Cyber Safety Review Board faces blowback for prioritizing Log4j over SolarWinds

When the federal government’s new cybersecurity agency chose to cover Log4j for its first report rather than SolarWinds, the reaction among some observers was akin to Swifties missing out on Eras Tour tickets

The Cyber Safety Review Board (CSRB) was created in February 2022 after an executive order in May 2021 on “Improving the Nation’s Cybersecurity.” The board was tasked with investigating hacks and other cybersecurity challenges, and is made up of a mix of public servants and representatives from private companies.

There was an expectation that the board would start its review with one of the biggest cybersecurity breaches in US history, the 2019–2020 SolarWinds hack, believed to be connected to Russia—which led to data being exposed from at least eight federal institutions.

But the CSRB instead focused on the Log4j open-source software vulnerability threat in its first report in July.

Focus featured. That decision has earned the board and the federal government criticism for what detractors describe as an effort on the part of the government to shield private industry from public exposure of security flaws that might prove costly to their bottom line. A month after the report was released, reporters at the Black Hat cybersecurity conference asked DHS under secretary Rob Silvers about the Log4j prioritization.

“We felt together with the White House that the best use of the board when we launched in February was to review Log4j,” Silvers said, according to a report in SC Media. “It was fresh, it was an extremely broad and wide impact, and I think the report bears that out,” he added.

Not everyone agrees. According to SC Media, information security professional Tarah Wheeler argued during a separate presentation that without a “coherent government report” on the SolarWinds hack, it’s hard to figure out the “multiple reasons why there are process failures, and multiple places that you can fix that process failure for the future.”

Back and forth. Still, recent events may help justify the agency’s focus on Log4j. Officials revealed on November 16 that Iranian hackers exploited the Log4j vulnerability last year to access a US federal agency’s passwords and deploy cryptocurrency mining software.

Nevertheless, the board continues to face criticism over its prioritization of Log4j, with  Bloomberg’s Jeff Stone suggesting in November that the CSRB didn’t conduct a review of SolarWinds in part because it would have looked bad for the federal government.

“Fully investigating the SolarWinds breach would also have required [SolarWinds], along with Mandiant, Microsoft, and a bevy of other firms, to voluntarily provide data to a panel of cyber experts looking to understand proprietary technologies,” Stone wrote. “It also would have exposed the US government’s failure to prepare for such a threat, despite years-old warnings from the Government Accountability Office that such an incident was possible.”

For its part, the CSRB has indicated reviews are moving forward. Silvers said in October that the board isn’t going to wait for another hacking incident to draft a new report. The board will also look for Congressional authorization—an essential step toward locking in federal funding.—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.