- Two leading members of the Cyber Safety Review Board, speaking at the Black Hat USA conference in Las Vegas Wednesday, praised the inaugural investigation of the Log4j vulnerability.
- Robert Silvers, CSRB chair and under secretary for strategy, policy and plans at the Department of Homeland Security, said Log4j was the right incident for the board’s first investigation in February. It was a fresh event that was disclosed in December 2021 and has major implications for a number of stakeholders, particularly the open source community.
- The board got widespread cooperation from about 80 different stakeholders across the world, including input from multiple foreign governments, ranging from traditional western allies as well as participation from government officials in the People’s Republic of China. Silvers called the overall level of public-private participation with the review as “remarkable.”
DHS created the CSRB in February, as part of a larger plan by the Biden administration to strengthen the nation’s cybersecurity infrastructure and defend against a wave of high-profile cyberattacks. Major incidents include the 2020 SolarWinds supply chain attack and the May 2021 ransomware attack against Colonial Pipeline.
The 15-member board was designed, in part, based on how aviation and rail accidents are reviewed in the U.S. In such cases, safety experts investigate commercial airline and train crashes in order to find the cause of those accidents and recommend steps to prevent future incidents.
The report, released in July, called Log4j an “endemic vulnerability” that was exploited at lower levels than initially feared, but would have lingering impacts well into the future.
Heather Adkins, deputy CSRB chair and vice president of security engineering at Google, agreed the Log4j vulnerability was the right incident for the board to review as part of its initial investigation.
“I think Log4j is probably one of the most impactful events I can remember in terms of cybersecurity,” Adkins said at Black Hat.