
Paul McLellan

Black Hat: Inside the Cyber Safety Review Board

4 Mar 2022 • 9 minute read

Earlier this week, Black Hat ran a webinar titled Inside the Cyber Safety Review Board: A Fireside Chat with Jeff Moss, Chair Rob Silvers, and Deputy Chair Heather Adkins. Jeff Moss, the founder of Black Hat, interviewed Rob Silvers, who is the chair of the Cyber Safety Review Board (CSRB), and Heather Adkins, who is the deputy chair and has a day job as Google's Senior Director for Security Engineering. If you haven't already done so, before reading this post I suggest that you read my earlier post BlackHat: Do We Want a National Cybersecurity Safety Board?

Two particular incidents come up in the discussion: one was the motivation for forming the CSRB in the first place, and the other is the topic of the board's first report, on which work is just starting. So read my blog posts:

  • The Biggest Security Breach Ever (about SolarWinds)
  • Log4J: 2021 Ends the Same Way It Began

Well, we have a CSRB and its first meeting is coming up in a few days.

My post does not contain exact quotes (I can't type that fast!) but I will write this post as if they are. When I put Q for a question, that is Jeff Moss asking the questions. Anything in [brackets] is my commentary.

Jeff started with a couple of softball questions but they get harder later on.

Q: The CSRB is recently created and has its first meeting in a few days. So what is the role and purpose of the CSRB?

Rob: It was created by President Biden last year in the wake of SolarWinds to bring together government and private partners to make recommendations on how to improve our security. It is modeled on the NTSB. The idea is to learn from cyber events. Currently, there is nothing that improves the situation and lets us learn from incidents. Companies, of course, review their incidents but generally, they do not share with others. Half the members are from the government and half from the private sector. CSRB is not a regulatory body, it is not a law enforcement agency, it is about learning lessons for the future.

[It was not mentioned in the webinar, but I went and looked up who the members are]

  • Robert Silvers, Under Secretary for Policy, Department of Homeland Security (CSRB Chair)
  • Heather Adkins, Senior Director, Security Engineering, Google (CSRB Deputy Chair)
  • Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator; Co-Founder and former CTO, CrowdStrike, Inc.
  • John Carlin, Principal Associate Deputy Attorney General, Department of Justice
  • Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
  • Chris Inglis, National Cyber Director, Office of the National Cyber Director
  • Rob Joyce, Director of Cybersecurity, National Security Agency
  • Katie Moussouris, Founder and CEO, Luta Security
  • David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
  • Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
  • Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
  • John Sherman, Chief Information Officer, Department of Defense
  • Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
  • Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
  • Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks

Heather: I like to think about how the NTSB came into being. The arrival of cars. Trains moving from steam to electricity. Flight. Propeller to jet. These were innovative and disruptive for their time and we are there with digital technology today. Phones in our pockets, smartwatches, tags that can track our possessions. Things will not run smoothly if people don't trust them, so we need to plan how we are going to study incidents when they come up. Getting to the foundations of a national view on how technology fails us and how we can improve it is really important.

Q: Why now? It’s been debated for a decade, so what got us over the finish line?

Rob: The executive order came about in the wake of the SolarWinds and Microsoft Exchange Hafnium incidents. [Hafnium was when Microsoft detected lots of attacks on Exchange servers using 0-day exploits in March last year] It sought to pick up the community recommendations that have been percolating over time but not mandated, such as zero-trust architecture and 2-factor authentication. The idea was to create an NTSB but for cyber. The first review will be the Log4J vulnerability, one of the most significant ever discovered. [If you don't know what Log4J is then go and read my post linked to near the start of this post]

Q: Walk me through people's roles.

Rob: I'm the chair, and Heather is deputy chair. The model is one leader from the public sector and one from the private sector [Heather works for Google]. We are arm in arm as we launch the Log4J review. Every member has one vote. For something as complex as Log4J we will need to divide and conquer.

Heather: We are 15 people and in the lifetime of the board we will be reviewing many topics. One thing we will do is leverage the whole community and get the right people in the room for these conversations. Log4J touches the democratization of coding and the ability of anyone in the world to create an open-source project.

Q: So you have your first task, Log4J. What are the deliverables? There may be classified information submitted to the board, but in the end the report will be public, right?

