The Cyber Safety Review Board continues to lack the authorities and independence from the private sector that it needs in order to effectively investigate major cybersecurity incidents, a panel of experts told Congress on Wednesday.
Conceived as an analogue to the National Transportation Safety Board — the independent body charged with investigating accidents in airplanes, trains and other forms of public transportation — the CSRB was created via executive order in 2021 and is charged with reviewing major incidents in cyberspace.
But in a hearing before the Senate Homeland Security and Governmental Affairs Committee, experts told Congress that the board lacks the authorities that have made the NTSB so effective at reducing major transportation accidents and that it is too dependent on the participation of corporations that it is supposed to investigate.
“If the NTSB worked like the CSRB does now, investigations would be conducted by the FAA Administrator, the chief pilot of Boeing and the chief revenue officer of Delta Airlines,” Tarah Wheeler, a cybersecurity expert and the CEO of Red Queen Dynamics, told lawmakers.
Today, the CSRB is made up of representatives from federal agencies as well as from major tech and cybersecurity companies like Google, CrowdStrike, Verizon and Palo Alto Networks. That means in some cases, board members may be expected to investigate failures or breakdowns within their own technologies or those of competitors.
“Many individuals on the CSRB are beloved and respected, but they do have full-time jobs and they do not have the time, freedom or authority to conduct independent, thorough investigations,” Wheeler said.
Heather Adkins, co-chair of the CSRB and vice president of security at Google, has already announced that she will recuse herself from an upcoming review of Microsoft Exchange intrusions last year that resulted in the compromise of multiple U.S. government email accounts.
Wheeler and other witnesses argued that the board is uniquely positioned to help the federal government and businesses learn from past cybersecurity incidents with widespread consequences — such as the 2021 Log4J vulnerability — but that the body must first be reformed to be more independent and transparent about its actions.
While the board’s work is critical to identifying weak points in the cybersecurity ecosystem, it lacks a full-time staff who can investigate major cyber attacks untethered from broader industry or political influences, Wheeler said. And unlike the NTSB, the CSRB does not have the power to subpoena the companies it is investigating.
Maintaining independence when investigating computer breaches is essential to an investigation’s integrity. Drawing on her experience in carrying out incident response, Wheeler said that she has experienced cases in which she attempted to conduct an earnest investigation into an incident only to be told to “shut up” by a legal department concerned with how the findings may blow back onto the company.
Trey Herr, the director of the Cyber Statecraft Initiative at the Atlantic Council, a think tank based in Washington D.C., echoed many of Wheeler’s criticisms and called for more transparency around how the board selects its members and which incidents or topics will be subject to review.
What makes the CSRB unique, Herr said, is its ability to conduct root cause analysis of larger cybersecurity failures “without addressing fault,” its notional independence and its focus on unspooling long-term, complex cybersecurity breakdowns that cut across different products, industries and use cases.
“No entity in the private sector is positioned or incentivized to do this work justice — incident response firms must consider their status with current and former clients, compromised companies must manage reputation and legal exposure to shareholders and regulators while all lack the luxury of the wide lens required to repeatedly and rigorously investigate the risks borne from the connections between the systems they build, operate, or secure,” Herr said in written testimony submitted to Congress.
Cybersecurity researchers have broadly welcomed the creation of the CSRB, but the body’s completed investigations have raised questions about the quality of its work.
The board’s two reviews thus far — focused on the Log4J vulnerability and the Lapsus$ cybercriminal group — have resulted in what Wheeler described as “very simple, consensus-based resolutions” rather than the kind of detailed, in-depth investigations carried out in the wake of an airplane crash or train derailment.
Wheeler analogized the substance of the CSRB’s findings to an investigation into an airplane accident that determined “the cause of the crash was that the pilot flew into the ground, and in the future [they] should not fly into the ground again.”
“We all agree, but that’s not necessarily useful information. The goal of CSRB investigations should be to help us learn from the process of the incident how to not repeat our mistakes,” said Wheeler, who has written extensively in the past about shortfalls in the CSRB’s approach.
Despite being created in the aftermath of the 2020 Sunburst supply chain attack — which compromised at least nine federal agencies and more than 100 companies by exploiting vulnerabilities in SolarWinds software and other products — the CSRB still has not investigated what is considered to be one of the most consequential cybersecurity incidents in U.S. history, Herr pointed out.
Despite calls for the board to investigate the Sunburst incident, federal officials have provided little clarity as to why the CSRB hasn’t taken up the incident.
At the 2022 Black Hat cybersecurity conference in Las Vegas, Rob Silvers, undersecretary for policy at the Department of Homeland Security and chair of the CSRB, told this reporter only that the decision to forgo a review of the incident was made in consultation with the White House.
“We felt together with the White House that the best use of the board when we launched … was to review Log4J,” Silvers said when asked about the status of a SolarWinds review.
The Senate Homeland Security Committee is working on legislation that would legally codify the CSRB, and the Biden administration has requested that the board be given power to subpoena businesses as part of its investigations.
Subpoena power has been described as central to the success of bodies like the NTSB, giving them the ability to compel testimony, but Wednesday’s witnesses said that the CSRB should not be given similar powers without first making the board more transparent, particularly regarding how members and incidents are selected to avoid real or perceived conflicts of interest among the board’s private sector members.
Following the hearing, Sen. Gary Peters, D-Mich., chair of the committee, told CyberScoop that the committee heard “some very strong testimony” but stopped short of endorsing any of the recommended changes put forth by witnesses in the hearing, saying he was still researching the issue.
“We are considering codifying the board and we’re looking at legislation to do that. As to what that’s going to involve and what it will constitute is still a part of the discussion,” Peters said, adding that he plans on doing “a deeper dive into this issue before we move forward with any specific piece of legislation.”