
U.S. Rep. Andrew Garbarino (R-NY), in his capacity as chairman of the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, recently requested a review of a board established under the Biden administration to improve the nation’s cybersecurity.
Specifically, the congressman asked for a report on the U.S. Department of Homeland Security (DHS) Cyber Safety Review Board (CSRB) that examines concerns about transparency, accountability, and efficacy as DHS considers reconstituting the board.
“I am concerned that the CSRB’s structure inhibited the board’s ability to fulfill its mandate,” Rep. Garbarino wrote in a March 13 letter sent to DHS Secretary Kristi Noem, who recently decided to temporarily disband CSRB memberships.
In his letter, Rep. Garbarino requests information detailing how incidents are chosen for review; the selection criteria for CSRB membership; how part-time membership impacts the board’s engagement; the potential to establish full-time membership; how the board decides its final recommendations following reviews; and whether subpoena authority would help the review process.
“It is impossible to call a body ‘independent’ when its members — who serve on a part-time basis — are selected without clear selection criteria,” wrote Rep. Garbarino. “Although private-sector individuals are required to serve in their personal capacities, that is impossible to guarantee with part-time membership. The cybersecurity ecosystem is too intertwined to absolve members who may work at competitor companies of conflicts of interest, which potentially impacts the CSRB’s ability to produce objective analyses.”
He also pointed out that there’s a lack of transparency about the CSRB’s appointment process. The members of the CSRB — who are appointed by the Cybersecurity and Infrastructure Security Agency (CISA) director — are industry members who regularly interact with CISA.
“As such, they may curry favor with the CISA director for an appointment, potentially putting themselves in a position to directly investigate their competitors,” wrote the lawmaker. “Since the selection and recusal process of industry members for the board is not transparent to Congress or the American people, there is currently no accountability mechanism to prevent conflicts of interest.”
Additionally, Rep. Garbarino wrote that the CSRB’s process for selecting which cyber incidents to review appears non-existent and the “broad criteria” used should prompt numerous reviews given the sheer number of cyberattacks the nation experiences daily.
“To increase transparency, a reconstituted CSRB should establish and publish criteria for when and how an incident is selected for review,” he wrote.
