CISA CSRB: good riddance
It was a political group pushing policy, not a technical group doing failure analysis
In my social media timeline, I see journalists lamenting[1][2] the dissolution of the “Cyber Safety Review Board” or “CSRB”. But this is a good thing; the board was very much a misuse of resources.
The CSRB was an advisory board set up by CISA and modeled after the NTSB, the agency that investigates major accidents involving airplanes, trains, pipelines, and so on.
But while it copied the NTSB’s purpose, it wasn’t structured anything like the NTSB. The NTSB is a federal agency with 5 political leaders (it’s their paid, full-time job), a large staff of technical experts (likewise paid, full-time jobs), subpoena power, and a budget of roughly $150 million.
In contrast, the CSRB was just 13 to 20 people who volunteered their time, most of whom weren’t particularly technical.
The CSRB output hasn’t been technical but political. The board was more about gathering political consensus than producing technical information.
They produced only a few reports: a lot of effort for little output. Their reports covered the 2023 Microsoft Exchange hack, the Lapsus$ attacks, and Log4j.
None of these reports contributes to our understanding of the subject. These high-profile incidents are already well covered by public information, with lots of experts opining on them. The “value add” is the fallacious idea that the report is “official”, that none of the public information is valid until the government puts its imprimatur on it.
Their report on the Microsoft Exchange hack is a good example. It makes the following political judgment:
“The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft”
This is nonsense. Every hack “should never have happened” and is the result of “failures”. It’s not a “cascade of failures”, but a demonstration of the robust “defense-in-depth” at Microsoft, that any attack has to get through a lot of barriers.
An NTSB failure analysis is never so judgmental. The political desire to assign blame is antithetical to failure analysis, which focuses primarily on what failed and why.
The CSRB reports are the opposite. They contain only a high-level, hand-waving, non-technical description of what went wrong. They lack the technical detail of NTSB reports and do not contain enough information for a techie like myself to figure out exactly what failed.
Instead of fixing specific problems, the CSRB reports promote broad policy-level initiatives. For example, their report on the Log4j vulnerabilities contains no help for how organizations can find vulnerable systems. Instead, it promotes the political agenda of the “software bill of materials” (SBOM), which theoretically might help in the future. (But which, in my technical opinion, won’t.)
The memorandum dissolving the CSRB justifies itself by calling the board a misuse of resources, and it absolutely was. A non-political, non-judgmental, NTSB-style failure analysis would be a good thing. The CSRB was nothing like that, as we can see from its reports.
Disclaimer: I know, like, and respect several people on the CSRB.