Rob Knake

Along with almost all other advisory boards at the Department of Homeland Security, the Trump Administration moved quickly to disband the Cyber Safety Review Board (CSRB) in the name of cost savings and government efficiency. Yet the CSRB may not be so much dead as dormant. The Trump Administration has not rescinded EO 14028, which created the board, and after the next major cyber incident it will face pressure to see the board stood back up under existing authorities. Many have already called for the board to be reinstated. When that happens, the difficulty of operating an investigative board on a voluntary basis will become all too apparent to the current administration.

Don’t get me wrong here: the CSRB did some incredible work. I was proud to be part of its stand-up and to have made some small contributions representing the Office of the National Cyber Director in some of its proceedings. The three reports the CSRB completed all provide valuable lessons learned for cybersecurity operators as well as insights for policymakers and lawmakers. Yet at a meta-level, the lesson learned from this body of work is that relying on voluntary efforts by board members and voluntary cooperation by companies does not scale to meet the challenge.

For the CSRB to meet its mandate, three things need to change. First, the board needs to be trimmed and granted unequivocal authority to investigate significant cyber incidents; second, the investigative staff needs to be professionalized and staffed sufficiently to carry out multiple investigations at any given time; and, finally, the board must operate independently without the oversight of Federal agencies whose actions are under review.

Investigative Authority

After side-stepping the mandate to investigate SolarWinds, the CSRB’s first two reports investigated an open-source vulnerability (log4j) and the actions of a threat group (Lapsus$). Because of their subjects, neither delivered the hard-hitting findings or criticisms of corporate cybersecurity practices or security tool failures that this industry so badly needs. Yet when the CSRB, in its third and final report, picked an incident that was not an ecosystem problem but the failing of a single company, it inadvertently showed why relying on good faith participation is likely to fail in the future.

The Review of the Summer 2023 Microsoft Exchange Online Intrusion is the best example of an after-action review in the public domain. It pulls no punches and solidly lands a combination that would have knocked out most other companies. In all candor, even a large cybersecurity vendor might not have survived such a brutal flurry.

While the report praises Microsoft’s cooperation, finding that “Microsoft fully cooperated with the board,” it goes on to offer a scathing indictment of Microsoft’s security practices. “The Board finds that this intrusion was preventable and should never have occurred.” Ouch. “The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul.” Double ouch.

The success of the report likely killed off the prospect of the CSRB ever again gaining the kind of cooperation Microsoft provided, at least if companies are not compelled to do so. No doubt, at least in the short term, cooperating with the CSRB’s investigation harmed shareholder value. Any sensible CEO will conclude that refusing to cooperate, lawyering up, and controlling the narrative is the right course of action when asked nicely to engage in a voluntary process. That outcome is of course not in the national security interest.

Luckily, we have a model for how to encourage the kind of cooperation Microsoft provided in the National Transportation Safety Board (NTSB). Somewhat counterintuitively, it starts with clear authority to investigate, compel testimony, and require the turnover of evidence.

The NTSB’s authorizing legislation gives it unambiguous authority to investigate transportation incidents, including the authority to force the turnover of information and data it deems relevant. Because the NTSB has the authority to compel the sharing of evidence of failure, most companies choose to become “parties” to the investigation, engaging in a cooperative process with the NTSB to share not only evidence but also expertise, all in the interest of promoting aviation safety.

In contrast, strengthening the authorities of the CSRB is viewed in the cyber community as a last resort rather than as the basis for engendering cooperation. The legislative proposal released by the Biden Administration in 2023 positioned subpoena authority as a tool that could only be used when all else failed and created a high bar for its use. In the draft legislation, only when the chair deems the response to a voluntary request insufficient can the chair move to use the subpoena authority. Even then, a subpoena would only be issued when two-thirds of board members approve it. As Congress considers granting the CSRB authority to investigate, that authority must be as unambiguous as it is for the NTSB.

Professional Staff: Scaling to Meet the Challenge

Under the part-time and voluntary service model, the CSRB’s investigations have been far too constrained. The current setup for the CSRB means that the investigation of cyber incidents is not anyone’s day job. Since the CSRB was stood up, we’ve had many significant incidents that should have been investigated, including Colonial Pipeline, Kaseya, MOVEit, the CrowdStrike outages, and this summer’s Microsoft SharePoint attacks, to name a few examples. None were investigated, but all merited investigation by the CSRB, as did a sampling of the 3000+ reported incidents within the health care sector since May of 2021.

Instead of relying on part-time experts, the CSRB should be staffed by trained investigators whose one and only job will be to investigate cyber incidents and produce lessons-learned reports. These professional staff members should be paid, and paid well, in line with market rates for experienced incident responders and likely well above even CISA’s cyber pay levels. In modeling legislation, Congress should look to the authorities granted to the Veterans Administration to hire doctors at market rates and provide additional incentives for hiring.

The staff should have the authority to contract out specific tasks such as malware analysis or specialized forensic activities, but the generation of findings and the production of reports should be entirely the work of the professional staff. These employees should fall under the strictest of ethics obligations and should be prohibited from holding investments in cybersecurity or related fields.

Board Independence

While in its first incarnation most of the work of the CSRB was conducted by board members, a professional staff will obviate the need for board members to carry out investigations. Instead, board members can provide oversight of the professional staff as well as invaluable context and connections in investigations.

Board members should continue to serve as special government employees on a part-time basis, though the chair should be considered for a full-time role. While the CSRB did an exemplary job of managing conflicts of interest, future board members should be drawn from the large pool of “formers” who have served at large technology companies, cybersecurity firms, and in government rather than from current executives.

Federal agency representation is even more problematic than current employment by private cybersecurity companies. As conceived in EO 14028, CSRB membership is to include representatives of relevant Federal agencies as well as representatives of cybersecurity firms and software providers. While I have deep respect for each and every person who served on the CSRB and do not question their integrity or professionalism, it makes little sense to have representatives of the agencies that failed to prevent an incident, or that were involved in the response to it, as members of the board.

In the case of the Microsoft incident, representatives from Microsoft and its competitors like Google recused themselves. But representatives from CISA, the FBI, and NSA did not. The report provides little criticism of these organizations. It is reasonable to ask why CISA was unable to detect that its own systems were compromised while even the State Department was able to do so. It is also reasonable to ask why the NSA apparently failed to pick up on this adversary activity, attributed to a nation-state group under active scrutiny, or failed to share this information if it did. Yet these issues were not examined in the report. It may be that they did not deserve examination, but a setup in which the Secretary of Homeland Security would need to sanction criticism of their own department, or of peer agencies they need to work with every day, makes little sense. There is a reason the NTSB is not part of the Department of Transportation, let alone the FAA, and that its reports are not subject to the approval of any Federal official other than the NTSB chair.