Cyber Safety Review Board closes book on SolarWinds and reports on Log4j

A new public-private entity within the Department of Homeland Security has said all it intends to say about the incident dubbed “SolarWinds,” which it was directed to review under an executive order. That order came in response to the compromise of several federal agencies and high-profile tech companies in the intrusion campaign.

“We have fully complied with the executive order,” said Rob Silvers, undersecretary for policy at DHS. “The White House and Department of Homeland Security have jointly determined that when the board is launched at this point, the board’s expertise and resources should be best utilized to investigate recent events surrounding the Log4j vulnerability.”

Under Executive Order 14028, Silvers chairs the new Cyber Safety Review Board. He spoke to reporters Wednesday alongside DHS Secretary Alejandro Mayorkas and Heather Adkins, Google vice president of security engineering and vice chair of the CSRB. DHS arranged the media call before the board released its first report Thursday.

The executive order — issued in May 2021, five months after the SolarWinds event was uncovered — provided specific direction for the board’s formation, including an initial effort to focus on analyzing this incident, in which the intruders also abused Microsoft’s Active Directory Federation Services, using hijacked credentials to move laterally inside victim networks.

The order did not specify a timeline for the board to be established, but said that once it is in place, it should present recommendations from its review of the incident to the DHS Secretary within 90 days.

DHS announced the formation of the board in February, but said it would instead prioritize investigating vulnerabilities and remediation efforts related to the open-source software library called Log4j.

When asked about this issue, Adkins told reporters, “We found many parallels between the Log4j event and the SolarWinds incident when it comes to our recommendations and how software is safely developed and shared with the community, as well as how the community itself responds and comes together to join the public-private partnership.”

The report’s main recommendation is that organizations should continue to exercise vigilance regarding Log4j for years to come, since vulnerable versions of the library remain embedded in software they may not know they run. It also suggested that the DHS secretary “explore the feasibility of establishing a center of excellence for software security risk assessment.” Except for references in the footnotes, the report makes no mention of the SolarWinds incident at all.

After DHS announced in February that the report’s focus would change, Bennie Thompson, chairman of the House Homeland Security Committee, said he was “pleased that the Biden administration is taking this proactive step.”

But Rep. Ritchie Torres, D-N.Y., vice chairman of the committee, is not ready to let the issue rest. In legislation offered as an amendment to the annual National Defense Authorization Act, he would require the CISA Director and the Office of the National Cyber Director to perform a post-mortem on SolarWinds and report to Congress. He also calls on the Government Accountability Office to investigate the board’s actions.

“The Comptroller General of the United States is evaluating the activities of the Cyber Safety Review Board established pursuant to Executive Order 14028, with a focus on the Board’s initial review announced in February 2022,” the amendment reads, noting that GAO “should assess whether the Board has the necessary authority, resources and expertise to carry out its mandate to review and assess significant cyber incidents.”
