Former CSRB members largely silent on dismissal

Former members of the Department of Homeland Security's Cyber Safety Review Board have been broadly silent on their dismissals last week.

Benjamine C. Huffman, who was the acting DHS secretary prior to Kristi Noem's confirmation Saturday, sent a Jan. 20 memo that immediately terminated all current DHS advisory committee memberships. Though not named in the memo directly, this included the Cyber Safety Review Board (CSRB), an advisory board established by former President Joe Biden in 2021 to review and report on significant cybersecurity issues and incidents.

The CSRB delivered three reports; one dedicated to a series of incidents surrounding Log4j vulnerabilities discovered in December 2021, one dedicated to notorious ransomware gang Lapsus$, and the most high-profile report, one dedicated to a May 2023 incident in which Microsoft was breached by Chinese state-sponsored threat group Storm-0558. The latter report, published last March, was highly critical of Microsoft, citing a series of security failures that enabled nation-state hackers to access U.S. government emails in an attack the board argued should never have occurred.

Huffman wrote in the memo that the decision to terminate board memberships came out of a "commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security." The memo said future activities would be focused "solely on advancing our critical mission to protect the homeland and support DHS's strategic priorities," adding that dismissed members were welcome to reapply.

While Huffman's memo cited misuse of resources, a CISA spokesperson last week sent a statement to Informa TechTarget from an unnamed senior DHS official that suggested other motives for the dismissals of advisory board members. "Effective immediately, the Department of Homeland Security will no longer tolerate any advisory committee which pushes agendas that attempt to undermine its national security mission, the President's agenda or Constitutional rights of Americans," the statement read.

Informa TechTarget contacted many former and then-present members of the CSRB for comment on members' dismissals, including Dmitri Alperovitch, co-founder of Silverado Policy Accelerator and CrowdStrike; Jamil Jaffer, cybersecurity expert and venture capitalist; Rob Joyce, a former White House cybersecurity official; Chris Krebs, former director of CISA; Katie Nickels, senior director of intelligence operations at Red Canary; Katie Moussouris, founder and CEO of Luta Security; Chris Novak, vice president of cybersecurity solutions at Verizon; Wendi Whitmore, senior vice president of Unit 42 at Palo Alto Network; and Tony Sager, senior vice president at the Center for Internet Security.

Spokespeople for Alperovitch, Sentinel One (Krebs' current employer), Red Canary and Verizon declined to comment, as did Joyce. Jaffer was not available for comment. In the case of Sentinel One, a spokesperson said in an email that "Chris [Krebs] resigned from the CSRB Saturday January 18, 2025." Palo Alto Networks, Google, Luta Security and the Center for Internet Security did not return request for comment. However, Moussouris told TechCrunch she's hopeful the advisory seats will be filled by the most qualified candidates without delay.

Although President Donald Trump's name was not on the memo sent last week, the phrase "misuse of resources" is reminiscent of Trump's aims to eliminate perceived waste in government spending. Similarly Noem, who was the governor of South Dakota prior to her confirmation as DHS secretary, said during testimony this month that CISA, which has a significant role in the CSRB, has gone "far off mission" and that it should be made smaller to focus more on defending critical infrastructure and less on combating misinformation and disinformation campaigns.

Krebs was fired as CISA Director in November 2020 for pushing back against Trump's unfounded claims that widespread voter fraud and hacked voting machines led to an illegitimate election result. Although CISA does combat misinformation and disinformation, it is usually against campaigns operated by U.S. cyber adversaries, including Russia and Iran.

At the time the CSRB's membership was dismantled, it was working investigating Salt Typhoon, a Chinese state-sponsored actor that breached major telecom carriers including Verizon, AT&T, T-Mobile and Lumen Technologies. Attackers hacked infrastructure used to fulfill law enforcement and intelligence wiretapping requests. Salt Typhoon gained access to call data and private communications belonging to high-profile individuals such as government officials, as well as members of the 2024 presidential campaigns for Trump and former vice president Kamala Harris.

The breaches, which first came to light last fall, had far-reaching effects; in December, CISA issued a new mobile security guidance in light of the attacks that warned the threat actors may have maintained access to the telecom networks. "Highly targeted individuals should assume that all communications between mobile devices -- including government and personal devices -- and internet services are at risk of interception or manipulation," CISA said in the guidance.

It wasn't until earlier this month that AT&T and Verizon announced they had completely evicted the threat actors from their respective networks. SentinelOne intelligence director Matthew Pines said the attacks "will be seen as the worst counterintelligence breach in US history."

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.