Why Eliminating the Cyber Safety Review Board Weakens Critical Infrastructure and Cyber Resilience


“It’s better to have cybersecurity and not need it than to need it and not have it.” – Anon

The Cyber Safety Review Board (CSRB) was established in 2021 under Executive Order 14028 to review significant cyber incidents, identify their root causes, and derive actionable recommendations to prevent recurrence. Its recent disbandment raises pressing concerns about the security of critical infrastructure. At a time when the average data breach costs organisations $4.35 million, and a ransomware breach $4.54 million (IBM, 2022), the absence of a body like the CSRB leaves a gap in national cybersecurity strategy: no one is charged with turning individual incidents into lessons for every sector.

This article examines the consequences of the CSRB’s dissolution through real-world case studies and offers a path forward to address its absence.

Case Studies: Lessons from Past Incidents

The Colonial Pipeline Ransomware Attack

The May 2021 Colonial Pipeline incident remains a textbook example of how a single breach can escalate into a national crisis. The DarkSide ransomware operators got in with a compromised password for a legacy VPN account that was still active and not protected by multi-factor authentication. Once the ransomware hit Colonial's IT systems, the company shut down pipeline operations as a precaution, halting a pipeline that carries roughly 45 percent of the East Coast's fuel supply.

The shutdown caused panic-buying, long fuel lines, and economic losses across multiple states. Colonial Pipeline paid a ransom of roughly $4.4 million in Bitcoin (the US Department of Justice later recovered about $2.3 million of it), a price that shows how expensive a single unprotected remote-access account can become.

  • Lessons Learned:
    • Coordination Is Key: A central review body like the CSRB could have produced a single, public root-cause analysis of the incident and turned it into concrete recommendations for the whole energy sector, such as retiring unused accounts and enforcing MFA on every remote-access path.
    • Proactive Security Measures Save Costs: As highlighted by Tessian’s analysis of IBM’s 2022 Cost of a Data Breach Report, organisations with an incident response team and a regularly tested plan saved an average of $2.66 million per breach compared with those that had neither.

(References: IBM, 2022; ResearchGate, 2022)

Scottish Water’s TeslaCrypt Ransomware Attack

Scottish Water fell victim to a then-new variant of the TeslaCrypt ransomware, one that signature-based antivirus did not yet detect, delivered through a phishing email containing a malicious link. Once the link was clicked, the malware began encrypting files across the organisation and demanded a ransom in Bitcoin.

Scottish Water’s Cyber Threat Intelligence (CTI) service, run by Fujitsu, quickly identified the threat, contained the malware, and worked with Symantec to block further infections. The incident was reported promptly to the Drinking Water Quality Regulator for Scotland (DWQR) and escalated to the National Cyber Security Centre (NCSC).

  • Lessons Learned:
    • Unknown Malware Variants Require Continuous Monitoring: Antivirus signatures were up to date, yet the new variant still got past them; detection came from continuous monitoring and threat intelligence, not from the signature layer.
    • Coordinated Reporting Frameworks Work: The rapid involvement of DWQR and NCSC highlights the importance of structured incident reporting.

(References: Fujitsu Case Study)

The Fallout of Disbandment

The CSRB’s absence is likely to exacerbate existing vulnerabilities:

  1. Delayed Responses and Fragmented Learning:

Without a centralised entity, critical lessons from incidents like Colonial Pipeline and Scottish Water will remain siloed, delaying responses and limiting cross-sector improvement.

  2. Rising Supply Chain Risks:

The 2020 SolarWinds compromise demonstrated how a single compromised software supplier ripples across every industry that depends on it. Supply-chain incidents are exactly the kind of cross-sector event a unified review body exists for: the CSRB’s first review, published in 2022, examined the Log4j vulnerability, a flaw in one open-source library that affected software in every sector. Without such a body, no one is charged with tracing these risks across organisational boundaries.

  3. Loss of Institutional Memory:

The CSRB was a repository for cybersecurity insights. Its dissolution risks the loss of long-term knowledge crucial for addressing evolving threats.

  4. Increased Geopolitical Vulnerabilities:

State-sponsored actors backed by China and Russia continue to target critical infrastructure. Coordinated oversight is vital to anticipate and counter such campaigns effectively.

