Tarah Wheeler – Written Testimony for The Cyber Safety Review Board:
Expectations, Outcomes, and Enduring Questions - Committee on Homeland
Security & Governmental Affairs.
Chair Peters, Ranking Member Paul, and members of the Committee, I am honored to
have been invited to speak with you today.
The Cyber Safety Review Board (CSRB) should be a critical line in our defenses
against PRC and Russian cyber attacks. It does not yet have the power to be, and I’d
like to speak to you today about how it could play a vital role in not only shoring up our
defenses but supporting key sectors of American business.
You heard in my bio a moment ago that I’m a student pilot. It’s part of the reason I, Rob
Knake, and Adam Shostack and over 70 experts collaborated on the Aviation Lessons
Learned project [1] at Harvard’s Belfer Center several years ago to examine how the
National Transportation Safety Board could be used as a pattern for a similar cyber
incidents investigation board. My crossover experience from both cybersecurity and
aviation has equipped me with some analogies that help to illustrate what the best
version of a Cyber Safety Review Board could be.
Let me tell you what I think the CSRB should be, and then explain why I think these
things.
● The CSRB should be a full-time, independent, non-partisan board with the clear
support of Congress for its fact-finding and analytical missions.
● The CSRB should have more than 5 staffers. It needs technical staff who are
able to work side by side with organizations that have been attacked.
● The CSRB should have a formal system by which industry can participate in a
helpful but constrained way.
● The CSRB should have subpoena power, which it would rarely use.
● The CSRB should operate only in the civilian, non-classified world. Defense and
intelligence information that the CSRB needs should be declassified before it
reaches the board.
The CSRB was inspired by and is regularly compared to the National Transportation
Safety Board (NTSB). I’ve been on the front lines of major cybersecurity incidents, and
I’m currently trying to help the bottom half of American small businesses enter the
[1] Rob Knake, Adam Shostack, and Tarah Wheeler, “Learning from Cyber Incidents: Adapting Aviation
Safety Models to Cybersecurity,” Belfer Center for Science and International Affairs, Harvard Kennedy
School, November 12, 2021,
https://www.belfercenter.org/publication/learning-cyber-incidents-adapting-aviation-safety-models-cybersecurity.