The Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) is poised to reveal details about its next investigation, the board’s chair said today.
“I think we’re going to have an announcement soon,” Rob Silvers, DHS undersecretary for policy and chair of the CSRB, said during a Center for Strategic and International Studies event in Washington, D.C.
Recent speculation suggests the CrowdStrike outage in July is a leading candidate for the CSRB’s next investigation. Members of Congress, such as Rep. Ritchie Torres, D-N.Y., have also called on the CSRB to investigate the CrowdStrike outage.
When asked if the board might investigate the global computer outage caused by a flawed CrowdStrike software update, Silvers mentioned that the board follows specific criteria for selecting incidents but did not provide further details.
“One of the questions we often get is, how is it decided what incidents will come under review? And [there’s] a list of criteria that are considered,” Silvers said. “Was it a high-impact, severe incident? Was it the type of incident where a deep study would likely yield new facts and new lessons learned? Has it been closely studied and scrutinized? And is there an element of discretion where it would be in the national interest to review it?”
The CSRB, established by President Biden in 2021, is a public-private initiative composed of government and industry leaders. It examines major cybersecurity events to understand their causes, responses, and mitigations, and provides recommendations based on its findings.
The Cybersecurity and Infrastructure Security Agency manages, supports, and funds the board. The board has previously examined the Log4j vulnerability and the Lapsus$ hacker group.
The board’s most recent review was a report on security failures at Microsoft, which allowed Chinese spies to access unclassified email accounts of senior U.S. officials at the State and Commerce departments.
In a 34-page report released in April 2024, the CSRB called out Microsoft for its security culture, describing it as “inadequate” and in need of “an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”