Last week the Senate Homeland Security and Governmental Affairs Committee held a business
meeting during which it considered S 3045, the Cybersecurity Vulnerability Identification and Notification Act
of 2019. Substitute language was offered by Sen Hassan (D,NH), a co-sponsor of the bill. The substitute
language was further modified by an amendment offered by Sen Paul (R,KY), and the modified language was
subsequently adopted by a voice vote.
Limit on Authority
The original substitute language modified the proposed §2209(o)(2)(B) by adding a new category of limits on the
information that the Cybersecurity and Infrastructure Security Agency (CISA)
can seek under the new subpoena authority. The added restriction is that a
subpoena cannot seek information on “more than 20 covered devices or systems”
{§2209(o)(2)(B)(ii)}.
Information Sharing Within the Government
Both the substitute language and the Paul amendment made
changes to the authorization for CISA to share information obtained through the
newly authorized subpoena authority.
The substitute language modified new §2209(o)(7)(A)(ii) by
adding two new clauses, additionally allowing the Agency to share information
received with another Federal agency if a cybersecurity incident is involved
and:
• The Director determines that sharing
the nonpublic information with another Federal agency is necessary to take law
enforcement or national security actions pertaining to such incident; and
• The entity to which the information pertains is notified of the Director’s determination, to the extent practicable consistent with national security or law enforcement interests
The Paul amendment would modify that authority by requiring the
affected entity to consent to the disclosure unless “another Federal agency
identifies the entity to the Agency in connection with a suspected
cybersecurity incident” {new §2209(o)(7)(A)(iv)}.
The Paul amendment also added a new paragraph (12) that
further restricted the sharing of information with other Federal agencies. It would
prohibit the sharing of any information produced as a result of the subpoena
with “any other Federal agency for any purpose other than a cybersecurity
purpose” as defined in 6 USC 1501.
Information Sharing with Affected Entity
The substitute language would revise the proposed §2209(o)(7)
by adding a new subparagraph (F) that would require CISA, when notifying an
entity at risk, to include:
• A discussion or statement that responding
to, or subsequent engagement with, the Agency, is voluntary; and
• To the extent practicable, information regarding the process through which the Director identifies security vulnerabilities.
The substitute language also modified §2209(o)(7)(C) to
require that, where information received as a result of a subpoena shows that the
covered entity is not a critical infrastructure entity, the affected
entity be informed of the vulnerability information before the contact
information for the entity is destroyed.
Moving Forward
Once the Committee submits its report on the bill along
with the amended language, the bill would be cleared for consideration by the
full Senate. It seems to me, however, that this bill is still too controversial
to be considered under the Senate’s unanimous consent process; someone would
object. That would require the bill to be considered under regular order. That
is too time consuming this late in the session, and the Senate leadership would
never bring it to the floor. The only other hope for this bill is for it to be
included in a CISA authorization bill, which may be high-enough priority to be
considered under regular order.
I am going to add a new caveat to this ‘moving forward’
discussion: COVID-19. As the seriousness of this epidemic becomes more apparent
and the economic consequences become more painful, the normal operations of the
House and Senate are going to be affected as a lot of priorities shift. Add
to that the fact that we are inevitably going to see a number of legislators and
their staffs personally affected by the disease, and that is going to affect the
legislative process in ways that are going to be difficult to predict.
Commentary
I think that the changes made this week by the Committee are
all worthwhile changes. I will note that the changes did address two items that I
noted in my original
post about S 3045. My proposed language changes at the end of that post
were not specifically made, but the new language for that clause achieves the
same end. I will pretend that I helped that change along.
The other change addressed the objections of a number of commenters
about the scope of the subpoena authority being broader than popularly described. The
way this bill is written, even after the changes here, does not limit the CISA subpoena
power to just contact information from ISPs. As I noted in that post:
“A more effective use of this
subpoena power, however, would be to contact control system equipment vendors
or integrators about owners of equipment with known cybersecurity vulnerabilities,
particularly where those vulnerabilities do not yet have effective mitigation
measures available. There is nothing in this bill that would prevent such
subpoenas.”
Well, the new language does hinder that use of the subpoena
authority by limiting each subpoena to “not more than 20 covered devices or systems”.
A clever subpoena crafter could still gain valuable information from a vendor like Siemens
or Rockwell about owners of vulnerable devices, but there would be some very
real limits on that information as a result of this change. Those limits could
deny CISA timely information that would prevent a cyberattack on critical
facilities.
Does this make this a bill that should not pass? Of course
not. No legislation is going to be perfect in a representative democracy.
Compromises must be made to get bills passed and signed into law. The CISA
subpoena authority is important, and if some limits have to be placed on that
authority for it to become available, so be it.