Official: DHS cyber review board will announce next investigation ‘soon’

A review board of federal and industry officials led by the Homeland Security Department is readying to announce its next investigation, a top DHS official teased on Monday.

“I think we’re going to have an announcement soon,” Rob Silvers, DHS undersecretary for policy and chair of the Cyber Safety Review Board (CSRB), said during a Center for Strategic and International Studies event in Washington, D.C.

President Joe Biden created the CSRB in 2021 to investigate the root cause of major cybersecurity incidents and distill their takeaways for policymakers and industry. To date, the board has conducted three examinations, including one of the widespread Log4j vulnerability and another on the Lapsus$ hacker group.

Speculation has run rampant about what the organization would look into next following its scathing report earlier this year on how “cascade” of avoidable security failures at Microsoft allowed Chinese spies to break into the unclassified email inboxes of senior U.S. officials at the State and Commerce departments.

Asked if the body might dig into the global computer outage caused by a flawed CrowdStrike software update last July, Silvers noted the board has a list of criteria an incident must meet in order to be reviewed but did not elaborate further.

In a legislative proposal released last year, DHS asked congressional lawmakers to formally enshrine the CSRB into law and grant it limited subpoena powers — that can only be voted on by its federal members — in order to gain information from non-cooperative entities.

Silvers noted there are seven full-time staff members working for the board, as well as a team of contractors.

“We have drawn from existing resources to build out a full time staff of the board,” he said. “These are very complex situations that we’re reviewing, and it’s a really deep dive factual investigation.”