At a glance.
- Notes on the US Cyber Safety Review Board (CSRB).
- Log4j will be the CSRB's first case.
- US Department of Defense assigns CMMC to its CIO.
The Cyber Safety Review Board: composition and industry reactions.
The US Department of Homeland Security has described the Cyber Safety Review Board as a public-private partnership, and its initial composition bears that out:
- Robert Silvers, Under Secretary for Policy, Department of Homeland Security (CSRB Chair)
- Heather Adkins, Senior Director, Security Engineering, Google (CSRB Deputy Chair)
- Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator; Co-Founder and former CTO, CrowdStrike, Inc.
- John Carlin, Principal Associate Deputy Attorney General, Department of Justice
- Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
- Chris Inglis, National Cyber Director, Office of the National Cyber Director
- Rob Joyce, Director of Cybersecurity, National Security Agency
- Katie Moussouris, Founder and CEO, Luta Security
- David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
- Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
- Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
- John Sherman, Chief Information Officer, Department of Defense
- Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
- Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
- Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks
Jake Seid, General Partner at Ballistic Ventures, regards the CSRB as an important development in public-private partnership for better cybersecurity: "Addressing the cybersecurity threat is going to benefit greatly not just from investments made by the private sector but also from investments made by the public sector. And of course, from the two sectors collaborating. Ultimately all new initiatives depend on execution but the concept shows a very important step of increased public sector focus and investment in this area."
The CSRB's first case will be Log4j.
As we noted yesterday, after much anticipation, the White House has announced the membership of its new Cyber Safety Review Board (CSRB). The public-private partnership is tasked with investigating major cyber incidents impacting government, business, and critical infrastructure, and it has just stated that the first item on its agenda will be the Log4j vulnerability. Rob Silvers, Under Secretary for Policy at the Department of Homeland Security (DHS) and newly named chair of the CSRB, told The Wall Street Journal that the group hopes to complete its investigation of the open-source logging library bug by May.
ZDNet asked the board why it chose Log4j for its first probe, as opposed to, say, the SolarWinds incident (which prompted the creation of the December 2020 Cyber Unified Coordination Group and subsequently led to the formation of the CSRB). In response, a DHS spokesperson cited the fact that the widespread use of Log4j increases the impact of the vulnerability and makes it an easy target for threat actors. They added that the board "will take into consideration existing findings and recommendations related to the activities that prompted the December 2020 Cyber Unified Coordination Group to include any elements related to the existence and exploitation of vulnerabilities or the response to the events."
Tim Erlin, VP of Strategy at Tripwire, wrote to point out some differences between the Cyber Safety Review Board (CSRB) and the long-established National Transportation Safety Board (NTSB), to which the CSRB has often been compared:
“We’ve all seen cyber attacks grow from a primarily commercial concern to the level of a national security issue. When you have incidents that can shut down pipelines or impact the water supply, it becomes necessary to provide more rigorous investigation and greater transparency. We’ve certainly reached that point with cybersecurity.
"The comparison to the NTSB is useful, but won’t be entirely accurate. For example, trying to extend this comparison to their first target, the Log4j vulnerabilities, highlights the differences quickly. Log4j is hard to investigate as a single incident, especially given that it’s not really over yet. Still, there’s plenty to learn and we should expect the findings to shape legislation and regulation going forward.
"Cyber security incidents will require very different tools and skills to investigate, and we should all be prepared for some less than satisfying conclusions, especially at the start. The formation of this review board should serve not only to deliver reports, but to continuously improve the best practices for these types of investigations.”
And we know that Log4j exploitation will be the first matter the CSRB takes up. Tripwire's Erlin also had some thoughts on what some of its future cases might look like. He thinks that News Corp's recent disclosure (covered in the Wall Street Journal) would be the kind of incident the CSRB might usefully look into. He begins by noting that initial disclosures are always light on the details, and that attribution is always murky, especially early in the history of an incident:
“It’s time to remind ourselves that there is always more information to be discovered after the initial disclosure of a cyber attack like this one. We should expect that the information shared today isn’t the full story.
"Cyber attack attribution is extremely difficult, and while the casual reader may draw the conclusion here that China is responsible (which may be true), it’s worth noting the language that Mandiant uses. Mandiant states that 'those behind this activity have a China nexus' and that 'they are likely involved in espionage activities to collect intelligence to benefit China’s interests.' The statement does not go as far as pointing to the Chinese government directly. The term “China nexus” and the phrase “benefit China’s interests” are both ways of softening the conclusion. In these types of reports, language matters.
