Looking to bolster the cyber resilience of industrial control systems and sensitive critical infrastructure systems, the Department of Homeland Security has asked Congress to allow it to subpoena the companies that provide internet access so that they can warn owners and operators of specific vulnerabilities to their critical infrastructures, the senior DHS official for cyber security said on Thursday.
Having administrative subpoena authority would "be a game changer in terms of really taking proactive risk-reduction, resilience-building steps" to protect a "sensitive critical infrastructure system…an industrial control systems piece," Christopher Krebs, director of the DHS Cybersecurity and Infrastructure Security Agency (CISA), said at a cyber security conference hosted by FireEye [FEYE].
CISA officials first disclose their request to be able to issue administrative subpoenas on Wednesday during a media event.
Right now, tools like the Shodan search engine are valuable in discovering what is connected to the internet, what shouldn't be connected to the internet, and if something that is connected has outdated software, Krebs said. But Shodan doesn't provide who the user is, where they are and what they do, he said.
But once a vulnerability is discovered, the administrative subpoena will allow CISA to go to the internet service provider to get the contact information associated with an internet protocol address so that the agency can then go directly to the affected party.
"So what we want to be able to do is if we can't resolve the issue any other way, then we should be able to go to an ISP and say, ‘We're concerned about this, can you provide us your customer contact information so we can go let them know that they have whatever port open or running an old system?'" Krebs told reporters after his presentation. "That's it. This is not about the users, the average user, this is about hard critical infrastructure and known vulnerabilities and risks."
Krebs said administrative subpoenas are allowed under exceptions to existing law.
Krebs also said that CISA is "tweaking" one of its key information sharing mechanisms to focus on quality versus quantity. The Automated Indicator Sharing (AIS) portal allows DHS and the private sector to share cyber threat indicators in real time, providing more situational awareness around active cyber threats found on networks.
The previous focus was on speed on volume but Krebs said a chief information security officer doesn't want to sift through thousands of threat indicators every day whether their relevant to his or her organization or not.
"We want to say, ‘This is the good stuff, there's no nation-state, we've seen this active in the last couple weeks," he said. "And then having a feedback loop that if it does hit then that can come back to us" and that there are "unknown countermeasures that work against these indicators."