CISA subpoena bill set to land
The legislation will make a number of changes from a proposal submitted by DHS, narrowing the scope of the authorities to critical infrastructure IT and only for cybersecurity purposes.
The Senate Homeland Security and Governmental Affairs Committee is expected to unveil legislation Thursday that would give the Department of Homeland Security's cyber agency the power to issue administrative subpoenas to Internet Service Providers for subscriber information related to critical infrastructure IT, according to an individual familiar with the matter.
The draft bill, which FCW has not seen, is based off a legislative proposal submitted to Congress by the Cybersecurity and Infrastructure Security Agency earlier this summer. That document had draft legislative language that would have expanded the mission of the National Cybersecurity and Communications Integration Center to include "detecting, identifying and receiving information about security vulnerabilities in the information systems and devices of federal and non-federal entities" as well as notifying owners and operators that they are at risk.
According to the source, who was not authorized to speak on the record, the committee's legislation will make a number of changes from the version provided by DHS, including narrowing the scope of the authorities to apply only to subscriber information for critical infrastructure entities and only for cybersecurity purposes. There will also be added provisions around data retention.
In selling the idea to Congress and the public, CISA Director Chris Krebs and other officials have said the agency would only issue such subpoenas to contact owners of critical infrastructure. According to the DHS proposal, there are tens of thousands of Industrial Control System devices open to the internet identified by websites like Shodan and internal CISA monitoring, and "we know from experience and current threat reporting that these vulnerable entities are of keen interest to attackers."
The subscriber information sought by CISA includes the name, address, length and type of service utilized and telephone number for the owners of any connected enterprise devices and systems, which the agency's proposal defined as "any system or device commonly used to perform industrial, commercial, scientific or governmental functions or processes."
When DHS' plan was first reported in the media, CISA encountered a wave of questions from Congress and privacy and civil liberties groups concerned about overreach, abuse. Outgoing Assistant Director for Cybersecurity and Communications gave FCW a statement in October saying the agency would work with Congress to address outstanding concerns.
"We will work with Congress to ensure this authority is narrowly tailored and appropriate safeguards are in place," Manfra said.