For business leaders defending their organizations against criminal hackers and state-sponsored cyberattacks, allocating resources can feel like aiming at a moving target. Recent moves by the federal government, including the abrupt firing of members of a cyber advisory committee, could make the process more tricky, experts warn.
As President Donald Trump begins his second term in office, the new administration has caused waves by firing the members of the Cyber Safety Review Board (CSRB), a technical and non-partisan advisory of industry insiders, as well as ordering seemingly partisan changes to an intelligence oversight board, and putting a pause on federal health communications.
The government framed some of the moves as efforts to rid the committees of “agendas.” Critics of the moves see signs of politicization. Either way, the upshot for businesses is greater uncertainty and a disruption, at least temporarily, to important insight and information for protecting against cyberattacks.
Cybersecurity can be an “existential threat” to business similar to rising catastrophic weather events, said Padraic O’Reilly, co-founder of CyberSaint Security. Governments should be serving as a broker of information to lower that risk, he said, noting that he is “very concerned” about whether the Trump administration will replace the members or continue the CSRB.
“[Businesses are] doing their best to identify which particular threats are most essential to go after and swing resources to,” O’Reilly said. “That’s the biggest challenge in cybersecurity. There are thousands of alerts that come in. The challenge for risk teams, compliance teams…are which ones to go after?”
It’s a complex job as it is, and there are signs that companies may increasingly need to shoulder more of the burden on their own.
Brandon Wales, the former executive director at the Cybersecurity and Infrastructure Security Agency, warned at a House Homeland Security hearing last week that “business leaders, particularly in our nation’s critical infrastructure, need to understand that the government cannot save them from all threats.”
Wales spent around two decades at the DHS and is now vice-president of cybersecurity strategy at SentinelOne. Wales told lawmakers that “cyber risks are core business threats” and that it’s businesses that are “ultimately responsible for their security and resilience.”
Wales warned that if those business leaders are not already preparing for a crisis with China: “you’re late.”
Changing of the guard
Last year’s brazen hacks into U.S. telecommunication networks by the Chinese group dubbed Salt Typhoon are among the worst cyber-espionage campaigns in recent memory. The incident, which impacted up to 8 telecommunications firms, swept up meta-data of millions of Americans, and targeted Trump and other candidates during the 2024 presidential campaign, was a major area of focus for the Department of Homeland Security’s Cyber Safety Review Board.
The dismissal of the group’s members last week risks setting the clock back for gaining actionable insight into the attack on the private sector, according to experts.
When asked about the firings, a senior DHS official said that: “Effective immediately, the Department of Homeland Security will no longer tolerate any advisory committee which push agendas that attempt to undermine its national security mission, the President’s agenda or Constitutional rights of Americans.”
Modeled after the transportation industry’s own review process of major incidents, the CSRB was created by former President Biden’s executive order to investigate major cybersecurity incidents like the 2021 Chinese hacking into Microsoft Exchange Servers that served tens of thousands of businesses in the U.S. and U.K. The voluntary board is made up of technical and policy experts that investigate technical missteps or lax security practices, alongside non-binding recommendations on how to possibly avoid the next catastrophe.
The CSRB was established in 2021 and did face some critiques for the chosen investigations, but the concerns among experts were largely presented as growing pains with little questions around whether it should exist at all. “It’s very difficult to politicize technical matters,” O’Reilly said.
Also being closely watched by industry insiders is the future of the CISA, the agency tasked with assisting and informing businesses about cyber and physical risks. The agency caught political flack from the far-right for fighting foreign election disinformation which will likely result in drastic cuts in an already struggling federal cyber workforce.
House Homeland Security Committee Chairman Mark Green spent time at last week’s hearing advocating for legislation that would create new cybersecurity scholarship programs at community colleges and technical schools in exchange for government service as a way to beef up the struggling workforce. The Cyber PIVOTT Act, introduced last year, would create a sort of cyber Reserve Officer Training Corps to beef up CISA’s workforce.
Green said during the hearing that the U.S. has “played defense for too long and now it’s time to go on the offense.”
However, just how far the legislation will get remains to be seen. Department of Homeland Security Secretary Kristi Noem, appears to hold the opposite view, telling lawmakers during her confirmation hearing that she wants CISA to be “smaller, more nimble.” Noem was confirmed by Senators on Sunday in a 59-34 vote.