A bill backed by members of the Senate Homeland Security and Governmental Affairs Committee would give the Cybersecurity and Infrastructure Security Agency (CISA) the power to issue administrative subpoenas to internet service providers (ISPs) in order to identify vulnerabilities in critical infrastructure.
S.3045, introduced on December 12, would give CISA a limited mandate to compel ISPs to reveal the system owner behind an IP address when the system is identified as a critical infrastructure system that has demonstrated vulnerabilities. CISA could not compel system owners to conduct fixes or take specific action.
The bill stems from a legislative proposal by CISA’s parent agency, the Department of Homeland Security (DHS), and is sponsored by committee chair Sen. Ron Johnson, R-Wis., and Sen. Maggie Hassan, D-N.H.
Christopher Krebs, director of CISA, offered his support for the bill in a blog post, highlighting the need for these authorities to carry out CISA’s mission.
“Unfortunately, too often we come across cybersecurity vulnerabilities sitting on the public internet and are unable to act because we cannot identify the owner of the vulnerable system,” he wrote. “Among many examples, CISA is currently aware of a system that controls water pumps, one controlling an oil and natural gas facility, and one controlling emergency management equipment that can be accessed without a password and modified by anyone with an internet connection.”
The bill’s cosponsors highlighted the limited scope of the bill and the measures in place to ensure privacy protections. Those include requirements for the destruction of personally identifiable information after informing the owners, and providing an annual report to Congress on subpoena usage.
“Our bill is narrowly-tailored to protect the privacy rights of all entities, giving CISA only the bare minimum of information necessary,” said Sen. Hassan.
“We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same,” said Sen. Johnson.