Witnesses told members of Congress today that the Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) should be an independent entity with a clear and transparent process for how it selects its board members and the incidents it investigates.
The CSRB – established by President Biden’s cybersecurity executive order in 2021 – investigates past cybersecurity incidents and recommends how entities can prevent similar threats in the future.
Thus far, the CSRB has released two reports: one on the Log4j software vulnerability and one on the Lapsus$ hacking group. It is currently in the middle of its third review on the recent Microsoft Exchange Online intrusion and cloud security as a whole.
“Although the CSRB is fairly new and has begun to help combat serious cyber threats, there’s clearly more it can do to support our nation’s cybersecurity,” Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., said today during a full committee hearing.
With the Biden administration seeking to codify the CSRB in Federal law, as outlined in the National Cybersecurity Strategy, the committee invited witnesses from the cybersecurity field to recommend improvements to the board. Independence and transparency emerged as the two main areas for improvement.
“First, please fund an independent civilian agency staffed with full-time investigators,” said Tarah Wheeler, CEO of Red Queen Dynamics. “The two CSRB reports so far have had very simple consensus-based resolutions … but that’s not necessarily useful information. The goal of CSRB investigations should be to help us learn from the process of the incident, how to not repeat our mistakes.”
“Second, do not introduce classified information into investigations or require clearances to sit on the CSRB,” Wheeler added. “The CSRB must build trust by operating openly as the stakes grow higher in cyberspace – lack of transparency around how people are currently nominated to the CSRB and how the board selects which investigations they pursue may decrease trust in its impartiality.”
John Miller, the senior vice president of policy and general counsel at the Information Technology Industry Council (ITI), agreed with Wheeler, noting that board members need to be selected through “a clear and transparent process.”
That way, Miller said, the board can avoid real or perceived conflicts of interest among its members. He added that while private sector entities have a lot to contribute to the CSRB, the board needs a clear “process for recusal” when a member's interests overlap with an incident under review.
Miller also noted that the board should increase transparency around the cyber incidents it chooses to review.
“The criteria and methodology for selecting which incidents to investigate must be clearly communicated and well understood across impacted stakeholders, including the business community,” Miller said. “Policymakers should ensure that reviews of incidents are selected and based on a clear, publicly released set of criteria that is developed in conjunction with stakeholders.”
The ITI executive said this is especially important as DHS’s Cybersecurity and Infrastructure Security Agency (CISA) is currently developing regulations to implement the new Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), “including the criteria to designate covered entities and incidents.”
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, added that the board’s “independence both in the conduct of its investigation and the selection of incidents” is what distinguishes it from other government entities that conduct similar cyber reviews.
“The board’s ability to pick the most important or the most complex and tricky failures is, in some ways, its greatest value and puts it, in my mind, a step apart from most of the existing mechanisms,” Herr said.
“We plan to continue to be actively engaged in looking at reforms and perhaps codifying some of the rules that are in place right now and would welcome your further input,” Chairman Peters told the witnesses in his closing statement.
“Certainly, as we heard today, the Cyber Safety Review Board has, I believe, the potential to make great and important contributions to the cybersecurity ecosystem, but there are still some important issues that we need to address,” he concluded.