Cybersecurity professionals say the board needs subpoena authority in order to be effective.
Rob Silvers, the Department of Homeland Security’s under secretary for strategy, policy and plans, will be the first leader of a public-private Cyber Safety Review Board to investigate select incidents.
The undersecretary will chair the board for two years and, in conjunction with the director of the Cybersecurity and Infrastructure Security Agency, appoint no more than 20 total members, according to a notice set to publish in the Federal Register Thursday.
The CSRB stems from a May executive order President Joe Biden issued in response to major hacks against IT management firm SolarWinds and software giant Microsoft. The attacks—massive in scale and with high potential for compromising government systems—led to the assembly of a Cyber Unified Coordination Group, which for the first time engaged members of the private sector, officials said.
The executive order’s instructions call for the board’s deputy chair to be a member of the private sector.
Other “members will include at least one representative from the Department of Defense, the Department of Justice, DHS, CISA, the National Security Agency, and the Federal Bureau of Investigation,” according to the notice. “CSRB members will also include individuals from private sector entities to include appropriate cybersecurity or software suppliers.”
The board will function in an advisory capacity. DHS Secretary Alejandro Mayorkas has exempted it from the transparency rules of the Federal Advisory Committee Act, “in recognition of the sensitive material utilized in CSRB activities and discussions,” and members may be required to obtain security clearances, according to the notice.
The idea for the board has been around in some form for decades, though its current form falls short of all that its proponents imagined it could be. Ideally, those proponents argued, it would be modeled after the National Transportation Safety Board, which is empowered to collect information after an incident to improve safety across the aviation industry.
Cybersecurity thinkers say private sector entities will not share the sort of information that would be helpful in the same way unless they are compelled to do so, and they have called for the CSRB to have subpoena authority.
The board will have 90 days from its establishment to provide recommendations to the DHS secretary for improving cybersecurity and incident response practices after reviewing the hack that caused the UCG to come together in December 2020.