US Cyber Board to probe cloud security after latest Exchange hack

The US Cyber Safety Review Board (CSRB) is to conduce a review of cloud cyber security, focusing on what government bodies, industry and cloud service providers need to do better to strengthen identity management and authentication in the cloud.

The probe comes in the wake of the July 2023 Microsoft Exchange Online incident, which will form a key line of inquiry.

The incident saw Chinese cyber spies access email data cross multiple organisations, including government agencies, using forged authentication tokens via a stolen Microsoft account consumer signing key. “Organisations of all kinds are increasingly reliant on cloud computing to deliver services … which makes it imperative that we understand the vulnerabilities of that technology,” said Homeland Security secretary Alejandro Mayorkas.

“Cloud security is the backbone of some of our most critical systems, from our e-commerce platforms to our communication tools to our critical infrastructure,” he continued. “In its reviews of the Log4j vulnerabilities and activities associated with Lapsus$, the CSRB has proven itself to be ready to tackle and examine critical and timely issues like this one.

“Actionable recommendations from the CSRB will help all organisations better secure their data and further cyber resilience,” said Mayorkas.

“We must … acknowledge the increasing criticality of cloud infrastructure in our daily lives and identify the best ways to secure that infrastructure and the many businesses and consumers that rely on it,” said CSRB chair and DHS undersecretary for policy Rob Silvers.

“The CSRB is designed to assess significant incidents and ecosystem vulnerabilities and make recommendations based on the lessons learned,” he said. “To do this work, we bring together the best expertise from industry and government. The Board will undertake a thorough review.”

CISA director Jen Easterly, through whom the CSRB will ultimately report, added that the review’s findings and recommendations would help advance cyber security best practice across cloud environments.

The CSRB was established at the direction of President Biden in February 2022, in the immediate aftermath of the Log4j crisis, which formed the basis of its first review.

It’s a public-private initiative within the Department of Homeland Security, with board members drawn from across government and industry, including tech and cyber experts from the FBI and NSA, and the likes of Google vice-president of security engineering Heather Adkins, CrowdStrike co-founder Dmitri Alperovitch, Chris Novak of the Verizon Threat Research Advisory Centre, and Palo Alto Networks’ Unit 42 senior vice-president, Wendi Whitmore.

Earlier in August, the board published a major review on the 2022 Lapsus$ attacks, in which it concluded there had been a “collective failure” across multiple organisations to account for the risks associated with using text messaging and voice calls as an element of multi-factor authentication (MFA).

It was by taking advantage of MFA failings that the Lapsus$ group was able to access the networks of victims including BT, Nvidia, Okta, Revolut, Rockstar Games and Uber.

A British teenager arrested in March 2022, who has since attained the age of 18 and as such can now be publicly named as Arion Kurtaj, has been charged with 12 offences relating to the attacks, but has been assessed by psychiatrists as unfit to stand trial.