A member of the U.S. House Committee on Homeland Security has reached out to the federal government, urging the administration to examine, through a report, the structure of the Cyber Safety Review Board (CSRB) to address concerns about transparency, accountability, and efficacy as it considers reconstituting the Board. The Board, which was first set up under former President Joe Biden's administration by Executive Order following the 2021 SolarWinds intrusion, was tasked with investigating major cyber incidents. However, the Board has faced several challenges since its inception.
Andrew Garbarino, a Republican from New York and chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, has requested that the report, due by June 13 this year, include answers on how a cyber incident is selected for review by the CSRB. He also seeks input on the selection criteria for CSRB members, and whether these differ for private sector and federal government members. He also asked how part-time membership affected the CSRB’s level of engagement during the review process, analysis, and recommendations.
Additionally, he has called for views on establishing full-time positions on the Board rather than temporarily appointed ones. Information is also requested on how the CSRB decides upon recommendations, whether subpoena authority would help or hinder the CSRB’s ability to perform its reviews under the current construct, and whether the NTSB is the appropriate model for the organization and structure of the CSRB.
The letter from Garbarino to Kristi Noem, Department of Homeland Security (DHS) Secretary, asks for information detailing how incidents are chosen for review, the selection criteria for Board membership, how part-time membership impacts the Board’s engagement, the potential to establish full-time membership, how the Board decides its final recommendations following reviews, and whether subpoena authority would help this review process.
He also expressed concern that the CSRB’s structure inhibited the Board’s ability to fulfill its mandate. “Although the CSRB is often likened to the National Transportation Safety Board (NTSB), this comparison falls short in several ways. The CSRB lacks independence, transparency, and the authorities to perform like the NTSB. Therefore, to ensure any new CSRB’s effectiveness, I request a thorough review of the Board’s structure prior to its reconstitution.”
Garbarino noted that it is impossible to call a body ‘independent’ when its members, who serve on a part-time basis, are selected without clear selection criteria. “Although private sector individuals are required to serve in their personal capacities, that is impossible to guarantee with part-time membership. The cybersecurity ecosystem is too intertwined to absolve members who may work at competitor companies of conflicts of interest, which potentially impacts the CSRB’s ability to produce objective analyses.”
Noting that the lack of transparency about the CSRB’s appointment process may threaten the model and efficacy of the Board, Garbarino observed that industry members regularly interact with CISA, given the Agency’s role as a ‘trusted partner to the public and private sectors.’ “As such, they may curry favor with the CISA Director for an appointment, potentially putting themselves in a position to directly investigate their competitors. Since the selection and recusal process of industry members for the Board is not transparent to Congress or the American people, there is currently no accountability mechanism to prevent conflicts of interest.”
He added that this may deter entities involved in each incident from cooperating with the CSRB, as they may become increasingly reluctant to voluntarily share information with a Board that includes competitor organizations.
Garbarino pointed out that the Biden administration’s response to the potential reluctance was to push Congress to authorize subpoena power for the Board akin to that of the NTSB. “Given the clear differences between the NTSB and CSRB, I do not believe subpoena power is appropriate at this time, especially while conflict-of-interest concerns persist.”
He also flagged that the CSRB began its work by ignoring the President who created it, choosing to forego assessment of the SolarWinds intrusion despite President Biden’s direction. “To increase transparency, a reconstituted CSRB should establish and publish criteria for when and how an incident is selected for review.”
Garbarino said that it is incredibly important “that we investigate cyber incidents to U.S. civilian networks and critical infrastructure in a way that is transparent, impartial, effective, and capable of providing actionable recommendations. Therefore, I request that the Department review all CSRB activity to date and provide me a report of the Department’s findings, no later than June 13, 2025.”
In January, the incoming administration of U.S. President Donald Trump reportedly dismissed members of its advisory committees, including the Cyber Safety Review Board (CSRB), which is responsible for investigating significant cybersecurity incidents. This action is part of a broader effort by the Trump administration to reduce costs within the agency. Details of an internal Jan. 20 memo from DHS Acting Secretary Benjamine Huffman emerged online.
The CSRB was investigating a recent cyberattack by state-sponsored hackers from the People’s Republic of China, known as the Salt Typhoon hacks; that investigation has been affected by the administration’s decision. The Chinese hackers infiltrated at least nine U.S. telecommunications companies in the last couple of months, including internet service providers, prompting considerations for federal response measures.
Last week, the House Committee wrote to Adam Stahl, the Acting Administrator of the Transportation Security Administration (TSA), emphasizing the critical importance of the agency’s cybersecurity and resilience strategies amid escalating threats. The committee members highlighted the dynamic nature of cyber threats targeting the nation’s transportation infrastructure, which necessitates a flexible cybersecurity approach that avoids complicating the already intricate regulatory environment.