Biden Administration’s Cyber Safety Review Board Faces Criticism for Not Investigating SolarWinds Attack


The Biden administration established the Cyber Safety Review Board (CSRB) in response to a major cyber-espionage attack by Russian intelligence, which targeted U.S. government agencies through the SolarWinds software.

The hackers used a vulnerability in a Microsoft product to infiltrate the National Nuclear Security Administration, National Institutes of Health, and the Treasury Department, marking what Microsoft President Brad Smith described as the most sophisticated attack ever. Despite the board’s creation to investigate such incidents, it never examined the SolarWinds attack as initially directed.

The CSRB, created to address cyber threats compromising U.S. economic and national security, was intended to function similarly to the National Transportation Safety Board (NTSB), which investigates aviation accidents independently and publicly.

However, unlike the NTSB, the CSRB operates within the Department of Homeland Security (DHS) and lacks full-time staff, subpoena power, and dedicated funding. This structure has led to criticism regarding its ability to conduct thorough, independent investigations.

The CSRB’s decision not to review SolarWinds remains unexplained. Instead, it investigated a 2023 cyber attack by Chinese state hackers, who exploited various Microsoft security flaws to access the emails of top federal officials.

A public examination of the SolarWinds incident could have exposed Microsoft’s longstanding knowledge and neglect of a critical security flaw, which would have significant implications for U.S. government security and Microsoft’s practices.

Critics argue that the board’s failure to investigate SolarWinds has blocked accountability and hindered the prevention of future attacks. Senator Ron Wyden and other cybersecurity experts suggest that a thorough review could have identified weaknesses in Microsoft’s security culture and possibly prevented the 2023 Chinese hack.

However, DHS maintains that the two incidents were distinct and a review of SolarWinds wouldn’t have necessarily uncovered the gaps found in the latest attack.

Microsoft has not disputed the whistleblower’s claims regarding its security failings but emphasizes its commitment to customer protection and thorough handling of security issues.

The board’s failure to probe SolarWinds raises questions about its ability to hold government agencies accountable for their cybersecurity lapses. Critics, including Wyden, express concern that the board’s composition, with federal officials as the majority, might hinder impartial evaluations of government negligence.

Although the board took no action on SolarWinds, its work has led to some regulatory changes, such as new FCC rules related to cell phone security. Nonetheless, cybersecurity experts remain skeptical of the board’s effectiveness, especially given the Government Accountability Office’s (GAO) puzzling endorsement of the board’s work.

The CSRB’s limited scope and independence contrast sharply with the NTSB model, underscoring the need for a more robust and autonomous cybersecurity review process to address the escalating threats to national security.
