After Russian intelligence launched a devastating cyber espionage attack against U.S. government agencies, the Biden administration established a new board to investigate the incident and inform the public. The Cyber Safety Review Board (CSRB) was created following the SolarWinds hack, in which state hackers infiltrated the American software company SolarWinds and exploited a flaw in a Microsoft product to steal intelligence from major U.S. agencies.
The CSRB was formed by executive order in May 2021 to review the SolarWinds attack, but it never conducted the investigation. Instead, for its first report, the board reviewed a separate vulnerability in Log4j software. The second report also did not cover SolarWinds, and for its third report, the board investigated a 2023 attack by Chinese state hackers on Microsoft security.
The failure to review SolarWinds meant the board did not uncover Microsoft’s longstanding knowledge of the flaw exploited by Russian hackers. This oversight raised concerns about Microsoft’s security practices and the board’s effectiveness. Critics, including Sen. Ron Wyden, argued that the board’s inaction may have contributed to subsequent cyberattacks, such as the 2023 Chinese hack.
The CSRB is housed within the Department of Homeland Security (DHS) and is not independent, lacking full-time staff, subpoena power, or dedicated funding. Rob Silvers, the board chair, is a Homeland Security undersecretary, and its vice chair is a Google executive. Silvers stated that the board did not review SolarWinds because it had already been closely studied by public and private sectors, and the board focused on areas with more lessons to be learned.
Cybersecurity experts and officials have criticized the board’s lack of independence and limited scope. The Government Accountability Office (GAO) initially found that the board failed to fulfill its mandate but later accepted the board’s Log4j review as meeting the requirement. The GAO’s decision puzzled experts, who noted that the Log4j report contained minimal references to SolarWinds.
The CSRB’s investigation of the 2023 Chinese-led hack highlighted multiple security failures at Microsoft, prompting the company to announce a series of changes. However, Microsoft’s president Brad Smith raised concerns about the board’s conflicts of interest, noting that some board members were from competing companies.
The CSRB’s establishment aimed to address the threat posed by sophisticated cyberattacks on the U.S. economy and national security, but its performance so far has left significant gaps in addressing past and future threats.
