Today Rep Langevin introduced HR 5680, the Cybersecurity Vulnerability Identification and Notification Act of 2020. The bill would provide the DHS Cybersecurity and Infrastructure Security Agency (CISA) with the authority to issue subpoenas to identify owners of critical infrastructure identified as having cybersecurity vulnerabilities. The bill is similar to S 3045, which was introduced in the Senate last month.
Definitions
There are some significant differences between the definitions used in this bill and those in S 3045. First, it moves the definition of ‘enterprise device or system’ from the new paragraph (n) of 6 USC 659 to paragraph (a), ensuring that the definition is of more general use in that section.
Then HR 5680 changes two existing definitions in (a):

Adds a reference to ‘cybersecurity purpose’: the terms ‘cyber threat indicator’, ‘cybersecurity purpose’ and ‘defensive measure’ have the meanings given those terms in section 102 of the Cybersecurity Act of 2015 [6 U.S.C. 1501];

Changes the definition of ‘information system’: the existing text, “the term ‘information system’ has the meaning given that term in section 3502(8) of title 44”, becomes “the terms ‘information system’ and ‘security vulnerability’ have the meanings given those terms in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)”.
Other Changes from S 3045
The language in HR 5680 is a significant re-write of S 3045, but that is mainly due to the removal of the definition portion of the paragraph. However, in developing a subpoena procedure under (n)(8), the House bill adds a new requirement to include {new §659(n)(8)(A)(v)}:

The process for tracking engagement with each party that is subject to such a subpoena and the entity at risk identified by information obtained pursuant to such a subpoena.
At the end of (n)(8), HR 5680 adds a new congressional notification requirement:

(B) CONGRESSIONAL NOTIFICATION.—The Director shall brief the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate upon establishment of internal procedures and associated training required under this subsection.
Finally, this bill adds a new requirement under new §659(n):

(10) RESOURCE ASSESSMENT.—Not later than 120 days after the date of the enactment of this subsection, the Director shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate an assessment regarding whether additional resources are required to—
‘‘(A)(i) ensure timely notifications to entities at risk pursuant to paragraph (6); and
‘‘(ii) provide such entities at risk with timely support to mitigate security vulnerabilities; and
‘‘(B) provide associated training applicable to employees and operations of the Agency to comply with internal procedures established pursuant to paragraph (8).
Moving Forward
This bill is being considered in the House Homeland Security Committee tomorrow. I suspect that it will be adopted by a significant bipartisan majority. The bill will probably move forward to the House floor later this year under the suspension of the rules process. It will likely pass with similar bipartisan support. The Senate has yet to take action on S 3045. It is not clear whether or not the Senate will accept this version or insist on its own.
Commentary
I applaud Langevin’s addressing my pet peeve, the IT-restrictive definition of ‘information system’ used in §659. The addition of the definition of ‘enterprise device’ would currently only apply to this subpoena authorization portion of §659, but it will be available for future changes to CISA authority.

The other changes in this bill do little to address my concerns about S 3045.