Australia Just Built the Cyber Review Board the U.S. Disbanded — and Gave It a Power the U.S. Version Never Had
On Friday, May 1, 2026, Australian Home Affairs and Cyber Security Minister Tony Burke announced the establishment of the Cyber Incident Review Board, a seven-member statutory body modeled on the U.S. Cyber Safety Review Board the Trump administration disbanded mid-investigation in January 2025. Australia's version is chaired by Telstra's global CISO Narelle Devine and has one capability the U.S. board never possessed: statutory power to compel information from organizations that decline to cooperate. The first incident-review reference has not yet been made.
Tony Burke MP, in his capacity as Minister for Home Affairs, Cyber Security and the Arts, announced the seven appointments to the Cyber Incident Review Board (CIRB) on May 1, 2026. The board is established under Australia's Cyber Security Act 2024 as an independent statutory advisory body charged with conducting "no-fault, post-incident reviews of significant cybersecurity incidents in Australia." The mandate is structurally distinct from regulatory enforcement: the CIRB's job is systemic lessons, not individual or corporate culpability. Reviews are referred by the National Cyber Security Coordinator, an impacted entity, or a member of the Board, and require the Minister's approval of the Terms of Reference.
The single most important fact in the announcement is the legal architecture, not the personnel. Per The Record's reporting, "unlike its U.S. counterpart, which relied entirely on voluntary cooperation, Australia's board can compel information from entities that decline to participate." This is the structural improvement Jeff Greene, the former Biden administration cyber official who helped establish the U.S. Cyber Safety Review Board (CSRB), specifically recommended in Lawfare after observing the U.S. board's reliance on voluntary cooperation. Australia adopted his recommendation. The U.S. did not — and then disbanded its board in January 2025 mid-investigation into the Salt Typhoon campaign against U.S. telecommunications networks.
Cyber Incident Review Board (CIRB) Profile

| Detail | Information |
|---|---|
| Announcement | Friday, May 1, 2026 by Tony Burke MP, Minister for Home Affairs, Cyber Security and the Arts |
| Statutory authority | Cyber Security Act 2024 (Australia) |
| Chair | Narelle Devine, Global Chief Information Security Officer, Telstra |
| Standing members | Prof. Debi Ashenden (UNSW Institute for Cyber Security), Valeska Bloch (Allens, Partner & Head of Cyber), Jessica Burleigh (Boeing Australia, CISO), Darren Kane (NBN Co, CSO), Berin Lautenbach (Toll Group, Global Head of Information Security), Nathan Morelli (SA Power Networks, Head of Cyber Security and IT Resilience) |
| Composition note | Majority female — a rarity at senior levels in cybersecurity |
| Mandate | No-fault, post-incident reviews of significant cyberattacks on Australian government and industry; systemic lessons, not culpability |
| Statutory threshold | Incident must have "seriously prejudiced the social or economic stability of Australia or its people, the defence of Australia or national security" (s46(3)) |
| Critical legal power | Statutory authority to compel information from entities that decline to participate — a power the U.S. CSRB never had |
| Referral pathways | National Cyber Security Coordinator, the impacted entity, or a Board member; Minister approves Terms of Reference |
| Operational support | Department of Home Affairs staff; Expert Panel may be convened for specific reviews |
| First review | Not yet announced |
The Compulsory-Information Power Is the Story
The U.S. Cyber Safety Review Board, established by President Biden's Executive Order 14028 on May 12, 2021 and formally constituted on February 3, 2022, was modeled on the National Transportation Safety Board (NTSB). It produced three reports during its operational life: on the Log4j vulnerability, on the Lapsus$ extortion group, and on the summer 2023 intrusion into Microsoft Exchange Online by the Chinese state-linked actor tracked as Storm-0558. The Microsoft report, which accused the company of "a cascade of avoidable errors" that allowed the intruders to read the email of senior U.S. government officials, was the most consequential and the most controversial. The CSRB's structural weakness was that all of this work depended on voluntary cooperation. Companies that did not want to talk to the board did not have to.
Jeff Greene, who helped establish the U.S. board during the Biden administration, later wrote in Lawfare that the board's early reviews "fell short by failing to focus on a specific incident attributable to a single company's failures, limiting their ability to drive accountability," and, having watched how far reliance on voluntary cooperation limited the board, recommended statutory power to compel information as the fix. Australia adopted exactly that recommendation: within the limits of the Cyber Security Act 2024 and the ordinary Australian protections for legal professional privilege, the CIRB can compel the production of information and documents from organizations that decline to take part in a review. Where those limits sit has not been tested. No organization has yet contested a CIRB demand, because no review has yet been referred, and the boundary will only be drawn once one does.
