The Cybersecurity and Infrastructure Security Agency is set to receive new administrative authorities that will allow the agency to obtain subscriber information for vulnerable IT assets related to critical infrastructure. The provision was included in the final conference version of the National Defense Authorization Act.
A legislative proposal from CISA disclosed last year revealed that the agency was having trouble identifying the owners of insecure, unpatched systems or devices connected to the internet. It asked Congress to grant it new authority to issue administrative subpoenas that would compel internet service providers to turn over basic subscriber information, so that the agency could contact the owners, notify them and offer assistance. The idea was endorsed by the Cyberspace Solarium Commission and eventually worked its way into the House and Senate versions of the NDAA.
In an interview hours before the finalized conference bill was publicly released, Rep. Jim Langevin, D-R.I., sponsor of House legislation pushing the idea and a chief proponent in Congress, said he was excited to see the provision make it into the final NDAA.
“It goes a long way toward allowing [the federal government] to be proactive at being able to reach out to vulnerable parties to let them know they have a security vulnerability that they need to close, as opposed to waiting until after the fact, [when] it’s the FBI knocking on your door saying ‘the bad guys are already in,’” Langevin said.
The original proposal received a critical reaction from civil liberties groups, some of whom worried about the potential for abuse or mission creep at an agency that lacks a law enforcement background or history of issuing subpoenas. A version of the NDAA seen by SC Media requires CISA to set up new procedures and training around issuing subpoenas within 90 days of the bill’s passage.
The authority would cover systems “commonly used to perform industrial, commercial, scientific, or governmental functions or processes that relate to critical infrastructure” such as operational and industrial control systems, distributed control systems, and programmable logic controllers. It would not apply to personal devices and systems, such as consumer mobile devices, home computers, residential wireless routers, or residential internet enabled consumer devices.
CISA may issue subpoenas only to fulfill “a cybersecurity purpose,” and the agency cannot request information for more than 20 covered devices in a single subpoena.
Langevin said the language and expectation of Congress is that this will be the last tool in the agency’s toolbox and it must demonstrate that it has tried and failed to contact the owners in other ways. He also said Congress will robustly exercise its oversight powers to ensure the authorities are being used appropriately.
“We want to make sure that these administrative subpoenas are handled judiciously…within the parameters of what we laid out in the bill and that’s something that we’re going to routinely touch base on as we exercise our oversight responsibilities,” he said.
CISA officials have pitched the new authorities as being in line with the agency’s mission to engage with critical infrastructure and fix cybersecurity holes that could have cascading negative effects across society. Rex Booth, then the director of cyber threat analysis at CISA, described the proposal last year as "basically helping us to identify the precise identity of victims where we see malicious activity or indications beaconing from an IP but not being able to trace the identity of the organization behind" the attack.
Representative Mike Gallagher, R-Wis., co-chair of the Solarium, said increasing cyber attacks on critical infrastructure such as hospitals, vaccine research institutions and pharmaceutical companies during the COVID-19 pandemic have validated the idea that leaving vulnerable systems in place and exposed can have catastrophic consequences for society.
“I would say the work we did in the pandemic annex really underscored or reemphasized the need for not only such authority but also to enhance penalties for those who try to attack our critical infrastructure in the midst of a pandemic crisis or otherwise,” said Gallagher during a Dec. 2 event hosted by the R-Street Institute and Foundation for Defense of Democracies.