The cybersecurity agency within the Department of Homeland Security is seeking subpoena power to protect critical infrastructure.
Speaking at the FireEye Defense Summit Oct. 10, Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency, said that his agency wants the ability to compel internet service providers to give his agency the contact information of customers who operate critical infrastructure that CISA identifies as having known vulnerabilities.
Krebs said that CISA wants to be able to notify users running critical infrastructure systems, like industrial control systems, of vulnerabilities in their system that the agency identifies through its scanning systems. Right now, CISA can identify the user IP addresses but can’t do anything about it because IP addresses don’t pinpoint locations and users.
“What we want to be able to do is if we can’t resolve the issue through any other way, then we should be able to go to an ISP and say, ‘We’re concerned about this, can you provide us your customer contact information so we can go let them know that they have whatever [internet] port open or are running a vulnerable system,'” Krebs said. "
Under current law, ISPs cannot voluntarily turn over information to the government. But Krebs said there’s an exception in the law that ISPs can turn information to if served with an administrative subpoena by an authorized federal agency. CISA wants to be one of those federal agencies.
“We need to be able to go to the ISP and say ‘Look, we need some help getting to this person, can you help us?'” said Krebs.
However, the proposal raises privacy concerns among experts, according to TechCrunch, which first reported the story.
Krebs stressed to reporters that CISA is looking at a “lawful process."
“This not about ... the average user,” Krebs said. "This is about hard critical infrastructure and known vulnerabilities and risks.”
CISA is working with its oversight committees in the House and Senate on the legislation. According to the Congressional Research Service, administrative subpoenas allow for agencies to acquire documents “in aid of the agencies’ performance of their duties."
“It will be a game-changer in terms of really taking a proactive, risk-resilience building steps,” Krebs said.