Cybersecurity and Infrastructure Security Agency Director Jen Easterly called administrative subpoena power "a really, really important authority" at a House Homeland Security hearing Wednesday, detailing for the first time how often that authority has been used.
The agency received the ability to scan the internet for industrial devices with vulnerabilities and subpoena internet service providers to discover who owned those systems in the hopes of informing them in this year's defense authorization act.
"We have issued over, I believe, 35 administrative subpoenas to date," she said, praising the results.
"Because we go back and we rescan the infrastructure where we saw those vulnerabilities, we've seen those vulnerabilities actually get closed. So we believe this tool is enabling us to mitigate and remediate vulnerabilities, and to make folks aware of vulnerabilities that they probably were not tracking. So we've used that aggressively since we've gotten it and I'm really pleased to say that we've operationalized it in a way that is helping us reduce risk," she said.
The authority to issue subpoenas came with some controversy. Civil liberties groups worried that giving a new agency an invasive power might lead to misuse or mission creep.
CISA had lobbied for the ability to issue warrants since June of 2019, when it told Congress: "In the past year alone, there have been at least six occasions in which CISA has been delayed, restricted, or altogether foreclosed in responding to known and actionable cyber risks because it lacked a way to identify the targets."
Elsewhere in the hearing, Easterly said that information was still waiting for its Woodsy Owl-type slogan to drill its importance into the public psyche.
"We need a campaign like 'Click It or Ticket' or Smokey the Bear or 'This Is Your Brain on Drugs' — something that really makes an impact on the American people so that they know exactly what they need to do to protect themselves," she said.
It would not be the first time the agency deployed virality for common security. CISA had some meme success during the election in 2020 by using the "does pineapple belong on pizza" debate to discuss malicious information campaigns.
