Inside Cybersecurity

September 19, 2021

Daily News

Krebs identifies administrative subpoena power as top legislative priority, ahead of enhanced liability protections for info-sharing

By Mariam Baksh / October 25, 2019

CISA Director Christopher Krebs would put subpoena power over Internet Service Providers above expanding liability protections from antitrust laws – as a way to improve private-sector information sharing – on a list of ways Congress can advance the agency’s mission.

“Right now, at the top of the heap for us is the administrative subpoena,” Krebs said. “That for us is something that would be very useful in terms of enabling our mission.”

Krebs spoke to Inside Cybersecurity following remarks at the CyberNext conference, a day-long conference hosted Thursday by the Cybersecurity Coalition, a collaboration of the tech and telecom industries; the Cyber Threat Alliance, a collection of cybersecurity firms focused on sharing threat intel; and the National Security Institute, an initiative of George Mason University’s Antonin Scalia Law School.

He answered the question in the context of other legislative asks the agency might have, including on election security and the need to expand liability protections from antitrust laws, which leaders of CISA’s Information and Communications Technology Supply Chain Risk Management Task Force have suggested might be in order to foster greater information sharing on cyber threats by private-sector entities.

The task force’s recommendation was well received by House Homeland Security Chairman Bennie Thompson (D-MS).

“We always have an ongoing list of legislative proposals, things we need to get done,” Krebs said, but added “I think with our existing resources, our existing partners, we have all we need to get our job done on a daily basis.”

He said the subpoena power, though, is something “we are highly focused on right now,” because, as CISA Assistant Director Jeanette Manfra noted earlier in the day, fiscal 2020 is being referred to as “the year of vulnerability management” within the agency.

Krebs said “we’ve been working with the House and the Senate” on the expanded authority, which would force ISPs to provide the names of entities where system vulnerabilities are found.

“We are really trying to drive down the attack surface, and I think we've been highly successful,” but, he said, “I think there are some things we can do to take the next step.”

Krebs noted, “this is not like last year when getting the [Cybersecurity and Infrastructure Security Agency] act across the finish line was the clear top priority, but we're also very practical in realizing there are only so many days on the calendar this year, Congress is being pulled in a lot of different directions, so we'll keep plugging away.”

Rep. Will Hurd (R-TX), a supporter of the original legislation providing liability protections for information sharing -- the Cybersecurity Act of 2015 – was also mindful of the limits of Congress’ time and attention, when asked about the need for enhanced liability protections for info sharing.

“I know the [Cybersecurity Act of 2015], I was involved in it,” he told Inside Cybersecurity, after speaking at the CyberNext conference earlier in the day. “Doing something on top of that, I have not been involved in any serious conversations about that. Something like that is certainly not going to happen this year.”

Asked whether the idea should be considered by the next Congress, Hurd said, “I think if there's bandwidth and opportunity we should always be looking at these things, but I would prioritize it differently.”

Hurd, an author of the Secure Technologies Act which authorized the Federal Acquisition Security Council that is expected to play a crucial role in facilitating the information sharing needed to secure supply chains, is not seeking re-election. – Mariam Baksh (mbaksh@iwpnews.com)