Rob: Yes, there will be a public report. There may be information we receive that we cannot release, perhaps because it is business confidential, perhaps because it is classified.

Q: But the result is to create a not-secret report for the country?

Rob: Yes, not-secret. If we have to do some confidential stuff we will do that too.

Q: How long do you envision these things will take? And what happens if people on the board don’t vote for the report?

Rob: We have 90 days under the executive order to conduct our first review, so we will be working fast. In terms of diversity of views, the goal is to achieve consensus whenever we can, but we will develop reports that note where there are differing views.

Heather: Some things are really obvious like using 2-factor authentication. But some will be more controversial and we want to surface these issues. We need to mix some practical things we can do now with inspirational things for academics and venture capital.

Rob: I can envisage recommendations that are technical but some might be national policy recommendations for Congress and the Executive Branch at the policy and regulatory level. One of the really special parts of this organization is to bring together experts that have this full spectrum of expertise both technical and policy.

Q: Are we hamstrung since we don’t have the concept of software liability?

Heather: There was no liability built into technology in the 19th century for a long time. We had seat belts for a long time before we had 3-point harnesses and airbags. We don't know what the equivalents are in security. We are 30 years into this.

Q: We need more. Like perhaps we need mandatory breach notifications, not just one-off autopsies.

Heather: One of the interesting things about Log4J is that it is not just a US problem. One person somewhere can create software that is used by millions of people. That's very different from transportation. It can't just be an idea for liability. We need to rethink what the process needs to be for creating projects like this.

Rob: Everyone who joined this board is a busy, successful person, and they joined because they want to do big things. Every idea has its time, and there are ideas that have been floating around but their time has not come. For example, there has been a community talking about software bills of materials for a long time, and then Log4J comes along and it becomes much more pertinent. This board is filled with practitioners who are doing the work. These will be action-oriented solutions, not just theoretical ideas.

Q: You've got the game plan. How do you measure success? At the end of 90 days you have a report. What do you want to accomplish with this first one?

Rob: One good template was the Solarium report [the report of the Cyberspace Solarium Commission in 2020], which just got accepted as wise and started to be acted on. We will measure success by measuring the uptake of our recommendations. We intend to make recommendations that are high impact.

Heather: After the first report, we will take a look at it and measure how effective it was. The inaugural report allows us to lay out the norms. We will navigate as we go, so I'm sure the second report will be a bit different.

Q: Do you expect pushback from the private sector, or from agencies who might think you are stepping on their toes? Other countries have not done this, so other countries will be watching and perhaps start doing the same thing. Where do you think the bumps in the road will be?

Rob: One bump is that I can imagine companies that are not familiar with this new body and wonder why they should cooperate with it. Remember, the board has no regulatory authority. So we are adopting a philosophy of “blameless post-mortems”. We just make actionable recommendations and it is not about accountability. People can talk to us under confidentiality protection.

Heather: One criticism is that many of these analyses are shrouded in secrecy and so don't make it out, but there is an appetite to know how to address it, in both industry and agencies in the government. We need to analyze these events without finger-pointing, just how do we get better.

Jeff: You see reports from big companies, but often there are reasons not to look too deeply, for liability reasons or something. But if you can say the same things a manufacturer would say, it means more since it is coming from an independent body.

Heather: SolarWinds is another example; there is a lot of client software that could have been used instead. So the focus is not on what one company did wrong, it could have been somebody else.

Jeff: Optimistically, you are successful, you’ve got some reports out. Do you think there is enough flexibility to explore what the moment demands?

Rob: There is lots of freedom in how we conduct this. One thing the executive order tasks us to do is to see whether there is an even better way to do business. We all want it to be effective. We want it to be seen as an authoritative source for the security community.

Q: So the review gets done, 90 days are up. Does the executive branch have to tell you what to do next? Or can you choose other things to review?

Rob: We won’t be shy to recommend things if we think it is appropriate.

Q: Hopefully you will come back in 90 days when the first report is out and do another webinar with Black Hat. We on the outside are proud that we in the US get to do this first, and hopefully, others will follow.

[If that webinar happens then I will cover it here in Breakfast Bytes]
