Earlier this month Sen Johnson (R,WI) introduced S 3045,
the Cybersecurity Vulnerability Identification and Notification Act of 2019.
The bill would provide the Cybersecurity and Infrastructure Security Agency
(CISA) with the authority to issue subpoenas “for the production of information
necessary to identify and notify the [an] entity at risk”.
Definitions
Section 2(a)(1) of the bill would add a definition of ‘security vulnerability’ to 6 USC 659(a), taking that definition from 6 USC 1501(17).
Added CISA Function
Section 2(a)(2) of the bill would also add a new function to
the list found in §659(c). That new function would entail “detecting,
identifying, and receiving information about security vulnerabilities relating
to critical infrastructure in the information systems and devices of Federal
and non-Federal entities for a cybersecurity purpose” {new §659(c)(12)}.
Subpoena Authority
Section 2(a)(3) of the bill would add a new subsection (n)
to §659, Subpoena Authority. This new subsection starts with a definition of ‘enterprise
device or system’. That term would mean {new §659(n)(1)(a)}:
A device or system commonly used to
perform industrial, commercial, scientific, or governmental functions or
processes that relate to critical infrastructure, including operational and
industrial control systems, distributed control systems, and programmable logic
controllers.
The definition would specifically exclude {new §659(n)(1)(b)}:
Personal devices and systems, such
as consumer mobile devices, home computers, residential wireless routers, or
residential internet-enabled consumer devices.
Paragraph (n)(2) would authorize CISA to “issue a subpoena
for the production of information necessary to identify and notify the entity
at risk, in order to carry out a function authorized under subsection (c)(12).”
This authority would apply when CISA “identifies a system connected to the
internet with a specific security vulnerability and has reason to believe that
the security vulnerability relates to critical infrastructure and affects an
enterprise device or system owned or operated by a Federal or non-Federal
entity.”
The information sought under the subpoena would be limited to the information described in 18 USC 2703(c)(2)(A), (B), (D) and (E). That would include:
• Name;
• Address;
• Length of service (including start date) and types of service utilized; and
• Telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address.
Once the subpoenaed entity provides CISA with the requested
information, CISA would be required, within 7 days, to “notify the entity at
risk identified by information obtained under the subpoena regarding the
subpoena and the identified vulnerability” {new §659(n)(5)}.
Moving Forward
Johnson is the Chair, and his sole cosponsor {Sen Hassan (D,NH)} is a member of the Senate Homeland Security and Governmental
Affairs Committee to which this bill was assigned for consideration. This bill
will almost certainly be considered by the Committee early in the new year. The
provision of subpoena powers by Executive Agencies is not taken lightly by
Congress, but every effort has apparently been made to develop a bipartisan and
bicameral consensus on this measure. I suspect that it will be approved by the
Committee. It would most likely be taken up by the full Senate under the
unanimous consent process.
Commentary
Okay, let’s get the definitions rant out of the way. The
CISA cybersecurity authority rests heavily upon an IT-restrictive definition of
‘information systems’. While the bill provides language that specifically
includes “industrial control systems, distributed control systems, and
programmable logic controllers”, it still uses terms such as ‘incident’ that rely
on that IT-restrictive definition. To avoid that confusion Johnson (really the
Committee Staff) should have used this bill as an opportunity to clarify the
definition problems that I
outlined earlier this year. Okay, that rant is over, let’s move on….
Much has been made in the more popular press (see here
for example) about how this bill would allow CISA to issue these subpoenas to
information services providers. This would certainly be helpful where CISA has
been able to identify an IP address where a vulnerable system exists, but needs
point of contact information from the ISP.
A more effective use of this subpoena power, however, would
be to contact control system equipment vendors or integrators about owners of
equipment with known cybersecurity vulnerabilities, particularly where those vulnerabilities
do not yet have effective mitigation measures available. There is nothing in
this bill that would prevent such subpoenas. The reference to the wire fraud
statute in this bill only references the types of information that can be
requested, not from whom the information can be requested.
There is one oddity in the bill that probably needs to be addressed. In the
paragraph (n)(7) discussion of procedures that CISA is required to develop to
support this subpoena authority, it calls for “immediate destruction of
information obtained through the subpoena that the Director determines is
unrelated to critical infrastructure” {(n)(7)(C)(i)}.
This apparently conflicts with the requirement in (n)(5) to notify the “entity
at risk identified by information obtained under the subpoena” regarding
the subpoena and the identified vulnerability. It would seem only fair that an
entity identified under the subpoena, but subsequently determined not to be
‘related to critical infrastructure’, should be notified of the vulnerability
before CISA destroyed the information. That conflict could be rectified by
changing the wording of (n)(7)(C)(i) to read:
(i) immediate, subsequent to notification
under (n)(5), destruction of information obtained through the subpoena
that the Director determines is unrelated to critical infrastructure; and