One Greene recommendation Australia adopted only in part: the ability to change the board's composition for an individual review that needs specialist expertise. The CIRB's seven standing members are fixed by appointment; the Expert Panel mechanism can add specialists to a particular review but does not change who sits on the board. That is a structural choice with consequences. A review of, say, an OT/ICS attack on water infrastructure would benefit from rotating in subject-matter experts as full members; under the current architecture those experts can advise through the Expert Panel, but the seven standing members remain the board.
What the U.S. Disbanded, and Why It Matters Here
On January 21, 2025, Acting DHS Secretary Benjamine Huffman signed a memo disbanding the CSRB along with several other Biden-era advisory bodies. The stated rationale was to "eliminate misuse of resources" and prioritize national security efforts. At the time, the CSRB was in the middle of an investigation into Salt Typhoon, the Chinese intelligence operation that had compromised major U.S. telecommunications networks including AT&T, Verizon, and Lumen, and had reportedly reached the carriers' lawful-intercept systems. The disbandment ended that investigation. Members at the time included Heather Adkins of Google, CrowdStrike co-founder Dmitri Alperovitch, Chris Krebs of SentinelOne, and Rob Joyce, the former head of NSA's Cybersecurity Directorate.
Daniel Cuthbert, co-chair of the UK Cyber Security Advisory Board, called the disbandment "disappointing... especially given their work looking into Salt Typhoon. That report would have been vitally important for not just the U.S. but many others." That observation captures the international dimension. CSRB reports were a public good with cross-border value: U.S. defenders and allied-country defenders both relied on the board's findings. The Australian CIRB now occupies, partially, the institutional space the CSRB vacated. The two are not equivalent — the CIRB reviews Australian incidents — but the model exists and is operating.
The European Union has its own analogue under the Cyber Solidarity Act, which tasks ENISA with conducting post-incident reviews of significant cross-border attacks. ENISA has not yet exercised that function. The current ecosystem of post-incident review boards is therefore: Australia (CIRB, operational and statutorily empowered), EU (ENISA, established but unused), U.S. (CSRB, disbanded). Singapore, the UK, and Japan are reportedly considering similar mechanisms. CyberSignal's policy and government coverage tracks how these institutional choices accumulate into a global accountability framework.
The Board's Composition Is a Statement
The seven appointees are weighted toward critical infrastructure operators rather than academic researchers or pure-play threat intelligence firms. Telstra (telecommunications), NBN Co (national broadband), SA Power Networks (electricity distribution), Toll Group (logistics), Boeing Australia (aerospace), and Allens (legal services) cover sectors that have either been hit directly by a major Australian breach in recent years (Optus, in telecommunications) or operate the systems most likely to be targeted next. The other headline incident, Medibank, sat in health insurance, a sector with no seat on the board. UNSW's Institute for Cyber Security is the academic counterweight.
The majority-female composition is unusual at this seniority level in cybersecurity and is worth noting on its own terms. Narelle Devine, Debi Ashenden, Valeska Bloch, and Jessica Burleigh together constitute four of the seven seats. This is not the field's typical demographic distribution at CISO-and-above level; the deliberateness of the appointment is a governance signal independent of the structural-empowerment story.
Notably absent: a representative of the Australian Signals Directorate, the country's signals-intelligence agency, or any active intelligence-community participant. The CIRB's no-fault posture means it sits adjacent to, rather than inside, the intelligence apparatus. Whether that boundary holds during the first politically sensitive review — particularly one involving a state-sponsored actor — is the open question. The structural design makes the boundary clear; operational practice will test it.
What the First Review Will Reveal
The CIRB has not yet been referred a first incident. Several recent Australian breaches sit comfortably within its statutory threshold: the Medibank breach (2022, 9.7 million Australians' data exfiltrated), the Optus breach (2022, 9.8 million customer records), and any number of more recent infrastructure-targeting events. The Cyber Security Act's "seriously prejudiced the social or economic stability of Australia or its people" threshold is not high; the first reference is likely to come within months, not years.
The shape of that first review will tell defenders most of what they need to know about how the CIRB will operate in practice. Will the board exercise its compulsory-information power, or rely on voluntary cooperation as the U.S. CSRB did? Will it produce a report that names specific corporate failures, or focus narrowly on systemic lessons? Will it publish full findings or summary conclusions? Each answer is a precedent. The structural design is more aggressive than the U.S. model; whether the operational practice matches the statutory authority is what to watch.
