DHS policy lead calls on Congress to permanently authorize cyber review board

DHS is asking Congress to help the Cyber Safety Review Board with legislative authorities, funding and subpoena powers to aid its cyber incident investigations.

The Department of Homeland Security’s Cyber Safety Review Board may soon announce its latest review, as a top DHS official also calls on Congress to authorize the CSRB into law.

After releasing a blistering review of Microsoft’s cloud security practices in January, the DHS board has yet to follow up with its next project. But Rob Silvers, under secretary of homeland security for policy and chairman of the CSRB, signaled the board’s next project could be unveiled shortly.

“I think we’re going to have an announcement soon,” Silvers said during an event today hosted by the Center for Strategic and International Studies.

When asked, Silvers did not specify whether it would be related to this summer’s global Crowdstrike outage, which was connected to a faulty software update rather than a cyber incident. But he did describe the general criteria for a CSRB investigation.

“Was it a high-impact, severe incident? Was it the type of incident where a deep study would likely yield new facts and new lessons learned? Has it been closely studied and scrutinized? And is there an element of discretion where it would be in the national interest to review it?” Silvers said.

As part of his sweeping 2021 cyber executive order, President Joe Biden established the CSRB to investigate significant cyber incidents. The board is loosely modeled after the National Transportation Safety Board.

Earlier this year, DHS sent Congress a legislative proposal to codify the CSRB into law. Silvers called on Congress to provide funding for the board as well.

“These are very complex situations that we’re reviewing, and it’s a really deep dive factual investigation,” he said. “You have to write it all up, and you have to coordinate interviews with so many companies and experts. It’s a lot of work, and so we need the resources to do it.”

The EO gives discretion to the president, the secretary of homeland security, and the director of the Cybersecurity and Infrastructure Security Agency to initiate a new review. DHS’s legislative proposal would also allow the board itself to initiative a review with a two-third majority vote.

Silvers said that change would lend a “norm of independence” to the CSRB.

“There is an understanding that the experts on this board may have good ideas of their own, and if there’s a majority that wish to proceed in a direction, that should be encouraged, too,” he said.

The board includes a mix of government and industry representatives. Heather Adkins, vice president for security engineering at Google, currently serves as deputy chairwoman of the CSRB.

Some have criticized the board for including industry members. A witness before the Senate Homeland Security and Governmental Affairs Committee earlier this year compared it to Boeing participating in NTSB investigations.

But Silvers argued that participation of industry lends credibility and expertise to the CSRB’s work.

“You need to have both those in the federal government that have so many of the tools and authorities to do cyber defense and to elevate the overall cyber level of defense in this country, but you also need to have the company representatives of companies and industry and researchers that truly understand how these things play out in the field and how the board can best speak practically to the network defender community,” Silvers said.

Microsoft review fallout

The review board made a big splash when it released the Microsoft review, which castigated the technology giant for a “cascade” of cybersecurity shortcomings. The board concluded Microsoft’s “avoidable errors” ultimately allowed Chinese hackers to infiltrate the emails of top U.S. officials last year.

Microsoft leaders took responsibility for the findings. But during a June congressional hearing, Microsoft President Brad Smith was critical of how Microsoft’s competitors weaponized the CSRB report. He also criticized the presence of competitors on the board, even though Google’s Adkins and others recused themselves from the Microsoft review.

“We are not adversaries with each other, even though we may compete with each other,” Smith said during the June 13 House Homeland Security Committee hearing. “The adversaries are our foreign foes. So let’s try to exercise a little self restraint about how we work in these processes, because I don’t think that the next company that gets an invitation from the CSRB is likely to be necessarily as willing as we were to share everything, which we did.”

During today’s CSIS event, Silvers applauded Microsoft for being a “fulsome participant” in the review. But Silvers also defended the board’s objectivity and processes.

“Will others not cooperate going forward, because this board speaks directly and calls balls and strikes? I don’t know,” Silvers said. “We’re going to find out. I am hopeful because this board has credibility. Sure, sometimes we call balls, sometimes we call strikes, but no one has ever criticized the underlying substance of what we’re saying. I think that we are viewed as giving everyone a fair shake, and I’m hopeful that companies will cooperate.”

DHS’s legislative proposal would give the board limited subpoena authority in case individuals or organizations don’t voluntarily participate in a review. Only government members of the CSRB would be able to vote for an administrative subpoena.

“So that in those rare cases where a company that’s under review will not cooperate, we have the ability to get the needed information so that we can serve the public interest of shedding light,” Silvers explained. “But so far, we haven’t needed to do that.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories