.
  19. "DHS, CISA Announce Membership Changes to the Cyber Safety Review Board | CISA". www.cisa.gov. 2024-05-06. Archived from the original on 2024-06-01. Retrieved 2024-06-01.