The Department of Homeland Security has asked lawmakers for subpoena authority in order to directly contact organizations vulnerable to hacking rather than having to rely on outside parties to communicate with the private sector.
The move is an attempt to speed up the process by which DHS’s Cybersecurity and Infrastructure Security Agency (CISA) interacts with critical infrastructure companies on the front lines of state-sponsored hacking threats. Right now, DHS officials say, they have IP addresses of vulnerable systems in the private sector, but can’t obtain the contact information for equipment owners through internet service providers.
And so DHS is seeking “administrative” subpoena authority, which would compel an ISP to turn over that information and allow the department to contact those potential hacking victims directly.
“Over many years, we have tried many methods to be able to contact these entities,” said Jeanette Manfra, CISA’s assistant director for cybersecurity and communications. “The challenge is that the law actually prohibits an internet service provider from telling us who that customer might actually be.”
Industrial control systems, which underpin a number of critical infrastructure sectors, would be a key area of focus for the subpoena authority.
“A challenge that we have is that we can see a lot of industrial control systems…that have potential vulnerabilities that are accessible from the public internet,” Manfra told reporters Wednesday.
Asked by CyberScoop how DHS would ensure that it would not use the subpoena authority in an overly broad manner that involves more data than necessary, Manfra said the department would draw on its experience working with the private sector on voluntary data-sharing programs.
“We have a long history of collecting similar types of data through voluntary programs and [have] demonstrated ways of protecting that, as well as to ensure that the information is only used for the purposes that it was collected,” she said. CISA officials intend to apply the authority in a “very narrow set of circumstances,” according to Manfra.
One former DHS official familiar with the proposal told CyberScoop: “Right now, DHS may have information that gets them to the ISP layer, but then they are blind. So they have to ask the ISP to do [potential] victim notification for them.”
An aide at the Senate Homeland Security and Governmental Affairs Committee told CyberScoop the committee had received a classified briefing from the Trump administration on the “inability of CISA to identify and warn owners and operators of critical infrastructure systems of potential cybersecurity vulnerabilities.”
The committee, the aide added, is looking at possible legislative solutions to the problem.
A House Homeland Security Committee aide confirmed that the committee had received DHS’s legislative proposal.
“As proponents of CISA’s work, we are interested in ensuring CISA has the authorities it needs to do its work with the public and private sectors,” the aide told CyberScoop. “We also need to be sure that proper privacy measures are in place.”
TechCrunch was first to report on the DHS request.