The CSRB conducted an exhaustive review of the events surrounding the December 2021 disclosure of a vulnerability in #Log4j, which led to one of the most intensive cybersecurity responses in history. Highlights from the report 🧵 1/
#Log4j is one of the most serious software vulnerabilities ever. It’s an endemic vulnerability and unpatched versions will remain in systems for years to come, perhaps a decade or longer. The #Log4j event is not over. Risk remains and network defenders must stay vigilant. 2/
Many companies could not quickly identify where in their environments they had vulnerable code, revealing opportunities to increase software transparency and capacity to respond quickly to newly discovered vulnerabilities. 3/
The CSRB raised concerns over Chinese government regulations on vulnerability disclosure, which could be used to get early access to newly discovered vulnerabilities to exploit for malicious purposes. The report outlines what the Board heard from the Chinese government. 4/
This event highlighted security risks unique to the thinly resourced, volunteer-led open source software community. Industry & the federal government must commit more resources to supporting open source software security. 5/
Software developers often do not have access to training programs in secure software development practices. The CSRB recommended that universities and community colleges should require a cybersecurity component for all #ComputerScience degrees & certifications. 6/
Today the Cyber Safety Review Board is proud to release its first-ever report on the #Log4j vulnerability. Learn more ⬇️ cisa.gov/sites/default/…
The CSRB is a groundbreaking public-private partnership. Never before have industry and government #cyber leaders come together in this way to review serious incidents, identify what happened & advise the entire community on how we can do better in the future.
Directed by @POTUS in his EO on Improving the Nation’s Cybersecurity, @SecMayorkas launched the CSRB. I’m proud to serve as Chair alongside Deputy Chair Heather Adkins of Google.
Last week, I was in Qatar and the UAE for important engagements to expand security cooperation between the United States and each nation, and to advance key homeland security arrangements and objectives. Read more 👇 dhs.gov/news/2022/07/1…
I signed several arrangements with Prime Minister and Interior Minister @KBKAIThani to deepen @DHSgov security partnerships on aviation security and visa fraud, including support for Qatar’s preparations to host a safe and secure @FIFAWorldCup. dhs.gov/news/2022/07/0…
.@DHSgov will strengthen its collaboration with Qatar on cybersecurity policy, and we will share information on cyber threats as part of new security arrangements we signed.