Published by The Lawfare Institute
in Cooperation With
Last year, faced with rising threats in cyberspace, Congress established the nation’s first civilian cybersecurity agency—the Cybersecurity and Infrastructure Security Agency (CISA). We serve as the nation’s risk adviser, which means we’re the agency responsible for working with partners throughout government and industry to improve America’s cybersecurity. One of our main responsibilities is protecting critical infrastructure by sharing information about vulnerabilities on networks that—if left unmitigated—leave them susceptible to attack, putting our national security and economic prosperity at risk. CISA analysts work around the clock to identify and address these vulnerabilities and, ultimately, share this timely risk management information with our partners.
Unfortunately, too often we come across cybersecurity vulnerabilities sitting on the public internet and are unable to act because we cannot identify the owner of the vulnerable system. One key area of concern involves industrial control systems and other networks that operate the nation’s critical infrastructure. Among many examples, CISA is currently aware of a system that controls water pumps, one controlling an oil and natural gas facility, and one controlling emergency management equipment that can be accessed without a password and modified by anyone with an internet connection. Unless Congress acts, systems that support critical functions that everyday Americans rely upon could remain wide open to attack, but there’s little we can do to protect them.
For these vulnerable systems and countless others like them, CISA is unable to determine the identity of the owner or operator of the system and, therefore, cannot contact the entity to advise it of the vulnerability. Many of the vulnerable systems CISA finds are identified only by a numerical internet protocol (IP) address. The name and contact information are held by the organization’s internet service provider (ISP). Current law, however, prohibits ISPs from sharing the identity of their customers with the federal government without a legal mechanism requiring it. This leaves systems with known critical vulnerabilities exposed to potential abuse. Hearing directly from CISA will help owners and operators of vulnerable critical infrastructure better understand the risk and appropriately prioritize vulnerability mitigation.
Chairman of the Senate Homeland Security and Governmental Affairs Committee Ron Johnson (R.-Wis.) and Sen. Maggie Hassan (D.-N.H.) have introduced a legislative fix that would grant CISA a narrowly tailored legal mechanism—commonly known as an administrative subpoena—that would allow ISPs to provide information to CISA, limited to a vulnerable entity’s contact information. The administration strongly supports this legislation, and I urge Congress to act on it to close this critical gap in our nation’s cybersecurity. This limited information would enable us to contact an entity subject to vulnerabilities, such as a power plant or hospital, to inform them of the potential risk and offer mitigation advice or assistance.
All our cybersecurity programs and services are completely voluntary. No one has to work with us, though many in the public and private sectors choose to because they find the information and services we provide beneficial to their organization’s security. This legislative change would do nothing to change these facts.
An administrative subpoena is different from a criminal subpoena, and the authority we are seeking is fairly common across the federal government. When Congress grants an agency this authority, it’s usually because it’s needed to fulfill a statutory requirement—in this case, to share timely and actionable cybersecurity risk information with critical infrastructure partners to help them protect their systems.
Some observers have raised concerns about the potential for this authority to be misused, while others have asked questions about what privacy protections would be in place. We understand these concerns. The legislation is intentionally narrowly tailored to fulfill our responsibilities as a cybersecurity agency. We are seeking this authority only to pursue vulnerabilities affecting critical infrastructure, not those related to individual Americans.
Protecting privacy is at the cornerstone of everything we do as an agency that depends entirely on maintaining the trust necessary to work with industry through our voluntary programs. The protection of sensitive information, including personal information, is a national critical function and our agency acts to protect that function. We also have a long history of safeguarding similar data and have a proven track record of protecting it. CISA has a congressionally mandated chief privacy officer, and we require a privacy impact assessment to be conducted on any cybersecurity program we implement. We are committed to protecting privacy and ensuring the appropriate use of this proposed authority.
After years of trying several different methods to contact these affected entities and share what we’ve found, the status quo is simply not working. This new proposed legal authority is a smart, reasonable and targeted tool that will allow the men and women of CISA to live up to the mission Congress set out for us—to improve American critical infrastructure cybersecurity.