Last month the Senate Homeland Security and Governmental Affairs
Committee published their report on S 3045, the Cybersecurity Vulnerability Identification and Notification Act
of 2019. The Committee amended and ordered the bill reported at
a meeting held in March 2020. The bill would provide the Cybersecurity
and Infrastructure Security Agency (CISA) with the authority to issue subpoenas
“for the production of information necessary to identify and notify the [an]
entity at risk”.
Subpoenas Limited to ISPs?
I noted in my commentary on the introduction
of S 3045 that:
“Much has been made in the more
popular press (see here
for example) about how this bill would allow CISA to issue these subpoenas to
information services providers. This would certainly be helpful where CISA has
been able to identify an IP address where a vulnerable system exists, but needs
point of contact information from the ISP.”
There is nothing in the bill that specifically limits the
application of the new CISA subpoena authority to just ISPs. In fact, there are
just two mentions in the bill that would reference statutes applicable to ISPs.
In the new §659(o) being added by the bill, subparagraphs (2)(B)(i) and (2)(C)
both refer to 18
USC 2703, Required disclosure of customer communications or records. The
first two paragraphs of §2703 deal with obtaining copies of electronic
communications, while paragraph (c)(2) allows a Federal agency, upon application of an administrative
subpoena “authorized by a Federal or State statute”, to
require a “provider of electronic communication service or remote computing
service” to disclose certain limited information about “a subscriber to or customer of
such service”.
If the intent of this bill were limited to collecting
information from ISPs, the crafters of the bill would have specifically provided
a reference to §2703(c)(2) in the new §659(o)(2)(A), rewording the final phrase
of that sub-section to read:
“the Director may issue a subpoena
under 18 USC 2703(c)(2) for the production of information necessary to identify
and notify the entity at risk, in order to carry out a function authorized
under subsection (c)(12).”
Failing to limit the subpoena authority to the referenced
subparagraph means that someone in the crafting process intended to extend the
subpoena authority, for obtaining information identifying owner/operators of
vulnerable equipment in critical infrastructure, to entities other than just
ISPs. And there is nothing in the language of the report that obviates that
conclusion.
Moving Forward
The publication of the Committee Report technically clears
this bill for consideration by the full Senate. It is unlikely that this bill would
be considered under regular order with the full debate and amendment process.
The bill is just not important enough (in the grand scheme of things, it is
important to CISA) to take up any of the limited time left in the session to
address this bill.
This leaves two options for consideration. The first would
be to take this bill up under the unanimous consent process. That process would
allow a single Senator to block consideration of the bill by objecting
to it. I suspect that there would be a number of Democrats that would object
to the bill under general principles just to object to anything from DHS
without a chance to debate and amend the bill.
The other path would be to add the provisions of this bill
to a must pass bill. There is nothing in this bill that would cause serious
enough objections to stall or even delay a must pass bill. I almost expected
this to be added to the new
Division E added to S 4049, the FY 2021 NDAA. Sen Johnson (R,WI) did
propose similar language as two
separate amendments (SA 1807 – pgs S3329-30; and SA 2195 – pgs S3584-5) to
that bill. Neither amendment was taken up
on the floor of the Senate.
The only other ‘must pass bill’ that this bill could be
appended to would be the DHS spending division of the final omnibus spending
bill that may be taken up much later this year.