Defender Actions for Australian and Multinational Organizations
- For organizations operating in Australia in critical infrastructure, telecommunications, financial services, healthcare, or energy: review your incident-response playbook for compatibility with CIRB review. Document your incident response in real time with the assumption that documentation will be reviewed. Engage legal counsel at incident outset — the CIRB's compulsory power does not override privilege, but the boundary will be litigated, and you want counsel involved before the question becomes contested. Pre-script communication protocols for board cooperation. Map your existing reporting obligations under the Security of Critical Infrastructure Act, the Privacy Act, and APRA prudential standards against the CIRB review process; expect overlap and potential conflict.
- For multinational CISOs: the global cyber-review-board landscape is now multi-jurisdictional. Australia (CIRB), EU (ENISA), and historically the U.S. (CSRB) represent three different models. Singapore, UK, and Japan are reportedly considering similar mechanisms. If your organization operates across jurisdictions, post-incident review obligations will stack — and an adverse finding in one jurisdiction may have cascading legal and reputational effects in others. Build a cross-jurisdictional incident-response governance model now, before the first multi-board review forces it.
- For board members and general counsel: the no-fault model is new in Australian statute, even though the NTSB and the U.S. CSRB used it before. The intent is to encourage cooperation; the practical effect on litigation, regulatory enforcement, and shareholder action is untested. Counsel should be involved in deciding what to share, when, and under what protections from the start of any incident touching CIRB jurisdiction. Treat the no-fault framing as a signal of intent, not as a guarantee against parallel action by ASIC, OAIC, APRA, or class-action plaintiffs.
- For U.S.-based federal-policy and government-relations teams: this story matters to the CSRB-reinstatement debate. Several Democratic senators have called for the U.S. board's restoration. Australia's launch — with structural improvements specifically designed to address the U.S. board's documented weaknesses — strengthens the case in the U.S. policy context. Engage with the relevant congressional offices and CISA leadership now if your organization has a position on this question.
- For practitioners watching the no-fault model emerge globally: track the first CIRB review carefully when it is announced. The shape of that review — what powers are exercised, what report is produced, what corporate response is documented — will set precedent for how every subsequent national incident-review board operates. The U.S. CSRB never resolved the voluntary-cooperation question; Australia's board will be the first to test whether statutory compulsion plus no-fault framing produce different outcomes than voluntary cooperation alone.
The CyberSignal Analysis
Signal 01 — The compulsory-information power changes incident-review economics
The U.S. CSRB's voluntary-cooperation model produced three reports in three years. Each required a target organization willing to engage. Microsoft's cooperation — itself partial and contested — made the most consequential CSRB report possible. A target that simply declined to participate could effectively block a review. Australia's design eliminates that possibility. A statutorily empowered board that can compel testimony and documents has fundamentally different leverage than one that has to ask. The implication for affected organizations is that the cost of a significant cyber incident in Australia now structurally includes review participation; that participation cannot be opted out of through corporate communications strategy. For board members and CISOs, this changes how to think about disclosure timing, internal investigation scope, and counsel engagement. The decision tree is no longer "talk to the board or not"; it is "talk to the board on what terms, in what sequence, with what counsel posture."
Signal 02 — The model is exportable, and other countries will copy it
Australia did not invent the post-incident-review concept — it imported it from the NTSB-modeled U.S. CSRB. What Australia added was the statutory teeth. That addition is now public, observable, and easy for other governments to replicate. Singapore, the UK, Japan, and the EU all have legislative environments capable of producing equivalent statutes. The disbandment of the U.S. CSRB has paradoxically made the Australian model more attractive: Western governments looking for a credible incident-review framework now have a working example that addressed the U.S. version's documented weaknesses. Within 24 months, expect at least two additional countries to launch CIRB-equivalents, probably with similar compulsory-information powers. Multinational CISOs who plan only for Australian compliance now will find themselves planning for parallel compliance in three or four jurisdictions by 2028.
Signal 03 — The U.S. policy gap is real and growing
The disbandment of the CSRB in January 2025 left a structural hole in the U.S. cybersecurity governance apparatus. Australia has now filled an analogous hole in its own apparatus, with structural improvements. The contrast is uncomfortable for U.S. policy stakeholders who argued that the CSRB was unnecessary or duplicative. Australia's CIRB demonstrates that an independent post-incident review board is a serviceable governance tool when properly empowered. The question for the U.S. is whether Congress will eventually legislate a successor to the CSRB — possibly with the compulsory-information power the original lacked — or whether the void will persist. The Australian launch will be cited in U.S. policy debates for years; the empirical record it produces will be evidence for or against the model's effectiveness. CISA leadership and congressional cyber staff should be tracking the CIRB's first review with significant interest.