The Cyber Safety Review Board is moving toward launching its second review, according to DHS under secretary for policy Rob Silvers, who discussed the CSRB’s work as well as CISA’s new performance goals for industry in a fireside chat with Suzanne Spaulding of the Center for Strategic and International Studies.
“The second review will be here before too long, we have some ideas that are moving quickly down the pipeline,” Silvers said Friday at a CSIS event, while declining to identify the vulnerability or incident that will be examined.
The CSRB in July issued its first report, addressing the widespread Log4j software vulnerability, and Silvers said officials are “already moving out” on recommendations from that report, including through CISA guidance on asset management and ongoing work on open source software security.
Silvers chairs the CSRB and also heads up the Cyber Incident Reporting Council created by the incident reporting law enacted in March.
Spaulding, a senior advisor for homeland security at CSIS, served as the top cybersecurity official at the Department of Homeland Security during the Obama administration and was a member of the Cyberspace Solarium Commission. She hosts a fireside chat Tuesday with CISA Director Jen Easterly on the CISA performance goals and other issues.
The safety review board flowed from a Solarium recommendation and is patterned after the National Transportation Safety Board.
“We never had this for cyber,” Silvers commented, adding the process “is truly about lessons learned and what we need to do going forward,” rather than about assigning blame in cyber incidents. “We have gotten a good reaction” to the first report, he said.
Silvers said CISA, DHS and component agencies like the Transportation Security Administration are working out of “two buckets” in addressing cyber across critical infrastructure sectors: increasing companies’ resilience to cyber attacks, and developing “operational collaboration” with industry partners.
The performance goals, issued last week by CISA, help increase resilience by providing a tool for companies of any size to use in developing a “mature” cyber program, he said, and equip CISOs with a cybersecurity program they can take to management and boards of directors.
“We’re trying to meet companies where they are and bring them a product they can use” to map progress, Silvers said.
On operational collaboration, Silvers pointed to the work of CISA’s Joint Cyber Defense Collaborative and said the cyber agency “is drawing up the best from that and sharing it with the broader community.”
“On the back end,” he said, “we have the Cyber Safety Review Board to draw lessons.”
Silvers also discussed the Shields Up campaign launched prior to the Russian invasion of Ukraine, calling it “the most extensive” government-private sector engagement of its kind “ever led by the federal government.”
The ongoing effort is “unprecedented,” Silvers said, “and sets a model” through its use of industry briefings and information sharing.
Spaulding noted that “it will be hard to keep up the tempo,” but said, “I hope there’s no back-pedaling” in areas including info-sharing and declassification of relevant intelligence of use to critical infrastructure operators.
She also urged lawmakers to address another Solarium recommendation by passing legislation to create a Bureau of Cyber Statistics, though that one appears unlikely to move this year.
On election security, Silvers said federal and state officials have done a good job securing computer equipment and data systems and that CISA will be operating its around-the-clock “watch operation” on and around election day.
Spaulding said of securing the systems, “I feel that situation is well in hand,” while she expressed ongoing concerns over disinformation efforts. – Charlie Mitchell