Rep. Ritchie Torres (D-N.Y.) plans to introduce a bill to codify the Cyber Safety Review Board (CSRB) in the wake of a CrowdStrike IT meltdown that led to widespread chaos across U.S. and global computer systems.
“When a cyber event happens, be it an attack or an accident, there should be an automatic process by which the federal government investigates the causes, learns from the failures, and translates the lessons learned into public policy,” Torres told The Hill.
President Biden created the Cyber Safety Review Board in 2022 through an executive order. The CSRB is modeled after the National Transportation Security Board, which investigates transportation-related incidents and issues reports, findings, and recommendations.
“In the wake of the widespread outages that have shaken the global economy, I am introducing legislation that would codify in statute the Cyber Safety Review Board so that no future presidential administration could abolish it,” Torres said.
According to Torres, codifying the CSRB will “bolster” what the president’s executive order originally hoped to accomplish. He added that the CrowdStrike incident demonstrated that the U.S. needs a more empowered and proactive CSRB.
On Friday, Torres also sent a letter to the Department of Homeland Security calling on the department to conduct a joint investigation of this software update failure and the impact it has had on American civilian infrastructure.
“At a time when cyberattacks are rising in both scope and sophistication, modernizing our local, state and federal cybersecurity systems is paramount, and ensuring they are able to not only accept the software update, but to function after the update is the bare minimum,” he wrote in the letter.
The CSRB has issued three reports since its creation, which Torres points to as evidence for why Congress should codify the board as a permanent body.
Much of the world’s computer infrastructure was in disarray Friday after an update by CrowdStrike, a cybersecurity firm that provides software to scores of companies worldwide, went wrong. The outage affected companies and services across industries, grounding flights, knocking banks and hospital systems offline, and taking media outlets off the air.
The company says the problem occurred when it deployed a faulty update to computers running Microsoft Windows, noting that the issue behind the outage was not a security incident or cyberattack.
“I wanna start with saying we’re deeply sorry for the impact that we’ve caused to customers, to travelers, to anyone affected by this, including our company,” CrowdStrike CEO George Kurtz said in an interview on NBC’s “Today” show.
“So, we know what the issue is. We’re resolving and have resolved the issue. Now it’s recovering systems that are out there.”
The U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency released a statement saying that they are “working with CrowdStrike, Microsoft and our federal, state, local and critical infrastructure partners to fully assess and address system outages.”