DHS creates Cyber Safety Review Board to review significant cybersecurity incidents

Following President Biden’s cybersecurity executive order issued last May, the Department of Homeland Security (DHS) announced on February 3 the creation of the Cyber Safety Review Board (CSRB). This public-private initiative is charged with reviewing and assessing significant cybersecurity incidents across government and the private sector. “The CSRB will provide a unique forum for collaboration between government and private sector leaders who will deliver strategic recommendations to the President and the Secretary of Homeland Security,” DHS said in announcing the statement.

The CSRB will start with 15 top cybersecurity leaders from the federal government and the private sector, including Robert Silvers, DHS undersecretary for policy, who will serve as chair, and Heather Adkins, Google’s senior director for security engineering, who will serve as deputy chair. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will manage, support and fund the board. CISA Director Jen Easterly is responsible for appointing CSRB members, in consultation with Silvers, and convening the board following significant cybersecurity events.

Other board members include several cybersecurity industry luminaries, including  Dmitri Alperovitch, co-founder and chairman, Silverado Policy Accelerator, and co-founder and former CTO, CrowdStrike; Katie Moussouris, founder and CEO, Luta Security; Chris Novak, co-founder and managing director, Verizon Threat Research Advisory Center; Tony Sager, senior vice president and chief evangelist, Center for Internet Security; Kemba Walden, assistant general counsel, Digital Crimes Unit, Microsoft; and Wendi Whitmore, Senior vice president, Unit 42, Palo Alto Networks.

According to the CSRB’s charter, the board’s duties are solely advisory. Meetings will be held at the direction of CISA’s director following a cybersecurity incident that would trigger the creation of a Unified Coordination Group (UCG), a body formed to address emerging threats. The estimated annual cost of operating the CSRB is approximately $2.8 million, including administrative expenses, contract support, and five full-time employees.

DHS says the CSRB’s first review will focus on the vulnerabilities discovered in late 2021 in the widely used open-source Log4j software library. It’s worth noting that Biden’s executive order stipulated that the board’s initial review “shall relate to the cyber activities that prompted the establishment of a UCG in December 2020,” referring to the damaging SolarWinds supply chain infection.

NTSB is an imperfect comparison

Officials have said that the CSRB is loosely modeled on the National Transportation Safety Board (NTSB), an independent regulatory agency housed within the Department of Transportation that investigates transportation accidents such as airplane crashes and train derailments. However, some experts think the NTSB model is an imperfect comparison and highlight the distinct challenges and opportunities CSRB faces as it seeks to protect the nation’s networks and infrastructure better.

Suzanne Spaulding, a former DHS official and currently a senior adviser for homeland security at the Center for Strategic and International Studies (CSIS), tells CSO, “The NTSB is operating in a heavily regulated sector that appreciates [its role] and understands that without something like the NTSB, they would have a hard time getting people to climb into that metal tube hurling through the air at high speeds. Those conditions do not exist by and large in the world that the cybersecurity review board will be operating in.”

Mike Danko, an aviation attorney who works closely with the NTSB, also highlights the lack of regulation in cybersecurity as a factor that distinguishes the CSRB from the NTSB. “We have an industry, aviation, that’s highly regulated and where you have players who oftentimes are unhappy with the regulation, but nonetheless have some joint interest in safety,” he tells CSO.

CSRB’s investigative power is unclear

Another difference that sets the CSRB apart from the NTSB is that “they don’t have subpoena authority,” Spaulding says.

Gary Halbert, a partner at Holland and Knight, agrees that it seems that the CSRB lacks the investigative authority of the NTSB. “The NTSB has a fairly strong record of identifying causation, but they’ve got the ability to do the factual discovery that provides a basis on which to draw their conclusions,” he tells CSO. “With this new entity, you wonder where are the factual investigations going to be conducted? Is it going to be conducted by existing agencies? I don’t think this new entity has any type of investigative authority from the way it sounds.”

Danko, however, says the NTSB rarely uses its subpoena power. “As far as I know, I’ve never been involved in a case where the NTSB has subpoenaed anyone.” Among the reasons Danko cites for the NTSB’s failure to invoke this power is that “it believes that subpoenaing or using that power is antithetical to getting the truth. Basically, it wants to go to a mechanic or supplier and say, ‘Hey, what happened? This isn’t under oath. We’re not going to come after you. Don’t worry about it. This is off the record.’ And they feel that that is part of the process. Despite the fact that they can subpoena, they just don’t.”

Earning trust is crucial

Among the challenges that the CSRB will face is earning the cybersecurity sector’s trust. “They are going to have the challenge to earn the trust of the folks they’re trying to work with, and that’ll be critical,” Spaulding says. “But they’ve got the right people. I think they can build trust.”

Halbert says the NTSB earned the trust of the industry, Congress, and the American public slowly over time as it evolved into an independent agency with statutory and regulatory authority to gather evidence and information. The CSRB will need to “establish its reputation such that any findings or recommendations that come from its that work will gain traction both within the government and with the private sector,” he says.

“Everybody loves the NTSB,” Danko says. “They come out after a crash, they speak well, they seem to know what they’re doing. They’re solemn, and they don’t appear to have an ax to grind.”

Funding could be a long-term problem

Another challenge over the long haul for the CSRB will be funding. The initial budget of $2.8 million won’t go very far when the federal government is struggling to recruit cybersecurity specialists who are offered substantial six figures annual salaries by the private sector.

The lack of funding chronically hampers the work of the NTSB, Danko says. “When a plane crashes, what do you want to do? You want to secure the wreckage and put it in storage. They have no budget for that. They have to sweet talk some farmer to go out and pick up the wreckage and put it in his barn. There’s no budget for anything.”

If the board proves itself, it might be able to finagle more funding from Congress or at least more power in the years ahead. “It would not surprise me as…Congress gets a chance to observe how this new entity does its work [and] concludes that its authorities, so to speak, are not adequate for the task,” that CSRB might be granted more power and more authority, Halbert says.