ISP Infrastructure Vulnerabilities: New Disclosure Law?
Internet Service Providers (ISPs) would be compelled to inform critical infrastructure owners and operators of vulnerabilities detected on their systems under a proposed bipartisan bill.
The measure would allow the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas requiring ISPs to provide information about potential cyber vulnerabilities in critical infrastructure, such as the energy grid, dams or telecommunications. CISA would then be able to warn the critical infrastructure targets of potential dangers to their facilities and/or equipment, the bill’s sponsors said.
In June 2019, DHS proposed to Congress a law that would authorize CISA to issue administrative subpoenas to telecommunications companies to identify owners and operators of critical infrastructure systems and devices at risk of cyberattacks. The new, related measure zeroes in on ISPs. Its sponsoring senators, Ron Johnson (R-WI), chairman of the Senate Homeland Security and Governmental Affairs Committee, and committee member Maggie Hassan (D-NH), introduced the proposed legislation last month. It would give CISA the “authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim,” Johnson said. “We ask Americans: if you see something, say something. With this legislation we are empowering CISA to do the same.”
The bill is “narrowly tailored” to protect the privacy rights of ISPs, limited to providing only the bare minimum of necessary information, Hassan said. “CISA already has a system to identify cybersecurity vulnerabilities in critical infrastructure, and the bipartisan bill we are introducing today helps to ensure that if CISA finds a vulnerability, it has the tools and information it needs to reach out to the entity maintaining the system,” she said.
Here’s what the proposed law would do (via its sponsors):
- The legislation gives CISA a limited authority to detect, identify, and receive information only related to critical infrastructure systems for a cybersecurity purpose.
- The purpose of this legislation is to provide CISA the legal means necessary to notify the owner of the critical infrastructure system who was the subject of the subpoena. As a result, CISA must notify the vulnerable party within 7 days of receiving their information. Additionally, to ensure the privacy of affected parties or entities, CISA must destroy personally identifiable information (PII) after 6 months.
- The legislation includes an annual report to both Congress and the public. It requires reporting on the number of cybersecurity vulnerabilities that have been mitigated and the number of entities warned because of this new authority. This allows Congress and the public to better understand whether CISA’s administrative subpoena program has been effective at making U.S. critical infrastructure more secure.
- The bill requires subpoenas to be authenticated by electronic signature, or similar future technology, so that the ISP knows it is coming from CISA and has not been fraudulently generated to unlawfully access the PII of ISP subscribers.