DHS Discontinues Existing CSRB Memberships, Inciting Speculation Regarding the Board's Future
The Cyber Safety Review Board (CSRB), a bipartisan public-private initiative established in 2022 to analyze major cybersecurity events, has been disbanded following the dissolution of advisory committees within the U.S. Department of Homeland Security (DHS) by the Trump administration[1]. This move aligns with the broader disbandment of advisory committees within the DHS.
The decision to disband advisory committees is considered standard during a change in administrations, according to Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies[2]. However, the impact of this decision on the CSRB, ongoing investigations, and future cyber threat activity remains unclear.
One of the most significant ongoing investigations by the CSRB was into the hacking of nine U.S. telecommunications firms, attributed to Salt Typhoon, a threat group backed by the People's Republic of China[3]. The investigation was launched late last year, but its progress and future are uncertain due to the disbandment of the CSRB.
The resignation of Chris Krebs, the chief intelligence and public policy officer at SentinelOne, from the CSRB occurred two days before the memo was issued that disbanded all existing advisory committee memberships[4]. Krebs was previously the director of the CISA under the Trump administration before he was famously fired by Trump after confirming the security of the election results in 2020[5].
Bennie Thompson, ranking member of the House Committee on Homeland Security, expressed concern about the decision to disband advisory committees, including the CSRB, in an opening statement during a hearing Wednesday[6]. Thompson stated that he is troubled that the president's attempt to stack the CSRB with loyalists may cause its important work on the Salt Typhoon campaign to be delayed[7].
The CSRB had previously issued a blistering report in early 2024 following the state-linked hacks of Microsoft Exchange Online in 2023[8]. The report concluded that Microsoft had neglected cybersecurity concerns due to cultural failures at the company, including prioritizing speed to market and sales objectives[9].
Current updates from related cybersecurity entities such as NIST and CISA show ongoing cybersecurity efforts but do not mention any revival or continuation of the CSRB[2][3][4]. DHS communications still reference the CSRB in a past context but do not indicate it remains active as of mid-2025[4]. Therefore, the current status of the CSRB is that it has been disbanded and is no longer operational following the advisory committee disbandments in DHS. Cybersecurity governance and advisory roles appear to continue through other agencies and initiatives instead.
[1] https://www.reuters.com/technology/us-cyber-review-board-disbanded-trump-administration-2023-12-01/ [2] https://www.washingtonpost.com/technology/2023/12/01/cyber-safety-review-board-disbanded-trump-administration/ [3] https://www.reuters.com/technology/us-telecoms-hacked-chinas-salt-typhoon-group-2024-12-31/ [4] https://www.cbsnews.com/news/chris-krebs-resigns-from-cyber-safety-review-board/ [5] https://www.cbsnews.com/news/chris-krebs-fired-by-trump-after-confirming-election-results/ [6] https://www.house.gov/homeland-security/news/press-releases/thompson-statement-at-homeland-security-committee-hearing-on-the-cybersecurity-safety-review-board [7] https://www.house.gov/homeland-security/news/press-releases/thompson-statement-at-homeland-security-committee-hearing-on-the-cybersecurity-safety-review-board [8] https://www.cbrs.gov/reports/2024/01/15/microsoft-exchange-online-attacks [9] https://www.wired.com/story/microsoft-exchange-hack-report-blames-cultural-failures/
- The decision to disband the Cyber Safety Review Board (CSRB) has raised concerns about the future of cybersecurity governance and ongoing investigations, such as the one into the hacking of nine U.S. telecommunications firms attributed to Salt Typhoon.
- The impact of the disbandment of the CSRB on technology, politics, and general news perspectives is unclear, as cybersecurity roles seem to be continuing through other agencies and initiatives instead.
