The next stage of the Biden administration’s collaboration with cyber firms could involve giving certain tech executives special investigatory powers, depending on congressional action.
The Biden administration wants Congress to make a federal board of cyber investigators permanent, but many questions linger about what authority to give the investigators — some of whom work full-time in the private sector.
President Biden created the Cyber Safety Review Board to investigate devastating hacks via a 2021 executive order.
Mr. Biden has asked Congress to make the board an enduring fixture of government beyond individual cyberattacks and the Department of Homeland Security wants the board members to have subpoena power, according to Sen. Maggie Hassan, New Hampshire Democrat.
The Senate Homeland Security and Governmental Affairs Committee is reviewing whether to make Mr. Biden’s desired changes to the board.
The 15-person board’s membership includes executives from businesses such as Google and Palo Alto Networks. Other tech companies have concerns that businesses’ participation on the board can create an unfair competitive advantage for board members, according to the Information Technology Industry Council’s John Miller.
“If the CSRB is going to continue to have private sector members on its board, even if you insulate them from the decision-making process as to whether to issue a subpoena, it does, at the very least, create some apparent conflicts of interest when you have members of the private sector subpoenaing other members of the private sector who might be competitors,” he said at a committee hearing.
Mr. Miller told senators on Wednesday that giving the board new authority would disrupt tech companies’ collaborative partnerships with federal cyber officials and create adversarial relationships with those overseeing the investigators.
The Atlantic Council’s Trey Herr disagreed with Mr. Miller and told lawmakers that new subpoena powers for public and private cyber investigators would benefit the country.
“For the board’s ability to investigate large, complex incidents where there is profit motive to protect, potentially, some of that information at play, and this committee and others have seen the challenge in investigating complex issues within the technology industry, the subpoena can be a basic and useful mechanism,” Mr. Herr said.
Eliminating potential conflicts of interest from the board’s membership will likely prove difficult given the work histories of cybersecurity defenders who move between the government and the private sector and because of the government clients relying on top cyber firms.
The board’s members must include representatives from federal agencies, including the Department of Defense, National Security Agency, and FBI, among others, according to its charter. Private sector members are added via appointment from the Cybersecurity and Infrastructure Security Agency’s director.
The board’s charter said the CISA director may also invite others outside the board to participate on a case-by-case basis.
Preventing tech companies from wielding investigatory power to swipe corporate secrets is a challenge lawmakers have not yet decided precisely how to address.
Tarah Wheeler, CEO of cybersecurity compliance company Red Queen Dynamics, told lawmakers on Wednesday that a recusal mechanism ought to be established for private businesses’ representatives on the board.
“People who are directly involved with, and who could profit from, an investigation that is being targeted at one of their competitors, I believe, must experience a recusal process,” Ms. Wheeler said. “This isn’t a perfect way to go about it, but I think that that is a bare minimum.”
The Cyber Safety Review Board’s first report examined problems with the open-source logging platform Log4J and the board’s second investigation dug into extortionist hackers known as Lapsus$.
The board is actively probing cloud computing security following breaches of Microsoft services disclosed last year.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.