Skip to main content
Cybersecurity

IT pros consider immediate consequences of a halted CSRB

The board, established in 2022, investigated major incidents and offered actionable advice.

A view over a huge table in a boardroom

Klaus Vedfelt/Getty Images

4 min read

A council of security pros in industry and government no longer have a paper due, it seems, but no one’s celebrating.

A Jan. 20 memo, signed by Acting Department of Homeland Security (DHS) Secretary Benjamine C. Huffman, announced the termination of advisory committees under the DHS, reportedly including the investigatory Cyber Safety Review Board (CSRB). (The original page announcing the launch of the CSRB in February 2022 has been classified as “archived content.”)

The consequences of shutting down a government–industry collaboration like CSRB concerns IT pros, including a former member of the advisory group who spoke with IT Brew.

“Only the administration can answer whether the CSRB is done or whether they will try to resurrect it in some form,” said Katie Moussouris, founder and CEO of Luta Security and an inaugural member of the review board, which was under the Cybersecurity and Infrastructure Security Agency (CISA) within the DHS.

What is the CSRB? The CSRB investigated major cybersecurity incidents: the software vulnerability Log4j in 2022; Lapsus$ threat actors in 2023; and most recently, the 2023 Microsoft Online Exchange intrusion.

The group’s efforts have been compared to the National Transportation Safety Board, an independent federal agency charged with investigating aviation accidents, determining causes, and providing preventative recommendations.

When investigating Log4j, Moussouris and 14 other members, including government and cybersecurity industry leaders, interviewed nearly 80 organizations and individuals to collect insights and provide protection recommendations.

“This was all voluntary. We had no subpoena power, and the fact that so many different organizations and walks of life were willing to come forward voluntarily and share information for the greater good? That was proving a theory,” Moussouris told us.

Work in progress. Dismantling the CSRB has put an abrupt end to its current investigation: an examination of state-sponsored attacks on telecom firms from Chinese hacking group Salt Typhoon. Halting the research has especially “disappointing” short-term consequences, according to Moussouris, given the continuing nature of the attack.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A report on Salt Typhoon, Moussouris said, will help the public understand telecom providers’ and government’s actions to defend against the threat actors. “In the immediate sense, the stoppage of that particular investigation is going to have immediate national security consequences,” she said.

What’s next? Moussouris still plays a federal advisory role in the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board and the Department of Commerce’s Information Security Technical Advisory Council.

Matthew DeChant, CEO of consultancy Security Counsel, has worked with groups like the Department of Health and Human Service’s 405(d) program, a collaborative effort between the health sector and the federal government “to align healthcare industry security practices.” The group still exists, for now.

DeChant said he sees that the disbanding of a group like CSRB puts many public–private groups at risk.

“This is a very, very fluid situation here, and it appears everything is on the table,” he said.

He has concerns about “the larger apparatus” of cybersecurity info-sharing breaking down and that “we just don’t get information flowing from one group to the other.”

CISA itself lost 130 staffers, according to an ABC News report, including some tasked with election security.

As agency memos and directives chip away at federal cyber efforts, Moussouris envisions CSRB-like initiatives turning into local, state-level operations.

“The longer-term result of stopping an organization like the [CSRB] is that as these incidents unfold, we do not have a good substitute at the federal level to investigate them and disseminate non-classified knowledge to the public,” she said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.