Cyber Safety Review Board Refused To Investigate SolarWinds

July 26, 2024

Craig Silverman reports in ProPublica that shortly after a huge Russian cyberattack in 2021, President Biden issued an executive order establishing the Cyber Safety Review Board and ordered it to start by reviewing the notorious SolarWinds attack.

Russian intelligence infiltrated SolarWinds, a domestic software company that serves thousands of American companies and government agencies. They used a flaw in a Microsoft product to steal protected data from the National Nuclear Security Administration, the National Institutes of Health, and the Treasury Department.

According to the article, a full, public accounting of the SolarWinds case would have been devastating to Microsoft. The company knew about the flaw that enabled the hack but failed to address it.

The cybersecurity industry has long been calling for a cyber equivalent of the National Transportation Safety Board, an independent agency required to investigate and issue public reports on the causes and lessons learned from major aviation and other accidents. The Cyber Safety Review Board has resisted that mission.

It has no full-time staff, subpoena power, or dedicated funding. Its independence is compromised because it is housed in the Department of Homeland Security. Its chair is Rob Silvers, a Homeland Security undersecretary. Its vice chair is a security executive at Google.

According to the article, Homeland Security decided the board didn’t need to review SolarWinds because the attack had already been “closely studied” by the public and private sectors.

As a result, the board didn’t discover the role that Microsoft’s weak security culture played in the attack, a revelation that might have prevented a 2023 Chinese hack. Sen. Ron Wyden recently renewed calls for the board to review SolarWinds and for the government to improve its cybersecurity defenses.
