The Senate Homeland Security and Governmental Affairs Committee soon plans to mark up proposed legislation that would give the Department of Homeland Security the ability to subpoena internet access providers so that it can warn owners and operators of critical infrastructures of cyber security vulnerabilities to their networks, Sen. Ron Johnson (R-Wis.), the committee chairman, said on Thursday.
The Administrative Subpoena authority is being sought by the Cybersecurity and Infrastructure Security Agency (CISA) within DHS, which can spot a vulnerable system through an internet protocol address but doesn't have visibility into where the system is located and whom to contact. The subpoena power would allow CISA to contact Internet Service Providers to get the contact information of a business or other entity associated with the internet protocol address.
"That's a big priority for me," Christopher Krebs, director of CISA, told the committee. "Once we identify vulnerable systems out there, whether it's an industrial control system or telecommunication system, we need to be able to get to the people that are managing those systems so that we can close down those vulnerabilities before a bad guy gets to them."
Johnson said that "Hopefully we'll get that passed with strong bipartisan support and then figure out some way to wind it through the congressional process and get it signed into law."
The Senate panel is scheduled to mark up a number of bills on Nov. 6 but the proposed Administrative Subpoena legislation isn't part of that meeting.
The House Homeland Security Committee is also vetting the proposed authorities for CISA and potentially will consider legislation early next year.
Krebs, replying to a question from Johnson about the top three things he needs from Congress, said that in addition to the Administrative Subpoena power, his top priority is for the private sector to overcome legal concerns it may have in sharing information about a vendor whose products present cyber security risks, such as the Russia-based anti-virus software company Kaspersky Labs.
"At the top of the list right now is make it easier for companies to share information on risky vendors they come across and make it similarly easy for me to share that information," Krebs said. "I don't want to ever have to go through another Kaspersky Labs anti-virus product situation. We need to be able to rapidly get information out."
In September, a task force co-chaired by CISA and industry examining issues related to risk in the information and communication technology supply chain issued a report saying that vendors are concerned about potential legal action against them if they share information about suspect suppliers (Defense Daily, Sept. 23).
Krebs said that "number two" on his list of needs is for Congress to make it easier to bring together different organizations for the development of "frameworks" to share cyber security information "more broadly."
Johnson asked if there are anti-trust concerns here.
Krebs replied there are some anti-trust issues.
"I'm restricted to some of the sector coordinating councils at this point in terms of those trusted convening mechanisms, so I think we can take a harder look at the way we pull groups together," he said.
There are 17 sector coordinating councils representing various national critical infrastructures such as the defense industry, communications sector and emergency services. The councils allow owners and operators of their respective critical infrastructures to network on various issues.