Secretary of Homeland Security Alejandro N. Mayorkas announced today, August 11, that the Cyber Safety Review Board (CSRB) will conduct its next review on the malicious targeting of cloud computing environments.
The review will focus on approaches government, industry, and Cloud Service Providers (CSPs) should employ to strengthen identity management and authentication in the cloud. The CSRB will assess the recent Microsoft Exchange Online intrusion, initially reported in July 2023, and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers. The Department began considering whether this incident would be an appropriate subject of the Board’s next review immediately upon learning of the incident in July.
The Board will develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves. Once concluded, the report will be transmitted to President Joseph R. Biden, Jr. through Secretary Mayorkas and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly.
“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure. In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one. Actionable recommendations from the CSRB will help all organizations better secure their data and further cyber resilience.”
The CSRB is a public-private initiative that brings together government and industry leaders to deepen understanding of significant cybersecurity events, including the root causes, mitigations, and responses, and to issue recommendations, based on this fact-finding in the wake of those events.
The CSRB’s first review focused on vulnerabilities discovered in late 2021 in the widely used Log4j open-source software library. Its second review, released yesterday, examined the recent attacks associated with Lapsus$, a global extortion-focused hacker group. The CSRB found that Lapsus$ leveraged simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs and outlined 10 actionable recommendations for how government, companies, and civil society can better protect against Lapsus$ and similar groups.
“We must as a country acknowledge the increasing criticality of cloud infrastructure in our daily lives and identify the best ways to secure that infrastructure and the many businesses and consumers that rely on it,” said CSRB Chair and DHS Under Secretary for Policy Rob Silvers. “The Cyber Safety Review Board is designed to assess significant incidents and ecosystem vulnerabilities and make recommendations based on the lessons learned. To do this work, we bring together the best expertise from industry and government. The Board will undertake a thorough review.”
“An effective shared responsibility model requires a persistent focus on potential systemic risks in cloud environments. Organizations around the world place trust in secure identity management and authentication infrastructure to provide essential functions and protect sensitive data,” said CISA Director Jen Easterly. “The Board’s findings and recommendations from this assessment will advance cybersecurity practices across cloud environments and ensure that we can collectively maintain trust in these critical systems.”
The CSRB does not have regulatory powers and is not an enforcement authority. Its purpose is to identify relevant lessons learned to inform future improvements and better protect our communities.