Cybersecurity

Senate bill would give DHS cyber agency subpoena powers

by Maggie Miller

Two senators unveiled bipartisan legislation on Thursday that would give the Department of Homeland Security’s (DHS) cyber agency the ability to subpoena internet service providers to increase transparency about cyber vulnerabilities.

The bill from Sens. Ron Johnson (R-Wis.) and Maggie Hassan (D-N.H.), gives the DHS Cybersecurity and Infrastructure Security Agency (CISA) the power to issue subpoenas to obtain information about potential cyber vulnerabilities related to critical infrastructure, such as in the electric grid or dams. 

CISA would then be able to warn the critical infrastructure companies targeted of the potential dangers found by internet service providers.

The legislation was put together following a request from DHS in July, asking that Congress give CISA subpoena power to force telecommunications companies to provide information on whether critical devices and systems were threatened by cyber attacks. 

Johnson, who serves as chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a statement on Thursday that “every day, CISA is made aware of vulnerabilities to these systems – some easily fixable – but is powerless to warn the potential victims.”

“This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim,” Johnson said. “We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same.”

Hassan, who is a member of the Senate Homeland Security Committee and who has made cybersecurity a priority while in office, emphasized in a statement that “an attack on critical infrastructure could have devastating consequences, from shutting down heating and cooling systems of hospitals to manipulating industrial controls of water treatment facilities to blacking out an entire city.”

Hassan noted that “CISA already has a system to identify cybersecurity vulnerabilities in critical infrastructure, and the bipartisan bill we are introducing today helps to ensure that if CISA finds a vulnerability, it has the tools and information it needs to reach out to the entity maintaining the system.”

The new bill would also require CISA to compile an annual report to Congress on the number of vulnerabilities that were successfully dealt with through subpoenas, and the amount of critical infrastructure companies that were warned of threats by CISA. 

On the other side of Capitol Hill, key members of the House expressed support for the bill on Thursday. 

Asked by The Hill about the new bill, Rep. Bennie Thompson (D-Miss.), the chairman of the House Homeland Security Committee, said that it “makes a lot of sense.”

Rep. James Langevin (D-R.I.), the former chairman of the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill that “erring on the side of more disclosure is better.”

“I believe that we need incident reporting data, vulnerability disclosures are important for understanding the threats and being able to share that information, so it’s something that likely I would support, but I want to look at the bill more closely,” Langevin added.