Senate bill would give DHS cyber agency subpoena powers

Senate bill would give DHS cyber agency subpoena powers
© Getty

Two senators unveiled bipartisan legislation on Thursday that would give the Department of Homeland Security’s (DHS) cyber agency the ability to subpoena internet service providers to increase transparency about cyber vulnerabilities.

The bill from Sens. Ron JohnsonRonald (Ron) Harold JohnsonHillicon Valley: Barr asks Apple to unlock Pensacola shooter's phone | Tech industry rallies behind Google in Supreme Court fight | Congress struggles to set rules for cyber warfare with Iran | Blog site Boing Boing hacked Congress struggles on rules for cyber warfare with Iran Senators set for briefing on cyber threats from Iran MORE (R-Wis.) and Maggie HassanMargaret (Maggie) HassanCyberattacks against North Dakota state government skyrocket to 15M per month Hillicon Valley: Biden calls for revoking tech legal shield | DHS chief 'fully expects' Russia to try to interfere in 2020 | Smaller companies testify against Big Tech 'monopoly power' Bipartisan group of senators introduces legislation to boost state cybersecurity leadership MORE (D-N.H.), gives the DHS Cybersecurity and Infrastructure Security Agency (CISA) the power to issue subpoenas to obtain information about potential cyber vulnerabilities related to critical infrastructure, such as in the electric grid or dams. 

CISA would then be able to warn the critical infrastructure companies targeted of the potential dangers found by internet service providers.

ADVERTISEMENT

The legislation was put together following a request from DHS in July, asking that Congress give CISA subpoena power to force telecommunications companies to provide information on whether critical devices and systems were threatened by cyber attacks. 

Johnson, who serves as chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a statement on Thursday that “every day, CISA is made aware of vulnerabilities to these systems – some easily fixable – but is powerless to warn the potential victims.”

“This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim,” Johnson said. “We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same.”

Hassan, who is a member of the Senate Homeland Security Committee and who has made cybersecurity a priority while in office, emphasized in a statement that “an attack on critical infrastructure could have devastating consequences, from shutting down heating and cooling systems of hospitals to manipulating industrial controls of water treatment facilities to blacking out an entire city.”

Hassan noted that “CISA already has a system to identify cybersecurity vulnerabilities in critical infrastructure, and the bipartisan bill we are introducing today helps to ensure that if CISA finds a vulnerability, it has the tools and information it needs to reach out to the entity maintaining the system.”

ADVERTISEMENT

The new bill would also require CISA to compile an annual report to Congress on the number of vulnerabilities that were successfully dealt with through subpoenas, and the amount of critical infrastructure companies that were warned of threats by CISA. 

On the other side of Capitol Hill, key members of the House expressed support for the bill on Thursday. 

Asked by The Hill about the new bill, Rep. Bennie ThompsonBennie Gordon ThompsonHillicon Valley: Trump turns up heat on Apple over gunman's phone | Mnuchin says Huawei won't be 'chess piece' in trade talks | Dems seek briefing on Iranian cyber threats | Buttigieg loses cyber chief House Democrats request briefings on Iranian cyber threats from DHS, FCC Democrats sound election security alarm after Russia's Burisma hack MORE (D-Miss.), the chairman of the House Homeland Security Committee, said that it “makes a lot of sense.”

Rep. James Langevin (D-R.I.), the former chairman of the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill that “erring on the side of more disclosure is better.”

“I believe that we need incident reporting data, vulnerability disclosures are important for understanding the threats and being able to share that information, so it’s something that likely I would support, but I want to look at the bill more closely,” Langevin added.