CISA’s Request for Subpoena Power

Recent stories in Cyberscoop and TechCrunch indicate that the Department of Homeland Security is asking Congress to grant the Cybersecurity and Infrastructure Security Agency (CISA) the power to issue administrative subpoenas to internet service providers (ISPs). The subpoena power will be used to compel ISPs to identify certain private-sector subscribers that CISA has found to be vulnerable to external threats, requiring ISPs to share contact information for those subscribers.

Cyberscoop quotes Jeannette Manfra, CISA’s assistant director for cybersecurity and communications, as saying, “Over many years, we have tried many methods to be able to contact these entities. The challenge is that the law actually prohibits an internet service provider from telling us who that customer might actually be.” Both Cyberscoop and TechCrunch indicate that a primary focus of such subpoenas would be businesses that operate industrial control systems, such as those that operate critical infrastructure. CISA would issue such subpoenas with the intent of warning these businesses of their systems’ vulnerabilities, presumably so that the businesses would remediate them.

This is a distinctly worthy goal if there ever was one. It’s entirely true that many businesses operate industrial control systems for critical infrastructure, that many of these systems are accessible through the public internet, that many of these have exploitable vulnerabilities, that these vulnerabilities are unknown to their operators, that warnings of such vulnerabilities to these businesses would be helpful and that CISA does have some capability to identify vulnerable systems.

But Cyberscoop and TechCrunch also reported on concerns about abuse of such authorities if they were granted. Sensitive to such concerns, Manfra remarked that CISA officials intended to apply the authority only in a “very narrow set of circumstances.” So, as in so many other cases, the U.S. government’s view appears to be: “Please trust us to not abuse any authority to demand identifying information.”

There are ways to solve this problem without the risk of compromising privacy interests. The government could, for example, provide a notification to the ISP, which could then pass it along to the compromised business. The ISP would not have to tell the government anything about the identity of the business involved.

However, according to TechCrunch, that’s not good enough for the government. From the story:

A CISA official speaking to TechCrunch on background said that the proposals, which have already been submitted to Congress, would ensure that businesses would be “more motivated” to take action if the advisory came directly from government. The official said the agency was working with lawmakers to prevent any overreach or potential abuse of the authority.

So the government wants to communicate directly with the business, rather than using the ISP as an intermediary. And just why would the business be “more motivated” to take action with direct communication? It seems to me there’s only one answer—the U.S. government wants to be able to pass along something else in addition to any information that might be contained in a notification.

What might that something else be? If, as is reported, the government really believes that its immediate presence will be more motivating, it sounds to me like the business on the receiving end might see the government’s immediate presence as intimidation.

Yes, I know that there would also be the opportunity for a face-to-face exchange of technical information. And, indeed, many questions that could come up in a notification could likely be resolved much more easily through direct interaction, just as in-person conversations are often more effective than email in clarifying issues. But the ISP could certainly set up real-time discussions, complete with two-way video and audio feeds, to facilitate such conversations without needing to divulge identity information. Why isn’t the government interested in exploring that approach?

If the government wants trust, all parts of it have to behave in ways that engender trust from businesses. In the absence of such behavior, it's not surprising that the business community would resist measures that could easily be abused.