The U.S. government’s response to a steady stream of cyberattacks is slowed by the delayed deployment of a planned board to review major incidents and make security recommendations, cyber researchers and consultants say.
The cyber board is charged with examining incidents and drawing lessons to inform U.S. government policies and practices, starting with the SolarWinds Corp. software hack that rippled across federal agencies and the private sector. It’s been a year since the SolarWinds attack that inspired the board’s creation came to light, and the cyber board hasn’t launched yet.
“The longer you delay having this board set up, the worse of a position we are in,” said Steven Bellovin, a computer science professor at Columbia University who advocated for a board to review cyber incidents.
Other cyberattacks have followed in the wake of the SolarWinds event, from the hack of Microsoft Exchange servers to ransomware attacks on gas supplier Colonial Pipeline Co. and meat processor
“We’re going to see more attacks that aren’t investigated,” Bellovin said.
The department is “far along in its work to stand up the Cyber Safety Review Board,” a DHS spokesperson said in an email. “We anticipate a near-term announcement and we look forward to working with the distinguished cybersecurity leaders who have agreed to serve on the Board,” the spokesperson said.
Biden’s executive order doesn’t set a deadline for creating the board. The board will have 90 days from its establishment to give recommendations to the DHS secretary for boosting the nation’s cyber defenses and response.
The review board’s role in analyzing cyber incidents could help “bridge the gap” between existing investigations by law enforcement and those by companies that are victims of such attacks, according to Erez Liebermann, a former federal cybercrime prosecutor who’s now a partner at Linklaters LLP.
Law enforcement’s mission in investigating a cyber event is to catch criminals and bring them to justice, Liebermann said, while companies hit by hackers typically hire a forensic firm to concentrate on issues facing their computer systems and customers.
Companies often try to shield forensic reports on an incident’s root cause and the response to it, due to the threat of class action litigation and enforcement actions, he said.
A review by the planned cyber board could provide “a much more public accounting of what happened and how it happened,” Liebermann said.
However, unlike the transportation safety board’s reports, the cyber review board’s findings may not be made public. The executive order only requires that the board provide recommendations to the DHS secretary.
The job of the cyber review board shouldn’t be to find a single point of failure for an incident like SolarWinds, even though that’s often the security industry’s impulse, said Tarah Wheeler, a cybersecurity fellow at Harvard University.
“The job of an investigative board like this is not to lay blame, nor to find who to fire,” she said. “We have to look instead at the system that made this situation possible.”
Focusing less on blame could help the cyber industry take a lessons-learned approach to addressing future threats, instead of just responding to individual events, Wheeler added.
Figuring out where to make strategic investments in cybersecurity is a crucial challenge when the government and private sector are in “firefighting mode,” responding to a series of attacks, said Adam Shostack, a cyber consultant with expertise in threat modeling who formerly worked at
“In cybersecurity, we don’t spend enough time understanding why did the fire start, why did it spread, what are the commonalities between these building fires,” Shostack said.
The board will include federal officials from the Defense Department, the Justice Department, the Cybersecurity and Infrastructure Security Agency, and other agencies, as well as private sector representatives.
A Defense Department spokesman said in an email that the agency has designated a cyber board member, but declined further comment. DOJ and CISA didn’t immediately respond to requests for comment.
One reason the board isn’t up and running could be related to the U.S. government’s other ongoing efforts to address cyber risks, according to John Dermody, counsel at O’Melveny & Myers LLP who was previously a deputy legal adviser at the National Security Council.
The executive order establishing the review board also seeks to shore up the government’s cyber defenses and improve information-sharing with the private sector. It’s one of several steps that the Biden administration has taken in the wake of repeated cyberattacks, including the newly created Office of the National Cyber Director and a push to secure the nation’s critical infrastructure from hackers.
“There’s been so much going on in the cyber world over the past year or so that some things will have to wait. This may be one of them,” Dermody said.