The Cyber Safety Review Board Releases Their First Report 

Last year, President Biden created the Cyber Safety Review Board, with the intention that (akin to the National Transportation Safety Board) the new organization would review cyber incidents, examine root causes and, where necessary, make recommendations. In relation to that, The U.S. Department of Homeland Security (DHS) released its first Cyber Safety Review Board’s (CSRB) report. It should be considered required reading:

Chris Clymer, Director & CISO, Inversion6 had this to say:

Log4J shined a light on long-standing problems in our software supply chain.  IT systems have become incredibly complex, with layers and layers of components put together by layers and layers of integrators and developers.  All of which is often compiled and built in ways where it is extremely difficult to know what components are included in a system your business relies upon.

This CSRB report is filled with great recommendations, and helps to reinforce that the Log4J issue has not gone away, and that there are likely numerous similar problems out there still unidentified.  CISA has done really great work raising awareness on security the last few years, becoming a singular voice on cybersecurity for the government.  So its striking that this report says that for all that, CISA should be doing MORE to assess and raise awareness.  Theres clearly more improvements to keep making.  They also recommend that the CISA guidance be taken from optional to mandatory by state and federal regulators.  I’m skeptical that many laws will pass here in our current political environment…and sadly, I agree that short of regulations REQUIRING organizations to do things like maintain a Software Bill of Materials, organizations are unlikely to prioritize investing the significant time and money into these efforts.  Many would like to…but the costs to really address these problems will be high.  Without regulatory cover, it is difficult to explain to stockholders why you’re making these investments…especially if you’re the first one making that shift.

This is fundamentally a good thing. For too long, cyber incident response has been uncoordinated, with a lack of systematic review at the Federal level. I look forward to seeing future reports as this one is very instructive.

Leave a Reply