
Biden Administration Forms Cybersecurity Review Board To Probe Failures (wsj.com)

The Biden administration has formed a panel of senior administration officials and private-sector experts to investigate major national cybersecurity failures, and it will probe as its first case the recently discovered Log4j internet bug, officials said. From a report: The new Cyber Safety Review Board is tasked with examining significant cybersecurity events that affect government, business and critical infrastructure. It will publish reports on security findings and recommendations, officials said. Details of the board will be announced Thursday. The board, officials have said, is modeled loosely on the National Transportation Safety Board, which investigates and issues public reports on airplane crashes, train derailments and other transportation accidents. The new panel's authority derives from an executive order that President Biden signed in May to improve federal cybersecurity defenses.

The cyber board isn't an independent agency like the transportation board and will instead reside within the Department of Homeland Security. It will have 15 members -- three times as many as the full complement of the transportation board -- from government and the public sector who don't need to be confirmed by the Senate. It lacks subpoena power, unlike the transportation board. Homeland Security Secretary Alejandro Mayorkas said in an interview that the cyber board was intended to draw solutions to future problems from past cybersecurity crises, rather than casting blame where shortcomings are identified.


  • by WoodstockJeff ( 568111 ) on Thursday February 03, 2022 @12:52PM (#62234127)

    It is vital to know why some things succeed, not just how other things failed.

    • It's hard to probe cybersecurity successes, when "success" merely means "hasn't been broken yet."

      • by Tom ( 822 )

        If "yet" is a long enough period under enough exposure, that's absolutely a mark for success.

        In fact, that's how we test material things. We put it under pressure and check if it breaks. Sometimes, we can't get it to break. If we put 100t on it and it's still standing, we feel comfortable writing "can carry 50t" on it. (yes, we leave a margin of error)

    • I would imagine that if all the members of the "Cyber Safety Review Board" (pompous enough title?) were to chip in, say, 1% of their salaries, enough money would be raised to hire several proper software security experts to fix the problems.

      As it is, the announcement looks like a savage satire on modern US (and UK) government.

      Here we have a small piece of useful software, written and maintained free of charge by volunteers. After many years, it turns out not to be completely proof against attack by determin

    • They've already done this. There was the Building Security In initiative and other stuff put out on what works. The way it works is that there is a weakness or vulnerability that is exploited and that results in a cybersecurity breach. The companies involved in developing and deploying these systems can and do know about this yet the incentive to actually create a secure system is low. One reason is the NSA wants the vulnerability to exploit. Remember Eternal Blue that was used in Stuxnet? Microsoft di
  • by dark.nebulae ( 3950923 ) on Thursday February 03, 2022 @12:54PM (#62234135)

    Great job for a bunch of ass-hat politicians that will never understand what the vulnerabilities actually were and, more importantly, what they were not.

    I'm constantly having conversations with clients that no, just because they have such and such version does not mean they are automatically vulnerable, they'd have to be using such and such feature first which I know they are not, blah blah blah.

    The last thing we need is a bunch of know-nothing politicians who know squat about technology coming in to review what is going on...

    • Fairly frequently I come into contact with people who thought their sophisticated understanding of vulnerabilities means they understood they aren't susceptible to the latest POC code circulating. I'm not trying to paint you with this brush, but there is a potentially dangerous line of reasoning here that needs to be pointed out.

      While in the main people that carefully analyze vulns can often be right about the most recent thing, what they sometimes don't notice is that their careful analysis can become a r

    • Great job for a bunch of ass-hat politicians that will never understand what the vulnerabilities actually were and, more importantly, what they were not.

      Starting with log4j. What it was not was a bug. It was a feature that someone added on purpose, and no one else piped up to say, "Wait, no, that's stupid!"

  • by know-nothing cunt ( 6546228 ) on Thursday February 03, 2022 @01:12PM (#62234195)

    Before cyberposting any more cybercomments, please cyberprefix every cybernoun, cyberverb, and cyberadjective with "cyber."

    Sincerely,

    The Cybercommittee of Cyberspelling Cybernazis

  • TURBULENT and TURMOIL **REQUIRE** our computing to be insecure.

    That is the heart of the problem.

    From the NSA/CIA hoarding vulnerabilities to be leveraged by the above programs (if you're not familiar with them, you bloody well should be) and not letting vendors know and closing them, to this whole stupid POLICY of spying on EVERYONE because those who are influential in our governments are downright involved in criminal behaviour and are scared shitless we will find out about what they have been up to. Look at

  • by Tom ( 822 )

    Here are the top three reasons cybersecurity is pathetic that I'm sure they will NOT be looking into:

    1. The focus on quarterly results - pressure to put out a profitable product NOW means shortcuts are taken during development. Many security issues are the result of software bugs. Many of those bugs could be avoided with more resources devoted to quality.

    2. Common tools - putting more powerful tools into the hands of everyday users means putting more exploit potentials into the hands of millions of easy marks. Ma
