Rep. Andrew Garbarino, R-N.Y., chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, is urging the Department of Homeland Security (DHS) to examine the structure of the agency’s Cyber Safety Review Board (CSRB) as it considers reconstituting the board, with an eye to increasing transparency of how its members are selected and which cybersecurity incidents the board chooses to investigate.
DHS dismissed the members of the CSRB, along with all other members on advisory committees within the department, on the first day of the Trump administration. However, the department plans to eventually reinstate the board – something Deputy Secretary Troy Edgar indicated during his confirmation hearing.
“I am concerned that the CSRB’s structure inhibited the Board’s ability to fulfill its mandate,” Rep. Garbarino wrote to DHS Secretary Kristi Noem in a March 13 letter that was made public on March 17.
“Although the CSRB is often likened to the National Transportation Safety Board (NTSB), this comparison falls short in several ways. The CSRB lacks independence, transparency, and the authorities to perform like the NTSB,” the congressman said. “Therefore, to ensure any new CSRB’s effectiveness, I request a thorough review of the Board’s structure prior to its reconstitution.”
The CSRB was created under the Biden administration as a public-private initiative to bring together government and industry leaders to better understand significant cybersecurity events. The board has investigated root causes, mitigations, and responses to several high-profile cyberattacks and vulnerabilities, and then issued recommendations based on its findings.
DHS’s Cybersecurity and Infrastructure Security Agency (CISA) is charged with managing, supporting, and funding the board. The CSRB is composed of up to 20 members, who are appointed by the director of CISA, meaning all of the previous members were appointed by former CISA Director Jen Easterly.
However, Rep. Garbarino said that the board lacks transparency surrounding the appointment process, as there is no “clear selection criteria.”
“Lack of transparency about the CSRB’s appointment process may threaten the model and efficacy of the Board,” Rep. Garbarino said. “Industry members regularly interact with CISA, given the Agency’s role as a ‘trusted partner’ to the public and private sectors. As such, they may curry favor with the CISA Director for an appointment, potentially putting themselves in a position to directly investigate their competitors.”
“Since the selection and recusal process of industry members for the Board is not transparent to Congress or the American people, there is currently no accountability mechanism to prevent conflicts of interest,” the congressman added.
Rep. Garbarino explained that this could deter organizations involved in cyber incidents from cooperating with the CSRB, as they may not want to voluntarily share information with a board composed of their competitors.
“The Biden Administration’s response to the potential reluctance was to push Congress to authorize subpoena power for the Board akin to that of the NTSB. Given the clear differences between the NTSB and CSRB, I do not believe subpoena power is appropriate at this time, especially while conflict-of-interest concerns persist,” Rep. Garbarino said.
Additionally, the congressman said the selection process for which cyber incidents to review “appears non-existent.” To increase transparency, he said a reconstituted CSRB “should establish and publish criteria for when and how an incident is selected for review.”
Rep. Garbarino is asking DHS to review all CSRB activity to date and produce a report on its findings no later than June 13.
Specifically, he wants answers to questions such as how a cyber incident is selected for review by the CSRB, what the selection criteria are for CSRB members, and how part-time membership has impacted the CSRB’s level of engagement.
He also wants to know how the CSRB decides its recommendations and whether subpoena authority would help or hinder the ability of the CSRB, under the current construct, to perform its reviews.
Rep. Garbarino is not the first to raise concerns regarding the transparency of the CSRB. Cybersecurity experts testified before Congress last year to call for more transparency around how members are appointed to the CSRB.
The experts called for an “independent civilian agency staffed with full-time investigators” to tackle significant cyber incidents. Additionally, while private sector members have a lot to add to the board, the experts said there should be a clear “process for recusal” when necessary.
