Why dismantling the PCLOB and CSRB threatens privacy and national security

Among the many disruptive actions in the opening weeks of Trump’s second presidency was the decision to fire the Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), thus depriving the PCLOB of a quorum and blocking its continued operation. Equally problematic was the decision to disband the Cyber Safety Review Board (CSRB), terminating its operation and derailing its investigation of the Salt Typhoon hack of telecommunications providers.  

The PCLOB is an independent government agency with the “mission…[of] ensur[ing] that the federal government’s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties.” The CSRB is an advisory board that “review[s] and assess[es] significant cyber incidents and make[s] concrete recommendations that would drive improvements within the private and public sectors.”

Many Americans are understandably unfamiliar with these two government entities. With respect to the PCLOB, most of its public-facing activities come in the form of reports, which provide plain-spoken explanations and evaluations of often classified government surveillance programs and offer suggestions for privacy- and civil liberties-focused reforms of these programs. The CSRB’s public reports provide accessible explanations of security failures and other factors contributing to significant cyber incidents and suggest reforms to address security vulnerabilities and failures.

Both entities are part of a broader but ever-dwindling system of government oversight and independent analysis that has become a casualty in the wake of the new Trump administration. At the end of Trump’s first week in office, 18 inspectors general were fired. Their firing runs contrary to a law requiring that Congress be given 30 days’ advance notice when an inspector general is fired, along with evidence supporting the rationale and reasons given for the removal.

All these actions diminish government transparency and accountability. The firing of the inspectors general without the required notice to Congress also sends the message that this executive branch has little to no regard for co-equal branches of government. Senators from both parties raised concerns in a joint letter, but such statements appear to be the extent of their action—the Senate continues to confirm Trump administration nominees and disregard its own prerogatives.

Mark Greenblatt, a former inspector general of the Interior Department appointed during the first Trump administration, warned that these firings “rais[e] an existential threat with respect to the primary independent oversight function in the federal government…We have preserved the independence of inspectors general by making them not swing with every change in political party.”

Because the PCLOB and the CSRB are not common household names, it is worth discussing how their dismantling undermines Congress’ ability to engage in necessary government oversight and otherwise threatens the privacy and national security of American citizens.

The Privacy and Civil Liberties Oversight Board

The PCLOB is comprised of five Senate-confirmed members, no more than three of whom can be from the same party. All are appointed by the president for six-year terms and all but the chair, who is generally from the president’s party, serve in part-time positions. The PCLOB’s two-fold statutory mandate encompasses both oversight and advice. In its oversight role, the Board “review[s] the implementation of Executive Branch policies, procedures, regulations, and information—sharing practices relating to efforts to protect the nation from terrorism, in order to ensure that privacy and civil liberties are protected.”

In its advice role, the Board “review[s] proposed legislation, regulations, and policies related to efforts to protect the nation from terrorism (as well as the implementation of new and existing policies and legal authorities), in order to advise the President and Executive Branch agencies on ensuring that privacy and civil liberties are appropriately considered in their development and implementation.”

Some of the PCLOB’s most notable work began in the immediate aftermath of the 2013 intelligence disclosures by Edward Snowden. It examined a classified program under Section 215 of the PATRIOT Act involving the government’s bulk collection of records of domestic calls made in the United States. These records, which included the “date and time of a call, its duration, and the participating telephone numbers,” but not the content of communications, covered the calls of “most Americans on an ongoing basis.” The records were stored in a database to enable future searches by the National Security Agency for the purpose of determining if a phone number associated with a known terrorist or terrorist organization had any contact with individuals located in the United States.

Not only did the report explain the previously classified Section 215 program in a clear and accessible way, but it provided insight into the government’s legally questionable interpretation of the statute it claimed authorized the bulk collection. This interpretation was not apparent from a plain reading of the statute but had nonetheless been approved by the Foreign Intelligence Surveillance Court (FISC) in classified opinions not available to the public. (Some of these opinions were declassified following the Snowden disclosures). In May 2015, the Second Circuit ruled that Section 215 did not authorize the collection.

