DHS pushes Congress to formally establish Cyber Safety Review Board

SAN FRANCISCO — A senior Department of Homeland Security official confirmed Wednesday that DHS is working with Congress and the White House on a bill that would codify the Cyber Safety Review Board (CSRB) — a brand-new effort for examining significant cybersecurity incidents.

DHS wants legislation that would formally authorize the board’s funding and grant it subpoena power to compel victims to speak honestly, said Rob Silvers, the undersecretary for strategy, policy and plans, at the RSA Conference.

“We think it would really be in rare instances where the board would need to use that,” Silvers said about the subpoena power, comparing it to the National Transportation Safety Board’s authorities during accident investigations.

The NTSB “almost never uses it, because it doesn't need to, because it gets a cooperation,” Silvers said.

The 15-person CSRB, established by executive order last year, is tasked with evaluating major cyber incidents and making recommendations to remediate them.

The board voted April 24 to approve a legislative proposal and present it to Congress. “[W]e think Congress should put its stamp on it and also give us a foundation for more resources, further building out the staff,” Silvers said.

The CSRB’s first investigation centered on the Log4j bug and the cybersecurity community’s efforts to address the vulnerability. Its current project focuses on the notorious hacking group Lapsus$.

So far the board has seen trust and buy-in from the cybersecurity community, Silvers said, noting that both Apache — the organization that manages the Log4j software — and representatives of the Chinese government appeared before the board for the first investigation.

But subpoena power would give the CSRB the “power we need to get the information we need to do this important work,” Silvers said.

In October, the board reviewed its first investigation, recommending much of what Silvers described in the proposed legislation.

DHS Secretary Alejandro Mayorkas has mentioned the need for Congress to codify the CSRB several times during testimony during various committees.

The draft bill released by the CSRB says the board can be convened whenever deemed necessary by either the president or the secretary of Homeland Security.

Much of the proposed legislation also outlines the extensive measures that would be taken to protect the information provided to the board during investigations.

Heather Adkins, the co-chair of the CSRB and Google’s vice president of security engineering, said onstage with Silvers that members are already making changes to how the board operates after the first investigation and are mulling several others.

“We've already made process changes behind the scenes to get more efficient, to be able to do bigger things. And so I also will want to reach out to the community because I think that will inform us on how can we be better helping the community? Is it more reviews? Fewer reviews? Bigger reviews?” she said.

“That way we know what we're needing for the next version. And then it'd be resilient and permanent and part of the ecosystem in such a way that once we examine all of our current problems, we can solve the next generation of problems as well.”