Shostack + Friends Blog


CSRB Senate Hearing

Comments following the Senate’s CSRB hearing Tarah Wheeler testifying

On Wednesday, the Senate held a hearing, The Cyber Safety Review Board: Expectations, Outcomes, and Enduring Questions. There were very solid questions, and I want to offer perspective on two of them: recommendations and classified information.

One issue that seemed to be on the minds of several Senators was how to ensure that the CSRB is listened to, not ignored, by either government agencies or private companies.

I’ve come to understand that the NTSB’s ability to express recommendations and let other act on them (or not) is a strength. It allows the NTSB to investigate and express recommendations that may be complex, expensive or otherwise perhaps sub-optimal. This is a useful separation of power and duties, and lets regulators and private actors make decisions about how to engage with those recommendations. Regulatory agencies can take a recommendation, engage with stakeholders, draft guidance or rules, get feedback, and more.

As we build out the CSRB as an institution, I think that's a solid model.

The other issue is classification, and I’m with Tarah Wheeler on this: The CSRB does not need access to classified information, and having classified information reduces the transparency that’s essential to building credibility. Information about how a system was attacked will generally not be classified. (If it’s a private sector system, it’s almost certainly not classified.) Information about who or why might be available in classified form, but the CSRB probably doesn’t need to answer “whodunnit” to find lessons that are generally applicable. It would be fine to say “The NSA informed us that a highly capable foreign power did this, and we relied on that information as we made these following assessments.”

More, it’s reasonable to think information about how a system was attacked should not be classified. The formal bar for classification is that the release of the information would damage national security. (There are, as I understand it, other protections for law enforcement investigations which are separate from the classification system.)

The attacker already knew about the means they used to attack, and they’re probably using that knowledge against other targets. Making that information widely available quickly is essential to adapting to attacks, increasing costs to attackers, and informing effective defense. Classification is in active conflict with each of those goals.

Other attackers might not have known about it, but I would hope that the specific route is rapidly addressed. (And as CISA says, “Attackers are doing fine without roadmaps.”) So the information most useful to the CSRB probably does not meet the bar for either classification or remaining classified. Overclassification is a well-understood problem in Washington. The CSRB should be protected from it.