President’s Cyberattack Investigation Board Fails to Probe SolarWinds, Draws Criticism


In the aftermath of a sweeping cyber espionage attack by Russian intelligence targeting U.S. government agencies and corporations, the Biden administration established the Cyber Safety Review Board with a mandate to investigate and report on significant cyber incidents. However, despite its inception following an executive order in May 2021, the board failed to fulfill its initial directive to scrutinize the SolarWinds breach, a decision that has drawn scrutiny and criticism from cybersecurity experts.

The SolarWinds attack, characterized by Microsoft President Brad Smith as one of the largest and most sophisticated cyber intrusions in history, exploited vulnerabilities within SolarWinds’ software and a flaw in Microsoft products. This breach compromised sensitive data from entities such as the National Nuclear Security Administration, the National Institutes of Health, and the Treasury Department.

While the Cyber Safety Review Board was specifically tasked with probing the SolarWinds incident, it never conducted the detailed investigation mandated by the White House. Instead, the board redirected its focus towards a separate cyber incident involving Chinese state hackers in 2023, which targeted federal officials’ email systems using Microsoft security loopholes.

Critics argue that the board’s failure to examine SolarWinds prevented a comprehensive public reckoning with Microsoft’s role in the breach, which could have catalyzed necessary security reforms. ProPublica’s recent investigation highlighted Microsoft’s prior knowledge of the vulnerability exploited in the attack, underscoring systemic corporate negligence that left government systems vulnerable.

Advocates for cybersecurity reform have long called for an independent body akin to the National Transportation Safety Board, which investigates aviation accidents to catalyze industry change and regulatory action. The Cyber Safety Review Board, however, operates under the Department of Homeland Security (DHS) and lacks key attributes such as full independence, subpoena power, and dedicated funding.

Rob Silvers, chair of the board and DHS undersecretary, defended the board’s decision not to review SolarWinds, citing existing scrutiny from public and private sectors. He emphasized the board’s focus on areas where significant insights and lessons could still be gleaned, indicating a strategic shift away from the SolarWinds incident towards other cyber vulnerabilities.

In response to criticism, Silvers pointed to the board’s impact on government policy, citing its role in influencing new Federal Communications Commission regulations. However, critics, including Senator Ron Wyden, argue that a thorough examination of SolarWinds could have preempted subsequent cyberattacks by highlighting systemic weaknesses and corporate accountability.

Despite assurances from DHS and the board’s contribution to cybersecurity discourse, concerns persist about its effectiveness and transparency. The Government Accountability Office (GAO) initially questioned the board’s failure to investigate SolarWinds as directed but later accepted alternative reports from DHS and the National Security Council as fulfilling the executive order’s requirements.

Looking ahead, discussions continue about reforming the Cyber Safety Review Board to enhance its independence, resources, and investigative capabilities. While DHS supports legislation to institutionalize the board with permanent status and enhanced authority, cybersecurity experts advocate for broader reforms to ensure robust oversight and accountability in safeguarding national cybersecurity.

The saga of the Cyber Safety Review Board underscores ongoing challenges in addressing cyber threats effectively within a complex landscape of government oversight and corporate responsibility. As cybersecurity risks evolve, the need for a resilient and transparent investigative framework remains paramount to protect critical national interests and infrastructure.
