Biden Forms Cybersecurity Board to Probe Failures

The board, officials have said, is modeled loosely on the National Transportation Safety Board, which investigates and issues public reports on airplane crashes, train derailments and other transportation accidents. The new panel’s authority derives from an executive order that President Biden signed in May to improve federal cybersecurity defenses.

The cyber board isn’t an independent agency like the transportation board and will instead reside within the Department of Homeland Security. It will have 15 members—three times as many as the full complement of the transportation board—from government and the public sector who don’t need to be confirmed by the Senate. It lacks subpoena power, unlike the transportation board.

Homeland Security Secretary Alejandro Mayorkas said in an interview that the cyber board was intended to draw solutions to future problems from past cybersecurity crises, rather than casting blame where shortcomings are identified.

“It is not a regulatory authority, it is not a board that is searching for or focused upon accountability or fault,” Mr. Mayorkas said. “We are going to be looking at ourselves, we are going to be looking at one another, and that really underscores the purpose of this board—to not focus on fault.”

Rob Silvers, the undersecretary for policy at DHS and a lawyer with experience in cybersecurity issues, will chair the review board. Heather Adkins, senior director of security engineering at Alphabet Inc.’s Google, has been tapped as the vice chair.

Several government agencies, including the National Security Agency and other parts of DHS, have expansive cybersecurity missions that include protecting the federal government and assisting the private sector. Officials said the new board was necessary to combine the expertise of government officials and private-sector researchers to study high-profile cybersecurity episodes and share comprehensive findings with the public.

“This is something that has been missing from the ecosystem until now,” Mr. Silvers said of the Cyber Safety Review Board, which he said will draw personnel support and funding from the Cybersecurity and Infrastructure Security Agency, DHS’s cybersecurity wing.

Mr. Silvers said the board expects to finish by May its probe of the vulnerabilities related to the open-source software logging tool called Log4j. It is a free piece of code that logs activity in computer networks and applications, and officials have warned that it is likely one of the gravest cybersecurity vulnerabilities on record.

Researchers have said the Log4j flaw, publicly disclosed in December after its discovery by a Chinese security team, was particularly worrying because the free Java-based software is used in a range of products including security software, networking tools and videogame servers. The exact number of users of Log4j is probably impossible to know, but the software has been downloaded millions of times, according to the organization that builds it, Apache Software Foundation.

Other members of the 15-person board include Rob Joyce, the top cybersecurity official at the National Security Agency; John Carlin, principal associate deputy attorney general; National Cyber Director Chris Inglis ; Dmitri Alperovitch, co-founder of the Washington-based Silverado Policy Accelerator think tank; and Katie Moussouris, a security researcher who pioneered bug-bounty programs as an incentive for reporting computer flaws. Kemba Walden, assistant general counsel for Microsoft Corp. , and Wendi Whitmore, senior vice president of Palo Alto Networks Inc.’s cyber threat team, are also on the board.

Democratic Sen. Mark Warner of Virginia, chairman of the Senate Intelligence Committee and co-chairman of the Senate cybersecurity caucus, had pushed for the creation of such a review board to probe major cybersecurity crises.

“It’s only a matter of when, not if, we face another widespread cyber breach that threatens our national security,” Mr. Warner said. “I was glad to see this NTSB-like function included in the president’s May 2021 executive order on cybersecurity, and this is a good first step to establishing such a capability.”

Write to Dustin Volz at [email protected]