CISA requests administrative subpoena power over ISPs

The proposal would allow government cybersecurity officials to legally request identifying information from internet providers about the owners of vulnerable systems

The Cybersecurity and Infrastructure Security Agency is seeking new authorities to issue administrative subpoenas to compel internet service providers to turn over customer information that allows the agency to identify owners of critical infrastructure systems that have identified cybersecurity vulnerabilities.

FCW has confirmed the department has submitted a proposal for legislative language to Congress, and a spokesperson for the House Homeland Security Committee said the committee is currently "vetting the proposal." The proposal was submitted earlier this year and a briefing at the staff level has taken place. Other sources close to the committees have indicated that not every member has been briefed on or seen the proposal yet.

TechCrunch was first to report on the proposal.

Part of that vetting will deal with building in legal safeguards to ensure the authorities aren't abused, a prospect still fresh in the minds of lawmakers after a recent court ruling found that the FBI had been abusing a key government spying program to conduct tens of thousands of illegal searches of American citizens and residents.

"As proponents of CISA's work, we are interested in ensuring CISA has the authorities it needs to do its work with the public and private sectors," the spokesperson said. "We also need to be sure that proper privacy measures are in place."

A spokesperson for Sen. Mark Warner (D-Va.), who has been active in cybersecurity policy, told FCW he was looking into the issue and found it "interesting" but that due diligence still needed to be conducted regarding outstanding privacy concerns.

A spokesperson for the Senate Homeland Security and Governmental Affairs Committee told FCW that "committee members have received a classified briefing from the administration on the inability of CISA to identify and warn owners and operators of critical infrastructure systems of potential cybersecurity vulnerabilities, and the Committee is reviewing potential legislative solutions."

At an Oct. 10 FCW event, Rex Booth, Director of Cyber Threat Analysis, described the proposal as "basically helping us to identify the precise identity of victims where we see malicious activity or indications beaconing from an IP but not being able to trace the identity of the organization behind [it]."

"When we go to ISPs and say 'hey listen, we know there's a problem behind that IP, can you let us know who that is so we can help them or at least make them aware?', in many cases they're not legally allowed to share that," he said.

CISA Director Chris Krebs told attendees at an Oct. 10 cybersecurity conference hosted by FireEye that the proposal envisions leveraging internal technologies and third-party tools like Shodan to identify systems and devices that have known vulnerabilities or shouldn't be connected to the Internet.

Krebs said the authorities would be used to target exposed infrastructure systems, not individuals.

"We're working with Congress right now on a concept for an administrative subpoena, where we can work, whether with our tools or Shodan…we can isolate the IP [address] of a critical infrastructure system – not you folks at home – but a sensitive critical infrastructure system and industrial control systems piece," said Krebs. "We need to be able to go to the ISP and say look we need some help getting to this person, can you help us?"