Inside Cybersecurity

December 7, 2019

Daily News

CISA circulates ISP subpoena-power legislative plan; markup date pending

November 7, 2019

The Cybersecurity and Infrastructure Security Agency is circulating updated language on its legislative proposal for administrative subpoena power related to Internet Service Providers, a measure that could be scheduled for markup this month in the Senate Homeland Security and Governmental Affairs Committee.

The revised language has been circulated on and off Capitol Hill in recent days and was obtained by Inside Cybersecurity.

The measure, a top priority for CISA Director Christopher Krebs, would allow the agency to issue administrative subpoenas to ISPs in order to obtain contact information when malicious cyber activity is detected on critical-infrastructure systems.

According to the text, the measure would help “protect United States critical infrastructure by ensuring that the Cybersecurity and Infrastructure Security Agency has the legal tools it needs to notify private and public sector entities put at risk by cybersecurity vulnerabilities in the networks and systems that control critical assets of the United States."

The language says: “If the Director identifies a specific security vulnerability that relates to critical infrastructure and affects an enterprise device or system used by a Federal or non-Federal entity, and the Director is unable to identify the entity at risk, the Director may issue a subpoena for the production of information necessary to identify and notify the entity at risk, in order to carry out a function authorized under subsection (c)(12).”

It says, “A subpoena issued under the authority under subparagraph (A) may only seek information in the categories set forth in subparagraphs (A), (B), 19 (D), and (E) of section 2703(c)(2) of title 18, 20 United States Code."

It includes language on “the protection of and restriction on dissemination of nonpublic information obtained through a subpoena issued under this subsection,” and calls for a review of the procedures by the CISA privacy officer.

Senate Homeland Security Chairman Ron Johnson (R-WI) last week suggested a markup was imminent, but committee staff say the proposal is still being examined.

“The bill the committee is working on is being vetted by stakeholders and drafted to ensure CISA has limited, discrete authority to identify IP addresses of vulnerable industrial control systems so that it can warn the company of the vulnerability before it is exposed, and nothing more," a committee aide said.

“We are vetting the proposal. I am not sure when we will see action at this time,” a spokesman for House Homeland Security Chairman Bennie Thompson (D-MS) told Inside Cybersecurity earlier this week.

Representatives of ISPs have declined to comment on CISA's request for the subpoena power. -- Charlie Mitchell (cmitchell@iwpnews.com)