As the US mulls legislation that would see the Cyber Safety Review Board become a permanent fixture in the government's cyber defense armory, experts are calling for substantial changes in the way it's organized.
Discussions were held at a US Senate hearing on January 17 on how the CSRB could be improved.
The board was created under a 2021 Executive Order (and formally stood up in early 2022) and is tasked with investigating some of the most significant cybersecurity incidents affecting the US, but has produced only two reports so far: one on Log4j [PDF] and another on the LAPSUS$ group [PDF].
All three senior industry figures in attendance agreed that a greater degree of independence was required if the board's reports are to be as richly detailed as possible and to answer the questions that private-sector post-mortems have typically left unanswered.
Tarah Wheeler, CEO at Red Queen Dynamics, said the current makeup of the CSRB needs a serious rethink and the way investigations are carried out at present is like asking Boeing's leadership to write the sole report on what happened with last week's 737 MAX 9 disaster.
Currently, the CSRB comprises 15 cybersecurity leaders from both the public and private sectors, but this composition is seen as a potential obstacle to open, transparent reporting on major incidents.
A private company isn't expected to be wholly transparent about a security incident, so seating a representative of an organization that is itself the subject of a CSRB investigation could result in findings being omitted for legal or commercial reasons.
The board's upcoming third report, looking into the Microsoft Exchange snafu that saw 60,000 State Department emails flutter off to China, is one such example of where private sector members from or with ties to Microsoft have no place.
To avoid duplication of effort, the CSRB should be an independent body wielding the power to fully probe an incident and include every detail in an open report so the wider industry can benefit from the lessons, she argued.
The goal of the CSRB should be to offer reports filled with actionable information that's free to be published without fear of lawyers hushing certain sections or risking a dip in stock prices.
The sentiment was shared by Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, who agreed that the proposed independence of the CSRB should be seen as a key strength and an argument in favor of making the board permanent.
In terms of the board's membership, Herr said the CSRB should have a handful of core members but also have the power to bring in and recuse members on an ad-hoc basis, depending on the perceived conflict of interest on any given investigation.
John Miller, senior veep of policy, trust, data, and technology and general counsel at the Information Technology Industry Council, said private sector board members should be independent and the election process should also be transparent.
That sentiment was met with unanimous agreement, but there is some unease about the conflicts of interest that arise from private-sector involvement.
Beyond independence and the board's primary function, the hearing also considered whether the board should have the power to subpoena organizations for key information that might otherwise stay within a company's walls.
Wheeler, on one hand, appeared vehemently in favor of affording the CSRB subpoena powers, but not in its current makeup, which she argued could be seen as anti-competitive.
Herr agreed, with a slight addendum: The subpoena power should not be tied to a criminal investigation - something that may impede the board's access to information.
He said it should exist within a specific authority like the National Transportation Safety Board - a similar body that investigates major transport accidents and inspired the formation of the CSRB - and shouldn't be punitive in any way.
Miller opposed the idea, saying it was too early to think about affording the CSRB powers of this caliber until the Cybersecurity and Infrastructure Security Agency has finalized the scope of the incidents and covered entities of the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
Following the hearing, Senator Gary Peters said the committee was not endorsing any of the testimony given before it this week and is still in the research stages of deciding whether to codify the board.
This Cyber News was published on go.theregister.com. Publication date: Thu, 18 Jan 2024 19:13:05 +0000