The Cyber Safety Review Board (also called the CSRB) was established by United States Secretary of Homeland Security Alejandro Mayorkas on February 3, 2022. Modeled after the National Transportation Safety Board, the Board reviews significant cybersecurity incidents and issues reports. President Joe Biden directed the Board's creation through Section 5 of Executive Order 14028, issued on May 12, 2021.
The Board reviews and assesses significant cyber incidents and provides findings and recommendations to the United States Secretary of Homeland Security. The Board’s construction is a unique and valuable collaboration of government and private sector members, and provides a direct path to the Secretary of Homeland Security and the President to ensure the recommendations are addressed and implemented, as appropriate.
Executive Order 14028 provides that the Board is composed of up to twenty members, chosen by the Director of the Cybersecurity and Infrastructure Security Agency. Those members must include representatives from various federal agencies, as well as individuals employed by the private sector. The CSRB lacks subpoena power and instead relies on voluntary cooperation from organizations with relevant information, though the Biden Administration has published a legislative proposal requesting that Congress grant the CSRB subpoena power.
As of 2024, the CSRB has issued three substantive reports.
On July 11, 2022, the CSRB published its first report, reviewing the Log4Shell vulnerability and associated incidents.
On July 24, 2023, the CSRB published a report reviewing the Lapsus$ international hacker group.
On March 20, 2024, the CSRB published a report detailing how in May 2023, a cyber threat actor classified by Microsoft as STORM-0558 compromised the mailboxes of a broad range of victims in the United States and United Kingdom, including email accounts in the U.S. Department of State, U.S. Department of Commerce, and U.S. House of Representatives. The CSRB reported that STORM-0558 was able to compromise Microsoft's corporate network using unknown means and steal a Microsoft Services Account (MSA) key, which STORM-0558 then used to sign forged authentication tokens granting it access to specific mail accounts. This malicious cyber activity was eventually detected by the U.S. Department of State, rather than by Microsoft itself.
The CSRB concluded that "Microsoft’s security culture was inadequate and requires an overhaul," noting that Microsoft "failed to detect the compromise of its cryptographic crown jewels on its own, relying instead of a customer." This report was widely covered by traditional media and cybersecurity trade press.
Following the publication of the report, Microsoft CEO Satya Nadalla released a blog post acknowledging the CSRB's report and pledging to prioritize security in the future.
The CSRB is composed of 15 highly esteemed cybersecurity leaders from the federal government and the private sector:
Private sector CSRB members serve for a term of two years, which may be renewed up to three times.
Owlapps.net - since 2012 - Les chouettes applications du hibou