Trump has fired a major cyber security investigations body. It’s a risky move
- Written by Toby Murray, Professor of Cybersecurity, School of Computing and Information Systems, The University of Melbourne
Before the end of its first full day of operations, the new Trump administration gutted all advisory panels for the Department of Homeland Security. Among these was the well-respected Cyber Safety Review Board, or CSRB.
While this change hasn’t received as much notice as Trump’s massive announcement about AI[1], it has potentially significant implications for cyber security. The CSRB is an important source of information for governments and businesses trying to protect themselves from cyber threats.
This change also throws into doubt the board’s current activities. These include an ongoing investigation into the Salt Typhoon cyber attacks which began as early as 2022[2] and are still keeping cyber defenders busy[3], attributed to hackers in China.
Salt Typhoon has been described as the “worst telecommunications hack[4]” in US history. Among other activities, the hackers obtained call records data made by high-profile individuals and even the contents of phone calls and text messages[5]. The phones of then presidential nominee Donald Trump were reportedly among those targeted[6].
What does the Cyber Safety Review Board do?
The board was established three years ago by the Biden administration. Roughly speaking, its job is the cyberspace equivalent of government air traffic investigation bodies such as the US National Transportation Safety Board, or the Australian Transport Safety Bureau.
The CSRB investigates major cyber security incidents. Its job is to determine their causes and recommend ways government and businesses can better protect themselves, including on how to prevent similar incidents in future.
Its members include global cyber security luminaries from industry, such as cyber executives from Google and Microsoft, and US government leaders from several departments and agencies concerned with security.
The US CSRB has previously published three major reports. Its first covered the infamous 2021 Log4j vulnerability[7], described at the time[8] as the “single biggest, most critical vulnerability ever”. (A vulnerability is a weakness in a computer system that cyber criminals can exploit.)
The board’s most recent published investigation involved a very sophisticated hacking campaign[9] that targeted Microsoft’s cloud email services in 2023. As a result, hackers even gained access to the emails of various US government agencies.
Cyber security experts widely consider the CSRB as a positive thing. Late last year, Australia even committed to establish its own version, the Cyber Incident Review Board[10].
At the time of writing, it’s unclear whether the CSRB will continue – perhaps with different membership – or whether its activities will cease entirely.
Either way, the decision to fire the board’s members[11] has significant security implications. It comes at a moment in history when cyber threats have never been more severe.
What is Salt Typhoon?
The CSRB has been investigating the Salt Typhoon hacking campaign. Salt Typhoon is the name Microsoft assigned to a sophisticated group of hackers believed to be operated by China’s Ministry of State Security. The ministry is somewhat like a combination of an intelligence agency and a secret police service.
Salt Typhoon is best known for hacking into several US telecommunication companies, first reported in August 2024[12]. In December, it came to light Salt Typhoon’s telco hacks may also have impacted countries beyond the US. American, Australian, Canadian and New Zealand authorities also jointly issued public guidance[13] to organisations to help defend against Salt Typhoon.
Salt Typhoon reportedly targeted prominent figures, including political leaders. The hackers’ goal appears to have been to collect intelligence, rather than cause damage.
For example, it has been reported[14] Salt Typhoon collected a list of all phone calls made near Washington DC, which could help them determine who was talking to whom in the US capital.
Salt Typhoon also reportedly[15] obtained a list of phone numbers wiretapped by the US Justice Department. This confirmed the fears of many people opposed to the government’s powers to lawfully wiretap citizens’ phones.
It is unclear why the hackers obtained that information. Some have speculated[16] it would identify which of their own operatives were being monitored by US law enforcement.
To say the Salt Typhoon revelations created waves[17] in government and cyber security circles is putting it mildly. Telecommunications are critical infrastructure, as well as highly valuable targets for intelligence collection.
The idea that foreign spies could burrow so deeply into the communication fabric of the US was unprecedented and disturbing.
In October 2024 the CSRB was tasked[18] with investigating Salt Typhoon’s activities.
An uncertain future
With the board now fired, the future of the Salt Typhoon investigation remains unclear.
A thorough and impartial investigation of the Salt Typhoon hacks, had it been allowed to run, was likely to have delivered highly valuable cyber security lessons. Those lessons are important for both US companies and those in Australia, which have also been the targets[20] of Chinese intelligence collection.
The future of the CSRB itself is now also in question. The board and its overseas equivalents serve a vital role in promoting cyber information-sharing that helps to improve best practices.
It is imperative these bodies are staffed with a diverse collection of impartial experts, able to carry out their work free from government and corporate interference.
It remains to be seen whether dissolving the current CSRB will be a gift to Chinese hackers (as some have claimed[21]), or simply a speed bump in the evolution of the board.
References
- ^ massive announcement about AI (theconversation.com)
- ^ began as early as 2022 (theconversation.com)
- ^ are still keeping cyber defenders busy (www.cybersecuritydive.com)
- ^ worst telecommunications hack (www.washingtonpost.com)
- ^ even the contents of phone calls and text messages (www.wsj.com)
- ^ reportedly among those targeted (www.nytimes.com)
- ^ Log4j vulnerability (en.wikipedia.org)
- ^ described at the time (www.wired.com)
- ^ very sophisticated hacking campaign (www.cisa.gov)
- ^ Cyber Incident Review Board (www.homeaffairs.gov.au)
- ^ fire the board’s members (www.darkreading.com)
- ^ first reported in August 2024 (www.washingtonpost.com)
- ^ public guidance (www.cisa.gov)
- ^ it has been reported (techcrunch.com)
- ^ reportedly (www.wsj.com)
- ^ Some have speculated (theconversation.com)
- ^ created waves (foreignpolicy.com)
- ^ tasked (federalnewsnetwork.com)
- ^ Tada Images/Shutterstock (www.shutterstock.com)
- ^ targets (www.abc.net.au)
- ^ some have claimed (www.theregister.com)