Congress ultimately took up the task of reforming Section 215 and passed the USA FREEDOM Act of 2015, which specifically prevents the government from engaging in bulk collection under Section 215. To enable the FISC to obtain views outside the Department of Justice when ruling on a Foreign Intelligence Surveillance Report (FISA) application that presents new or significant legal issues, the law established a mechanism and required the FISC to appoint an amicus curiae “to assist such court in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court issues a finding that such appointment is not appropriate.”

Five years later, Congress failed to renew Section 215, and the authority lapsed in 2020.

More recently, the PCLOB issued a report in September 2023 about Section 702 of FISA, a critical intelligence authority that enables the government to target non-U.S. persons located abroad and engage in the warrantless collection of communications. Although U.S. persons cannot be targeted, their communications can be collected incidentally when a foreign target is in communication with them. These communications are stored in government databases and can be queried with terms associated with U.S. persons. Querying with U.S. person identifiers is the most controversial element of Section 702, both because it may violate the Fourth Amendment, as one federal district court recently determined, and because there have been documented abuses of the FBI’s querying practices.

Section 702 was set to expire on December 31, 2023, prompting the Board to perform a yeoman’s task of explaining a complicated and controversial surveillance authority in an unclassified format, along with offering their views on the privacy risks created by Section 702, along with how the authority should be reformed by Congress to address these risks and the unlawful querying practices.

To be clear, there was not agreement among all PCLOB members, with only the three Democratic members signing the report—the two Republican members refused to sign, issuing their own analysis and set of recommendations. The views expressed by the two Republican members were more aligned with the Biden administration’s position on Section 702 reauthorization, and the views expressed by the Democratic PCLOB members were much more aligned with a coalition of Democratic civil libertarians and Republican MAGA members in the House of Representatives.

Because surveillance issues do not divide reliably down party lines, both sides of the aisle can benefit from clear, unclassified explanations of surveillance programs along with PCLOB member views, whether unanimous or not, on how surveillance authorities should be reformed.

During the last 702 reauthorization, Congress not only passed limited reforms aimed at preventing further abuses of U.S. person querying, but also expanded the reach of Section 702. The reauthorization was a rocky road—the expansion was controversial, and not all members of Congress thought the reforms were sufficient.

Section 702 is set to expire in April of 2026, once again requiring congressional reauthorization to prevent the authority from lapsing. The PCLOB opened a new 702 project while it still had a quorum, indicating its intention to provide analysis and member views about whether the FBI had adequately addressed the previously identified abuses in addition to other issues relevant to reauthorization. Without a three-member quorum, the only options available are a staff report or a report issued by the one remaining member (the single Republican member in place when President Trump took office was not fired) containing her own views. The significance of either of these options must be distinguished from the value provided by a Board report containing the views of at least three members. 

The Cyber Safety Review Board

The CSRB is a young entity that reviews significant cyber incidents and makes recommendations designed to drive security improvements in the public and private sectors. First stood up during the Biden administration via executive order under the authority given to the president by the Homeland Security Act of 2022 (see 6 U.S.C. 451), the CSRB includes members drawn from both the government and the private sector, without regard to their political affiliations.

The CSRB’s work, which is solely advisory, enables transparency, analysis, and accounting for cyber intrusions that implicate the national security interests of the United States. In 2024, the CSRB issued a report on the Summer 2023 Microsoft Online Exchange Intrusion. This intrusion involved a threat actor linked to China, known as Storm-0558, which compromised the Microsoft Exchange Online mailboxes of a range of victims in the United States and the United Kingdom.

In the United States, Strom-0558 accessed accounts in the U.S. Department of State, U.S. Department of Commerce, and the U.S. House of Representatives. Significantly, “senior officials [that] ha[d] substantial responsibilities for many aspects of the U.S. government’s bilateral relationship” with China had their “official and personal mailboxes” compromised. These officials included U.S. Commerce Secretary Gina Raimondo, Congressman Don Bacon, U.S. Ambassador to China R. Nicholas Burns, and Assistant Secretary of State for East Asian and Pacific Affairs Daniel Kritenbrink, among others. Moreover, Storm-0558 “had access to some of these cloud-based mailboxes for at least six weeks,” during which “the threat actor downloaded approximately 60,000 emails from State Department alone.” In the words of the CSRB, Storm-0558 “struck the espionage equivalent of gold.”

