The Cyber Safety Review Board (CSRB) will assess the recent Microsoft Exchange Online intrusion and conduct a broader review of issues relating to cloud-based identity and authentication infrastructure, Secretary of Homeland Security Alejandro Mayorkas announced today.
The review will focus on the malicious targeting of cloud computing environments, and, specifically, approaches government, industry, and Cloud Service Providers (CSPs) should employ to strengthen identity management and authentication in the cloud.
“Organizations of all kinds are increasingly reliant on cloud computing to deliver services to the American people, which makes it imperative that we understand the vulnerabilities of that technology,” Secretary Mayorkas said. “Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure.”
“In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one. Actionable recommendations from the CSRB will help all organizations better secure their data and further cyber resilience,” he added.
Microsoft announced in mid-July that it had taken action to mitigate China-based cyberattacks that exposed email account information of U.S. government agencies and other organizations, along with customer accounts of people tied to those agencies and organizations.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI confirmed that at least one Federal civilian agency was a target of the attacks. A CISA official emphasized that the attack appeared to have been narrowly scoped, quickly rooted out, and that classified information was not exposed.
The CSRB’s third review will dive into the Microsoft hack and develop actionable recommendations that will advance cybersecurity practices for both cloud computing customers and CSPs themselves. Once concluded, the report will be transmitted to President Biden through Secretary Mayorkas and CISA Director Jen Easterly.
“We must as a country acknowledge the increasing criticality of cloud infrastructure in our daily lives and identify the best ways to secure that infrastructure and the many businesses and consumers that rely on it,” CSRB Chair and DHS Under Secretary for Policy Rob Silvers said. “The Cyber Safety Review Board is designed to assess significant incidents and ecosystem vulnerabilities and make recommendations based on the lessons learned. To do this work, we bring together the best expertise from industry and government. The Board will undertake a thorough review.”
The CSRB is an unprecedented public-private initiative that brings together government and industry leaders to deepen understanding of significant cybersecurity events, including the root causes, mitigations, and responses, and to issue recommendations based on this fact-finding in the wake of those events. DHS’s CISA manages, supports, and funds the board.
The CSRB’s first review focused on vulnerabilities discovered in late 2021 in the widely used Log4j open-source software library. Its second review, released yesterday, examined the recent attacks associated with Lapsus$, a global extortion-focused hacker group.
The CSRB found that Lapsus$ leveraged simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs and outlined 10 actionable recommendations for how government, companies, and civil society can better protect against Lapsus$ and similar groups.
“An effective shared responsibility model requires a persistent focus on potential systemic risks in cloud environments. Organizations around the world place trust in secure identity management and authentication infrastructure to provide essential functions and protect sensitive data,” said CISA Director Easterly. “The Board’s findings and recommendations from this assessment will advance cybersecurity practices across cloud environments and ensure that we can collectively maintain trust in these critical systems.”