As cyber threats top a list of business risks for the fourth straight year, the dissolution of the Cyber Safety Review Board eliminates a source of cybersecurity guidance that had gained significant private-sector trust, sources say. The volunteer board of public and private sector experts had become increasingly influential in analyzing major breaches and shaping how organizations respond to digital threats.
Among the flurry of activity on Donald Trump’s first days in office, his administration moved to overhaul the Department of Homeland Security (DHS). Gone were the heads of the TSA and Coast Guard, as well as the members of an aviation committee established after the 1988 Pan Am bombing, which killed more than 250 people.
Not only were the members of the aviation committee sacked, but so were members of all similar advisory committees within DHS, including the Cyber Safety Review Board (CSRB), established by a Biden Administration executive order. On the board was a mix of government and private sector cybersecurity leaders; its charge was to analyze major cybersecurity events and make recommendations for improving response and practices. None of the board positions were paid, and members were appointed by the Cybersecurity and Infrastructure Security Agency (CISA).
Cybersecurity is routinely among the biggest threats to businesses of all sizes, with large, high-profile corporations frequently in the sights of hackers and other cyber criminals. Allianz Commercial’s recent annual report on business risks found that cyber incidents were rated as the single biggest risk, ahead of things like supply chain disruptions, natural disasters and even changes to regulations. This is the fourth consecutive year cyber threats have been cited as the top risk, the insurer said.
In its short tenure, the CSRB had become influential in affecting cross-sector cybersecurity, and the resulting leadership vacuum is worrying, said Martin Greenfield, CEO of Quod Orbis, a cybersecurity monitoring software company.
“[The CSRB’s] work has been instrumental in highlighting systemic vulnerabilities that many organizations might have otherwise overlooked,” Greenfield said. “They’re setting industry benchmarks for transparency and accountability in handling major security incidents, while fostering public-private collaboration in threat intelligence sharing. … The absence of the CSRB might create vulnerabilities in the US cybersecurity landscape. Without a dedicated board, we lose independent, high-level security assessments and recommendations that previously guided national cybersecurity policy. This gap in centralized oversight could slow responses to emerging threats and weaken the crucial collaboration between government and industry.”
An anonymous source told TechCrunch that the decision to shutter all DHS advisory boards was “horribly shortsighted.”
In April, the CSRB issued its report on a 2023 incident in which Chinese hackers successfully breached the mailboxes of more than 500 Microsoft Online Exchange users, including Cabinet members and other State Department personnel. That report was scathing, saying the board had “identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” (The full report was still accessible as of this writing.)
Freelance cybersecurity reporter Eric Geller said on social media platform Bluesky that the panel was partway through an investigation of Salt Typhoon, a group of Chinese hackers that, Reuters reported in December, had stolen the metadata of a large number of Americans and targeted Trump and Vice President JD Vance, among other government officials.
Other panels that got the axe included advisory boards on AI safety and security, critical infrastructure and telecommunications. Separately, Trump also revoked the recent Biden Administration executive order on AI safety, which could further imperil the cybersecurity safety posture of US interests, Greenfield said.
“Without federal oversight, AI development risks prioritizing speed over safety, potentially increasing vulnerabilities in critical infrastructure and enabling more sophisticated cyber warfare and misinformation campaigns,” he said. “The absence of unified standards could give foreign adversaries developing AI with fewer ethical constraints a competitive advantage.”