The CSRB conducted a “deep fact-finding” around the incident and concluded that it had been “preventable and should never have occurred,” indicating “it was able to succeed because of a cascade of security failures at Microsoft.” It provided a long list of recommendations—some that focused upon Microsoft specifically, others upon cloud service providers more generally, still others upon different government agencies, and some that applied to entities from each of these categories. In response, Microsoft Vice Chair and President Brad Smith “accept[ed] responsibility for each and every one of the issues cited in the CSRB’s report,” indicating that the company was “taking action to address every one of the CSRB’s recommendations applicable to Microsoft.”

These kinds of fact-finding investigations are critical to public safety and national security. Consider that during the second week of the new Trump administration, a Blackhawk helicopter tragically collided with a commercial airliner as the plane made its landing approach at Reagan National Airport, killing everyone onboard both aircraft. The National Transportation Safety Board is investigating the cause of the crash. It would be unacceptable for any president or administration to interfere with or shut down such an investigation, and doing so would rightly spark public outcry. A thorough and independent review of the facts and circumstances is essential.

When the United States is the victim of a significant cyber intrusion, the harms are never as visible as two aircraft colliding. It can take weeks or months for government and private sector entities to determine the scope of the intrusion, and the impact and ramifications of the intrusion may take years to play out and assess. It can also be difficult to determine whether an intruder remains hidden somewhere inside a network thus difficult to expel.

When President Trump took office the second time, the CSRB was in the process of investigating a significant hack of U.S. telecommunications providers by the Chinese hacking group Salt Typhoon.

Senator Mark Warner (D-Va.), vice chairman of the Senate Select Committee on Intelligence, called the intrusion the “worst telecom hack in our nation’s history.”

Public reporting and analysis about the hack has been limited, but one noteworthy element concerns China’s access to “a nearly complete list of phone numbers the Justice Department monitors in its ‘lawful intercept’ system,” which would include those individuals that are under wiretap surveillance because they are suspected of committing serious crimes like espionage. From a counterintelligence perspective, “the penetration almost certainly gave China a road map to discover which of China’s spies the United States has identified and which they have missed.”

With the discovery that certain senior national security officials and political leaders were targeted, the FBI concluded that “the Salt Typhoon hackers were so deep in the system that they could actually listen in to some conversations and read some unencrypted text messages.” There is also evidence that the intrusion went beyond telecommunications companies, compromising some internet service providers and “potentially allowing the Chinese to read some email.”

There are likely multiple vulnerabilities that allowed the Chinese to exploit U.S. networks. One that has been discussed is the so-called “lawful access” wiretapping system itself, created in response to the 1994 Communications Assistance for Law Enforcement Access Act, which “was intended to give law enforcement wiretapping capabilities as digital switching technologies were making older methods obsolete.”

In early December 2024, House Committee on Homeland Security Chairman Mark E. Green, MD (R-Tenn.) issued a statement in advance of the CSRB beginning its investigation:

[T]he Board’s members have an immense task ahead of them. There is no doubt that a nation-state sponsored intrusion of this scale and sophistication into internet service providers is unprecedented and unnerving…There is bipartisan concern—and frustration—in Congress about the shocking extent of the [Communist Chinese Party] CCP-affiliated threat actor’s ongoing access to sensitive data.

The disbanding of the CSRB has, however, stopped its investigation of the Salt Typhoon hack, which presumably would have included an examination and analysis of how and why the hack occurred. It is unclear whether a comprehensive, rigorous fact-finding and analysis along the lines of the CSRB investigation of the 2023 Microsoft Online Exchange Intrusion will ever happen.

While most Americans may never have heard of the PCLOB or CSRB, the dismantling of these entities compromises the privacy and national security interests of the American public. It robs Congress of critical information it needs to engage in oversight and legislative action and has become part of a larger set of Trump administration actions that are destroying the ability of the government to protect and serve the American people.