Inside Cybersecurity


Tony Sager: DHS Cyber Safety Review Board to focus on ‘foundational’ challenges revealed by Log4j

By Charlie Mitchell / February 11, 2022

Cybersecurity leader Tony Sager says the DHS Cyber Safety Review Board will provide an “analytical and holistic look” at the impacts of the Log4j software vulnerability, pulling together a senior group of experienced cyber hands to “look at this together and prioritize what we need to do to avoid this kind of problem in the future.”

“Bringing together the public and private sectors is a really good structure and the people on [the new board] are really good,” according to Sager, one of seven private-sector cybersecurity experts tapped to serve on the board alongside eight senior security leaders from the federal government. “I’m not sure we’ll discover startling new technical issues [related to Log4j] because this is designed to go beyond the ‘incident of the day’ and look at the harder, more foundational things that need to be done that companies can’t do by themselves.”

Sager in an interview with Inside Cybersecurity explained, “You can’t ignore the ‘incident of the day,’ you have to address that in order to survive, but we needed a national way to look at one incident in the context of the whole problem. … As attention shifts to the next giant thing, we want the board to take an analytical and holistic look at Log4j. The board can avoid getting swept up” by events.

Tony Sager, Senior Vice President and Chief Evangelist, CIS

Sager is senior vice president and chief evangelist at the Center for Internet Security and a leader in the development of the well-known CIS Controls. He is a 34-year veteran of the National Security Agency.

DHS on Feb. 3 announced that examining the Log4j situation would be the first task for the Cyber Safety Review Board, with a report and recommendations expected this summer.

The board was formally launched the previous day and will function under the direction of the Cybersecurity and Infrastructure Security Agency. The new body is chaired by DHS senior official Robert Silvers while Heather Adkins, Google’s senior director for security engineering, serves as deputy chair.

CISA “will manage, support, and fund the Board with CISA Director Jen Easterly responsible for appointing CSRB members, in consultation with the DHS Under Secretary for Policy Rob Silvers, and for convening the Board following significant cybersecurity events,” according to DHS.

A meeting to discuss the board’s operating procedures and more is planned for late February, Sager said, with CISA organizing the effort and providing administrative and logistical support, as well as the agency’s own cyber expertise. “The industry people have all agreed to devote a significant amount of time and there is a very good support team at DHS,” he said.

Sager noted that his own organization is already “neck-deep” in the Log4j response, as are other industry members of the board who will “bring solid knowledge” to the endeavor.

He observed that the board is based on a recommendation from the Cyberspace Solarium Commission, which envisioned an entity along the lines of the National Transportation Safety Board to review major incidents.

“Some of the NTSB model applies,” he said, “but cyber events are not the same” as a plane crash, for example. For one thing, he said, “cyber incidents happen all the time.”

“With airplanes, you know how the system is supposed to work, how safety was built in, and you have rules to work with. You find the violations of the rules” that caused the crash, he said, whether that was a human error, a flaw in equipment or design, or another factor.

Cyberspace, on the other hand, “is still the wild, wild west and it’s hard to narrow down what would’ve been the right behavior, [which is] often in the eye of the beholder,” he said.

Examining risks with an airplane is “a more mature discipline,” Sager said, but this review board can help move cybersecurity in the direction of a more disciplined way to look at vulnerabilities.

A “companion recommendation” in the Solarium Commission report called for creation of a Bureau of Cyber Statistics, Sager said, and such a body “would be a good one-two punch” along with the Cyber Safety Review Board. “In my opinion, you need both,” Sager said.

The safety review board was established at the direction of President Biden under his 2021 cyber executive order, but Congress so far has been unable to pass legislation authorizing a new Bureau of Cyber Statistics.

“We need to know if we’re getting better, an authoritative way to look at the numbers and statistics,” Sager said.

He looked back over the evolution of security efforts in cyberspace and said, “in the ’70s and ’80s we thought we’d cure this problem but we didn’t anticipate the world we’re in now, where everyone is vulnerable. It’s not a problem you’re going to cure, you have to manage it.”

“This is going to be challenging but really interesting,” he said of the new board’s mission. “The key is to turn the work into something actionable that can change behavior. That’s why it’s so important to have the government officials involved, like under the Cyberspace Solarium Commission model. There’s a track record of action,” he said.

“It feels like this is a good opportunity with people like Jen Easterly and [National Cyber Director] Chris Inglis. When they call, you have to answer,” Sager said. – Charlie Mitchell