A Path Forward: Reimagining the CSRB

To address the void left by the CSRB’s disbandment, we need a regulator that strikes a balance—one with enough authority to ensure security is not sacrificed for innovation but without the overreach that stifles progress, as seen in certain heavily regulated markets like the European Union.

The CSRB was envisioned as the National Transportation Safety Board (NTSB) for the information highway—a central agency with investigative and intervention powers to analyse breaches, identify vulnerabilities, and recommend improvements. Without such a body, the digital landscape risks becoming a free-for-all where no one investigates the “crashes” or fixes the “planes.” Here’s how a reimagined CSRB could fulfil this critical role:

  1. Adopt a “Just Enough Regulation” Approach:

The regulator must focus on enabling innovation while ensuring accountability. This means creating frameworks that encourage organisations to adopt proactive security measures without imposing burdensome compliance requirements that hinder growth.

  2. Empower Investigative and Intervention Capabilities:

A reimagined CSRB should have the authority to investigate breaches comprehensively, identify root causes, and mandate necessary changes. Think of it as a proactive safety mechanism, not a punitive bureaucracy.

  3. Enhance Collaboration with Private Entities:

Corporations are the engines of innovation, but unchecked innovation can lead to security lapses. By fostering partnerships between the regulator and private enterprises, the CSRB can ensure both parties work towards shared security goals. For instance, companies could share anonymised threat data in exchange for tailored recommendations from the CSRB.

  4. Provide Clear and Actionable Guidance:

As the NTSB provides precise recommendations to improve aviation safety, the CSRB should develop actionable guidelines for industries based on incident reviews. These guidelines would help organisations bolster defences without overhauling their operations unnecessarily.

  5. Focus on Prevention, Not Punishment:

The goal should be to reduce the frequency and impact of cyber incidents, not to penalise organisations post-breach. By maintaining a non-adversarial relationship with businesses, the CSRB can ensure its focus remains on systemic improvement.

A reimagined CSRB is not just about oversight—it’s about creating a safety net for the information highway, where innovation thrives within a secure and resilient ecosystem. It’s time to bring this vision back, balancing innovation with the need for proactive security.

Conclusion

The disbandment of the CSRB creates a vacuum in national cybersecurity. Incidents like Colonial Pipeline and Scottish Water illustrate the critical role a unified body plays in coordinating responses, analysing systemic vulnerabilities, and safeguarding critical infrastructure. Reinstating or reimagining the CSRB is not merely an option—it’s a necessity to protect our interconnected digital ecosystem.

References and Further Reading

IBM. Cost of a Data Breach Report (2022).

ICO. Incident Reporting Guidelines (2024).

ResearchGate. Ransomware Attacks on Critical Infrastructure: A Study of the Colonial Pipeline Incident (2022).

Lepide. Colonial Pipeline Attack Case Study.

Fujitsu. Scottish Water Case Study.

Editor’s Note: This article is solely the opinion of the author, and publication in Cyber Defense Magazine does not imply endorsement of the content. We bring it to our readers as one side of the ongoing discussion on the necessity of continuing the Cyber Safety Review Board as part of CISA. Others say that the CSRB is not a “regulator,” and that CISA itself already has the authority and resources to conduct the stated functions of the CSRB.

About the Author

Ramkumar Sundarakalatharan is the Co-Founder & CEO of Zerberus Technologies, a cutting-edge cybersecurity firm dedicated to simplifying automated security monitoring and compliance adherence. As an Information Security Researcher at the Royal Holloway, University of London, Ramkumar combines academic rigour with practical expertise to drive innovation in the cybersecurity landscape.

With over 20 years of experience spanning startups and multinational corporations, he is a recognised leader in cybersecurity strategy, Critical National Infrastructure (CNI) security, and governance frameworks. Ramkumar has developed and patented several groundbreaking technologies in automated threat detection and compliance adherence, contributing to the industry’s evolution in safeguarding digital ecosystems.

An advocate for aligning cybersecurity with business value, Ramkumar has worked across diverse domains, from securing large-scale cloud architectures to advising enterprises on achieving ISO, PCI DSS, and SOC2 certifications. He is passionate about fostering resilience against emerging threats while enabling organisations to innovate securely.

You can connect with Ramkumar on LinkedIn, explore his insights on his blog Nocturnalknight.co, or learn more about his company at Zerberus.ai.
