Senate Committee OKs Bill to Give CISA Subpoena Authority Over Internet Service Providers

The Senate Committee on Homeland Security and Governmental Affairs unanimously approved a bill—S. 3045—that would empower the Cybersecurity and Infrastructure Security Agency to compel internet service providers to identify entities whose systems the agency determines to be vulnerable. 

The committee favorably reported the legislation today along with S. 3207, which would put a cybersecurity coordinator in every state with the CISA director responsible for overseeing the placement.

Subpoena authority for CISA cleared the equivalent House Committee at the end of January but was held up in the Senate due to privacy concerns.

Lawmakers across the political spectrum have repeatedly expressed confidence in CISA Director Christopher Krebs, who has described the bill as his top legislative priority.

“This is the authority that Chris Krebs came to us to ask for,” said Chairman Ron Johnson, R-Wisc., during today’s markup. “In order to keep this nation safe and secure, they need the ability to actually notify a person that they know as being attacked. Right now they don’t have that capability. You know this is an incredibly important piece of legislation. I know there’s some resistance to it, I think because there’s unfounded concern.”

Notwithstanding his popularity with lawmakers, Krebs found himself on the defensive during a hearing on CISA’s budget earlier in the day. Republicans joined Democrats in opposing President Trump’s proposal to cut the agency’s funding. 

“Despite bipartisan support for increasing CISA’s cybersecurity budget, the president’s budget cuts it by about over $150 million,” said Rep. Cedric Richmond, D-La., chairman of the House Homeland Security’s subcommittee on Cybersecurity, Infrastructure Protection, & Innovation where Krebs testified in the morning. 

Krebs detailed his plans for the agency—including strengthening the workforce by lowering clearance requirements—as appropriators prepare to assemble the federal budget for fiscal 2021.  

“I don’t understand how a cut of that magnitude makes communities trying to defend themselves against ransomware attacks, federal networks, or critical lifeline services—from power to communications—any more secure,” Richmond said.

Republicans weighed in just as stridently, opposing the budget proposal President Trump made last month.

“I must say I agree with the chair, cutting CISA’s budget is not a good idea at all. In fact, the opposite is true. We need to expand your resources so you can better handle the emerging threats,” Subcommittee Ranking Member Rep. John Katko, R-N.Y., said. “I’m very interested in what else you need, you know we will respond if you tell us what you need. And I encourage you not to be shy about it, Mr. Krebs.”

Full Committee Ranking Member Mike Rogers, R-Ala., added: “CISA’s work is critical, that’s why I was disappointed to see this year’s budget request for the agency. I’m very concerned any cuts like this would undermine CISA’s ability to successfully carry out its mission.”

“I do take comfort in knowing the president only proposes budgets. We write budgets,” Rogers noted. “And I can tell you that these cuts are not going to happen.”

Krebs said the agency could always do more with more. He argued the matter was just an issue of bad timing.

“The ‘21 budget request, the president’s budget request, was built on the ‘19 enacted. So if you look at it through that lens, it’s actually an increase over the ‘19 enacted,” he said. 

“Because we didn’t receive the FY ‘20 appropriations till late December, by that time, the ‘21 president’s budget was already baked. So it was out of my control, that was already cooked. There was not time to peg it against the ‘20 approps,” he added. “So what you see in the president’s budget request are the key areas of focus for the agencies, and there’s plenty of room for investment.”