WASHINGTON – During a Senate Homeland Security and Governmental Affairs Committee hearing today, Senator Maggie Hassan (D-NH) questioned leading cybersecurity experts about the Cyber Safety Review Board (CSRB). The CSRB consists of 15 cybersecurity leaders from the federal government and the private sector and is overseen by the Cybersecurity & Infrastructure Security Agency, part of the United States Department of Homeland Security. Congress is considering legislation to make the CSRB permanent.
To watch Senator Hassan’s hearing questions, click here.
Senator Hassan began by questioning Dr. Trey Herr, the Director of the Cyber Statecraft Initiative for the Atlantic Council: “U.S. adversaries, including China and Russia, continue to target U.S. critical infrastructure in cyber space. What role does the CSRB play in countering threats from U.S. adversaries? Should Congress consider requiring the Board to prioritize national security threats as part of its investigative responsibilities?”
Dr. Herr said that the “board’s role in addressing those sorts of incidents that you mentioned are to ensure that our defensive architecture is as sound and as robust as possible in the face of those growing threats.”
Then, Senator Hassan asked Dr. Herr: “How is the Cyber Safety Review Board’s purpose different from other entities conducting cybersecurity reviews and investigations?”
Dr. Herr highlighted the board’s “ability to conduct root cause analysis of these failures without addressing fault,” its independence, and its capability on researching and addressing complex, long-range cyber threats.
Lastly, Senator Hassan asked all the witnesses about the potential need for the CSRB to have subpoena authority.
Tarah Wheeler, the Chief Executive Officer for Red Queen Dynamics, said that it is valuable to have access to information from the moment of a cyberattack instead of publicly-released information vetted through lawyers. John Miller, Senior Vice President of Policy, Trust, Data, and Technology and General Counsel at the Information Technology Industry Council, said that before seeing Cybersecurity & Infrastructure Security Agency requirements for the CSRB, it is not clear if CSRB needs subpoena power.
###