A new bill introduced in the Senate Dec. 12 would allow the Department of Homeland Security’s cyber unit to subpoena internet service providers for customer information.
The bipartisan legislation, introduced by Sens. Ron Johnson, R-Wis., and Maggie Hassan, D-N.H., would give the Cybersecurity and Infrastructure Security Agency (CISA) the authority to compel ISPs to provide information on customers that CISA has identified as operating vulnerable critical infrastructure.
“This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim,” said Johnson in a statement.
Under the legislation, CISA would receive the power to “detect, identify and receive” information about critical infrastructure systems, only for cybersecurity purposes, through administrative subpoenas. If enacted, CISA would have to notify the owner of the critical infrastructure within one week of receiving the information. After six months, CISA must destroy it.
Administrative subpoenas allow agencies to acquire documents that further their ability to achieve their mission. Currently operating without this authority, CISA has been receiving tips on vulnerabilities but lacks the ability to warn the affected owners.
“The bipartisan bill we are introducing today helps to ensure that if CISA finds a vulnerability, it has the tools and information it needs to reach out to the entity maintaining the system,” Hassan said in a statement.
When CISA Director Chris Krebs first acknowledged that his agency was talking to its oversight committees about the legislation, it prompted pushback from privacy advocates about the implications of giving CISA such authority, as reported by TechCrunch. The news release stressed that the authority that would be handed to CISA is “limited,” with Hassan trying to assuage those concerns in her statement.
“Importantly, our bill is narrowly tailored to protect the privacy rights of all entities, giving CISA only the bare minimum of information necessary,” she said.
In October, Krebs said that the authority would be a “game-changer” for promoting resiliency.
“What we want to be able to do is if we can’t resolve the issue through any other way, then we should be able to go to an ISP and say, ‘We’re concerned about this, can you provide us your customer contact information so we can go let them know that they have whatever [internet] port open or are running a vulnerable system,’” Krebs said at the FireEye Defense Summit Dec. 10.
The legislation also mandates an annual public report that includes the number of vulnerabilities found and the number of warnings issued.