Congress is considering updates to the Cyber Safety Review Board, as some experts say the CSRB needs more independence and transparency, while lawmakers also eye giving subpoena powers to the investigative panel.
President Joe Biden directed the establishment of the review board under the Department of Homeland Security as part of his sweeping May 2021 cybersecurity executive order. The board was created to investigate major cyber incidents, similar to how the National Transportation Safety Board investigates major aviation, railway and other transit accidents.
Under a legislative proposal released last year, DHS asked lawmakers to formally establish the CSRB in law and grant it administrative subpoena powers. But experts testifying before a Senate Homeland Security and Governmental Affairs Committee hearing on Wednesday said Congress should make some tweaks to the CSRB before putting those powers into law.
“Although the CSRB is fairly new, and has begun to help combat serious cyber threats, there’s clearly more it can do to support our nation’s cybersecurity,” Committee Chairman Gary Peters (D-Mich.) said at the outset of the hearing.
Tarah Wheeler, chief executive of cybersecurity firm Red Queen Dynamics, said the CSRB should ideally be an “independent civilian agency staffed with full-time investigators.” She argued the board’s current members “don’t have the time, freedom or authority” to conduct thorough, independent investigations into major cyber incidents.
“If the NTSB worked like the CSRB does now, NTSB investigations would be conducted by the FAA administrator, the chief pilot at Boeing and the chief revenue officer of Delta Airlines,” Wheeler said.
The board’s chairman is Rob Silvers, DHS’ deputy under secretary for policy. The deputy chairwoman is Heather Adkins, vice president of security engineering at Google. Out of the CSRB’s 15 members, seven are from industry or non-federal organizations, while eight are federal officials.
“It’s difficult to imagine how the independence of a board can be established when everyone there is carrying the weight and responsibility of a whole other organization with them into those meetings,” Wheeler said.
John Miller, general counsel at the Information Technology Industry Council, said even ITI’s members are conflicted about how to approach the balance of membership in the CSRB. ITI represents major technology companies, including Amazon, Google and Microsoft.
“The one thing that I think is clear is that if there is private sector participation in the board, and I represent private sector companies . . . there really should be clear membership selection processes, and there should really be a very clear process for recusal and making sure that we don’t have either real or perceived conflicts of interest or business advantage,” Miller said.
Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, argued it will be nearly impossible to have a review board without any potential conflicts of interest, given the role many agencies and industry representatives play in cyberspace.
“A CSRB whose every member has no potential for conflict would be a board so disconnected from these systems, and the systems that it investigates as to make its work nearly meaningless,” Herr said.
He argued for “a core of full time members and a substitution process to swap in prospective board members with similar expertise for those recused where feasible, especially when demanded by a specialized incident.”
Experts also questioned the board’s process for selecting the cyber incidents it will investigate. Miller said while the Log4j investigation made sense, many in industry questioned why the CSRB chose to investigate the Lapsus$ cyber gang.
“It really seemed to be reiterating a lot of recommendations that others had already made and others had focused on,” Miller said.
Herr and other experts argued the board should stay focused on investigating specific cyber incidents, not threat groups or broader trends in cyberspace.
“It would strengthen the CSRB’s independence to link the selection of cases to clear and public criteria with a mandate that the board regularly reflect and review both the cases selected and the requirements of these criteria in view of a changing technology landscape,” Herr said.
Meanwhile, all the experts generally agreed that the board should be granted subpoena power, but not without changes to how the CSRB operates.
“The CSRB as it is structured now absolutely should not have subpoena power,” Wheeler said. “Use of this power by industry representatives on the current board could be seen as anticompetitive. Use of that subpoena power by government officials could be seen as backdoor regulatory action. But if the CSRB were independent, it should absolutely have the power to compel information and testimony.”
Miller argued it’s premature to grant the CSRB subpoena power until the Cybersecurity and Infrastructure Security Agency comes out with more information about its cyber incident reporting regulations. Those are due later this spring.
“If the CSRB is going to continue to have private sector members on its board, even if you insulate them from the decision making process as to whether to issue a subpoena, it does at the very least create some apparent conflicts of interest when you have members of the private sector subpoena another member of the private sector who might be competitors,” Miller said.
But Herr said the board will need subpoena authority to fully investigate cyber incidents.
“For the board’s ability to investigate large complex incidents where there is profit motive to protect potentially some of that information in play, and this committee and others have seen that challenge and investigating complex issues within the technology industry, the subpoena can be a basic and useful mechanism as part of that,” Herr said.
Moving forward with the CSRB, Peters said the committee plans to “continue to be actively engaged in looking at reforms, and perhaps codifying some of the rules that are in place right now.”