CISA Director Makes Case for Subpoena Power over Internet Service Providers

A bipartisan bill that would compel internet service providers to share details of vulnerable entities with the Cybersecurity and Infrastructure Security Agency is not currently being considered for a markup due to concerns over privacy violations, according to Sen. Ron Johnson, R-Wisc.

“We’re trying to create the desire for it,” Johnson, chairman of the Senate Homeland Security and Governmental Affairs Committee, told reporters after a hearing today where CISA Director Christopher Krebs stressed the importance of the Cybersecurity Vulnerability Identification and Notification Act. 

The bill is sponsored by Johnson and committee Democrat Maggie Hassan of New Hampshire. A related bill recently cleared the equivalent committee in the House. 

Krebs was testifying before the committee on “What States, Locals and the Business Community Should Know and Do: A Roadmap for Effective Cybersecurity.” He also called for more field resources he could deploy around the country.

On the subpoena power, Johnson said, “There’s some opposition we have to bat down, so I can’t really talk [markup] timing right now.” He said the opposition was in the form of “general privacy concerns.” 

Krebs told the committee CISA officials can use an automated approach to identifying and plugging vulnerabilities but hit a roadblock because when they find exploitable weaknesses, they’re usually only tied to an internet protocol address. 

ISPs have access to the information necessary to contact the vulnerable system owners but are not allowed, by law, to share it with CISA absent an administrative subpoena. 

Krebs said ISPs can go directly to the owners but many ISPs are also managed security service providers, so the outreach can be interpreted as a sales pitch.

“What we’ve seen in the past is sometimes when they show up and say ‘hey, you’ve got this vulnerability you need to address it, you should do this,’ it looks like an upsell,” he said.

But giving CISA subpoena power is too strongly associated with other powers held by Homeland Security, Johnson said.

“DHS has authority in so many other areas that are also controversial, so people can whip this small little piece, something that makes so much sense into something that sounds pretty scary,” he said.

Johnson said the path for the bill lies either through unanimous consent, which would require taking care of everybody’s concerns or attaching it to must-pass legislation, which would require support from the committees of jurisdiction where it has to move.

Krebs also appealed to the committee to pass legislation that may be a little less controversial—a bipartisan bill Hassan introduced that would put a cybersecurity coordinator in every state.

“We have to get more resources out” to help states prepare for and respond to cyberattacks, Krebs said.

“I cannot be effective if I’m sitting here in Washington, D.C.,” he said. “I need more dedicated state and local resources. The Cyber Coordinator Act I think would help us get along that way.”