"On its surface, this seems like the kind of incident the newly formed Cyber Safety Review Board might investigate. This might be a test of the effectiveness of that effort, but given the international nature of News Corp, it will also test how that board addressed the inherently different borders that apply to cybersecurity.”
Mark Alba, Chief Product Officer at Anomali, thinks that the pervasiveness of the Log4j family of vulnerabilities was tailor-made for CSRB review. The narrower case of the News Corp hack might, however, be a useful foray into the sphere of nation-state cyber operations:
“The board’s decision to take up Log4J as one of its first cases is a smart move, as the vulnerability is virtually ubiquitous across computing environments. A look into the News Corp breach would also be a good idea, as all signs point to this being a nation-state attack. Because these types of breaches are often an early look into a major cyber event taking place, an investigation could yield new intelligence about how the adversary operates, which could help other organizations to proactively defend against it.”
Murky as early attribution may be, Expel CEO Dave Merkel, considering the incident in itself, apart from any consideration the CSRB might give it, sees the limited details available as consistent with the methods Chinese government operators have used in the past:
"This latest attack would be entirely consistent with past Chinese state-sponsored behavior. Years ago, Chinese nation state actors attacked the New York Times in a well-publicized incident. And their use of BEC would also make sense. When it comes to cyberattacks, nation state actors will only be as advanced as they have to - why burn expensive zero days if you don't need to? The #1 source of attacks against our customers is BEC. There’s no reason to think Chinese state-sponsored groups wouldn't use the same tactics against their targets if those tactics work - and news organizations are definitely targets.”
And, whatever the eventual attribution may turn out to be, the methods on display are dishearteningly familiar. Jake Seid, General Partner at Ballistic Ventures, wrote to say, “Unfortunately, business email systems getting compromised is quite common. It happens through many different ways but often these days through social engineering, where attackers trick employees into doing something that ultimately compromises the system.”
Paul Farrington, chief product officer at Glasswall, sees the Chinese operation as indicative of the way in which nation-states have come to see cyberspace as a domain of conflict:
“Cyber has joined land, sea and air to become the fourth conflict theatre. From a risk/reward perspective, it’s a theatre of operations that offers a lot of advantages. For instance, attacks can be carried out with little or no repercussions, yet have devastating practical consequences. Attackers are not waging war or committing acts of aggression in the traditional sense, and there are as yet few examples where attacks have caused human casualties. However, each incident adds to the underlying tension and suspicion that exists on the international stage.
"Current reports state that Chinese nation-state hackers are behind the News Corp cyberattack that compromised journalists’ sensitive emails and documents. It is common for politically motivated cybercriminals to mine reporters’ materials for intelligence as they often speak to confidential sources and gather important information on world events.
"As the ‘weaponization’ of information technology escalates at an alarming rate, organizations must significantly improve their ability to proactively identify and defend against attacks, irrespective of their source and motivation. Failure to do so will leave more organizations at even greater risk of disruption and damage, tactically outmatched by adversaries who are relying on the weaknesses inherent in many of today’s IT networks for their success.
"Attacks like this demonstrate that a traditional castle-and-moat approach to network security leaves organisations exposed. Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. Without a zero trust approach, organisations run the risk of attackers having a free reign across a network once they are inside.”
US Department of Defense moves CMMC responsibility to the CIO.
Federal News Network reports that the Pentagon will be shifting responsibility for the Cybersecurity Maturity Model Certification (CMMC) program to the Department of Defense (DoD) chief information officer. In doing so, they will do away with the office of the under secretary for acquisition and sustainment (A&S), which has overseen the CMMC since its launch in 2019. DoD CIO John Sherman explained that the purpose of the move is “to increase the program’s integration with other Defense Industrial Base Cybersecurity programs,” and stated, “As we realign responsibility for the program, it’s important to note that we will continue to work closely with A&S on this program.” The CMMC program is described as a “comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks” by supporting small and medium-sized businesses, setting goals for protecting DoD information, and strengthening cooperation between the DoD and industry. CMMC Director Stacy Bostjanick and a team of six civilians from A&S will transition to the CIO’s office.