Rep. Ritchie Torres, D-N.Y., is planning to introduce a bill that would codify the Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) following Friday’s Microsoft outage linked to the cybersecurity giant CrowdStrike.
The widespread outages – affecting Federal government agencies, airlines, banks, hospitals, and other essential sectors worldwide – were caused by a defective update to CrowdStrike’s Falcon security software that the cyber firm pushed to Windows operating systems early Friday morning.
“When a cyber event happens, be it an attack or an accident, there should be an automatic process by which the Federal government investigates the causes, learns from the failures, and translates the lessons learned into public policy,” Rep. Torres said in a statement to MeriTalk.
“Enter the Cyber Safety Review Board, which exists not by statute but by executive order. In the wake of the widespread outages that have shaken the global economy, I am introducing legislation that would codify in statute the Cyber Safety Review Board so that no future presidential administration could abolish it,” he said.
On Friday, Rep. Torres also sent a letter to Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly to request that DHS – in partnership with its CISA component and the CSRB – conduct a joint investigation of the CrowdStrike outage.
In the letter, obtained by MeriTalk, the congressman requested that DHS coordinate with other Federal agencies “to ascertain what policies can be put in place and what investments can be made to secure our critical infrastructure systems from threat actors who wish to do us harm.”
The CSRB is a public-private initiative that brings together government and industry leaders to better understand significant cybersecurity events. The board investigates root causes, mitigations, and responses, and it then issues recommendations based on its findings. CISA manages, supports, and funds the board.
The CSRB’s first review focused on vulnerabilities discovered in late 2021 in the widely used Log4j open-source software library. In its second review, the board examined the 2021-2022 attacks associated with Lapsus$, a global extortion-focused hacker group.
The CSRB’s third and most recent review analyzed the summer 2023 Microsoft Exchange Online intrusion, attributing the success of the China-based hack to “a cascade of security failures at Microsoft” and an “inadequate” security culture at the company.
The board has yet to announce its next review, but given the significance of the CrowdStrike outage, it is likely a top contender for the CSRB’s fourth review.