Following President Biden's cybersecurity executive order issued last May, the Department of Homeland Security (DHS) announced on February 3 the creation of the Cyber Safety Review Board (CSRB). This public-private initiative is charged with reviewing and assessing significant cybersecurity incidents across government and the private sector. "The CSRB will provide a unique forum for collaboration between government and private sector leaders who will deliver strategic recommendations to the President and the Secretary of Homeland Security," DHS said in its announcement.

The CSRB will start with 15 top cybersecurity leaders from the federal government and the private sector, including Robert Silvers, DHS undersecretary for policy, who will serve as chair, and Heather Adkins, Google's senior director for security engineering, who will serve as deputy chair. DHS's Cybersecurity and Infrastructure Security Agency (CISA) will manage, support and fund the board. CISA Director Jen Easterly is responsible for appointing CSRB members, in consultation with Silvers, and for convening the board following significant cybersecurity events.

Other board members include several cybersecurity industry luminaries: Dmitri Alperovitch, co-founder and chairman, Silverado Policy Accelerator, and co-founder and former CTO, CrowdStrike; Katie Moussouris, founder and CEO, Luta Security; Chris Novak, co-founder and managing director, Verizon Threat Research Advisory Center; Tony Sager, senior vice president and chief evangelist, Center for Internet Security; Kemba Walden, assistant general counsel, Digital Crimes Unit, Microsoft; and Wendi Whitmore, senior vice president, Unit 42, Palo Alto Networks.

According to the CSRB's charter, the board's duties are solely advisory. Meetings will be held at the direction of CISA's director following a cybersecurity incident serious enough to trigger the creation of a Unified Coordination Group (UCG), the interagency body formed to respond to a significant cyber incident. The estimated annual cost of operating the CSRB is approximately $2.8 million, including administrative expenses, contract support, and five full-time employees.

DHS says the CSRB's first review will focus on the vulnerabilities discovered in late 2021 in the widely used open-source Log4j software library. It's worth noting that Biden's executive order stipulated that the board's initial review "shall relate to the cyber activities that prompted the establishment of a UCG in December 2020," referring to the damaging SolarWinds supply chain compromise.

NTSB is an imperfect comparison

Officials have said that the CSRB is loosely modeled on the National Transportation Safety Board (NTSB), the independent federal agency that investigates transportation accidents such as airplane crashes and train derailments. However, some experts think the NTSB model is an imperfect comparison and highlight the distinct challenges and opportunities the CSRB faces as it seeks to better protect the nation's networks and infrastructure.

Suzanne Spaulding, a former DHS official and currently a senior adviser for homeland security at the Center for Strategic and International Studies (CSIS), tells CSO, "The NTSB is operating in a heavily regulated sector that appreciates [its role] and understands that without something like the NTSB, they would have a hard time getting people to climb into that metal tube hurling through the air at high speeds. Those conditions do not exist by and large in the world that the cybersecurity review board will be operating in."

Mike Danko, an aviation attorney who works closely with the NTSB, also highlights the lack of regulation in cybersecurity as a factor that distinguishes the CSRB from the NTSB. "We have an industry, aviation, that's highly regulated and where you have players who oftentimes are unhappy with the regulation, but nonetheless have some joint interest in safety," he tells CSO.

CSRB's investigative power is unclear

Another difference that sets the CSRB apart from the NTSB is that "they don't have subpoena authority," Spaulding says.

Gary Halbert, a partner at Holland & Knight, agrees that the CSRB appears to lack the investigative authority of the NTSB. "The NTSB has a fairly strong record of identifying causation, but they've got the ability to do the factual discovery that provides a basis on which to draw their conclusions," he tells CSO. "With this new entity, you wonder where are the factual investigations going to be conducted? Is it going to be conducted by existing agencies? I don't think this new entity has any type of investigative authority from the way it sounds."

Danko, however, says the NTSB rarely uses its subpoena power. "As far as I know, I've never been involved in a case where the NTSB has subpoenaed anyone." Among the reasons Danko cites for the NTSB's reluctance to invoke this power is that "it believes that subpoenaing or using that power is antithetical to getting the truth. Basically, it wants to go to a mechanic or supplier and say, 'Hey, what happened? This isn't under oath. We're not going to come after you. Don't worry about it. This is off the record.' And they feel that that is part of the process. Despite the fact that they can subpoena, they just don't."

Earning trust is crucial

Among the challenges the CSRB will face is earning the cybersecurity sector's trust. "They are going to have the challenge to earn the trust of the folks they're trying to work with, and that'll be critical," Spaulding says. "But they've got the right people. I think they can build trust."

Halbert says the NTSB earned the trust of the industry, Congress, and the American public slowly over time as it evolved into an independent agency with statutory and regulatory authority to gather evidence and information. The CSRB will need to "establish its reputation such that any findings or recommendations that come from its work will gain traction both within the government and with the private sector," he says.

"Everybody loves the NTSB," Danko says. "They come out after a crash, they speak well, they seem to know what they're doing. They're solemn, and they don't appear to have an ax to grind."

Funding could be a long-term problem

Another challenge over the long haul for the CSRB will be funding. The initial budget of $2.8 million won't go very far when the federal government is already struggling to recruit cybersecurity specialists who are offered substantial six-figure annual salaries by the private sector.

A lack of funding chronically hampers the work of the NTSB, Danko says. "When a plane crashes, what do you want to do? You want to secure the wreckage and put it in storage. They have no budget for that. They have to sweet talk some farmer to go out and pick up the wreckage and put it in his barn. There's no budget for anything."

If the board proves itself, it might be able to secure more funding from Congress, or at least more authority, in the years ahead. Halbert says it would not surprise him if the CSRB were eventually granted more power: "It would not surprise me as…Congress gets a chance to observe how this new entity does its work [and] concludes that its authorities, so to speak, are not adequate for the task."