Chairman Garbarino Urges Trump Administration to Examine Cyber Safety Review Board’s Efficacy, Transparency
March 17, 2025
WASHINGTON, D.C. –– Last week, Rep. Andrew Garbarino (R-NY), chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, sent a letter to Department of Homeland Security (DHS) Secretary Kristi Noem, urging the Trump administration to examine, through a report, the structure of the Cyber Safety Review Board (CSRB) to address concerns about transparency, accountability, and efficacy as it considers reconstituting the Board. The Board, which was first stood up under the Biden administration by Executive Order following the 2021 SolarWinds intrusion, was tasked with investigating major cyber incidents. However, the Board has faced several challenges since inception.
In the letter, Chairman Garbarino asks for information detailing how incidents are chosen for review, the selection criteria for Board membership, how part-time membership impacts the Board’s engagement, the potential to establish full-time membership, how the Board decides its final recommendations following reviews, and whether subpoena authority would help this review process. Read the full letter here.
In the letter, Chairman Garbarino wrote, “I request a thorough review of the Board’s structure prior to its reconstitution—something Deputy Secretary Troy Edgar indicated may happen during his confirmation hearing. It is impossible to call a body “independent” when its members—who serve on a part-time basis—are selected without clear selection criteria…Although private sector individuals are required to serve in their personal capacities, that is impossible to guarantee with part-time membership. The cybersecurity ecosystem is too intertwined to absolve members who may work at competitor companies of conflicts of interest, which potentially impacts the CSRB’s ability to produce objective analyses.”
Chairman Garbarino continued, “Lack of transparency about the CSRB’s appointment process may threaten the model and efficacy of the Board. Industry members regularly interact with CISA, given the Agency’s role as a ‘trusted partner’ to the public and private sectors. As such, they may curry favor with the CISA Director for an appointment, potentially putting themselves in a position to directly investigate their competitors. Since the selection and recusal process of industry members for the Board is not transparent to Congress or the American people, there is currently no accountability mechanism to prevent conflicts of interest. This may deter entities involved in each incident from cooperating with the CSRB, as they may become increasingly reluctant to voluntarily share information with a Board that includes competitor organizations. The Biden Administration’s response to the potential reluctance was to push Congress to authorize subpoena power for the Board akin to that of the NTSB. Given the clear differences between the NTSB and CSRB, I do not believe subpoena power is appropriate at this time, especially while conflict-of-interest concerns persist.”
Chairman Garbarino concluded, “Finally, the CSRB’s process for selecting which cyber incidents to review appears non-existent. EO 14028 states: ‘[t]he Secretary of Homeland Security shall convene the Board following a significant cyber incident triggering the establishment of a Cyber Unified Coordination Group (UCG) as provided by section V(B)(2) of PPD-41; at any time as directed by the President acting through the APNSA [Assistant to the President for National Security Affairs]; or at any time the Secretary of Homeland Security deems necessary.’ This broad criteria should prompt numerous reviews, given the sheer number of cyberattacks the nation experiences daily. However, the CSRB began its work by ignoring the President who created it, choosing to forego assessment of the SolarWinds intrusion despite President Biden’s direction. To increase transparency, a reconstituted CSRB should establish and publish criteria for when and how an incident is selected for review.”
###