The decision by the DHS Cyber Safety Review Board to take a “deep dive” into the activities of a single criminal hacking group is drawing a cautious reaction from stakeholders, who see it as a departure from the board's focus on federal systems or specific incidents, but also as an opportunity to pull apart the inner workings of a cyber threat actor.
DHS on Friday announced that the board’s second review will address “the recent attacks associated with Lapsus$, a global extortion-focused hacker group. Lapsus$ has reportedly employed techniques to bypass a range of commonly-used security controls and has successfully infiltrated a number of companies across industries and geographic areas.”
The board in July completed its first review on the Log4j software vulnerability, producing recommendations for government and the private sector on addressing “continued risks” and improving the security of the software ecosystem. The CSRB was created under President Biden’s 2021 cyber executive order.
DHS under secretary for policy Rob Silvers, the board’s chair, said the Lapsus$ review will produce “authoritative fact-finding and recommendations” that can have an immediate effect for network defenders. The board’s 15 government and private-sector members will “take the time needed to conduct a thorough review” and conclude “as quickly as possible,” he said. Heather Adkins of Google serves as board vice chair.
“I am intrigued by the selection as it strikes me as a little bit afield from the original concept of the CSRB in the EO, which after all was linked to Federal cybersecurity, but that being said I agree that it could yield some interesting and actionable results,” said Bob Kolasky, former head of CISA’s National Risk Management Center and now senior vice president at Exiger.
Mark Montgomery of the Foundation for Defense of Democracies commented, “I am excited that the CSRB is moving on to investigate another issue, and I think examining a ransomware group will likely lead to some new and valuable recommendations.”
However, he said, “I do think this avoids the next big step which is that complex incident investigations by CSRB will need the legal authorities similar to those of the National Transportation Safety Board. It would be good to see DHS proposing the necessary legislative language to get these authorities for the CSRB sooner rather than later.”
Montgomery is a leader of the Cyberspace Solarium Commission, which recommended passing legislation to create the board.
Taking a different view, one industry source said questions remain about the underlying value of the review board and other initiatives.
“Frankly this effort and all the ballyhoo about [the Joint Cyber Defense Collaborative] is just rearranging the deck chairs,” the source said. “A real house cleaning and zero based development of programs with a willingness to cut duplication across agencies would be refreshing but unlikely in our lifetime.” – Charlie Mitchell