The House Homeland Security Committee has approved legislation that would give the Cyber and Infrastructure Security Agency (CISA) power to subpoena information from internet service providers on critical infrastructure vulnerabilities.
The Cybersecurity and Vulnerability Identification and Notification Act of 2020 now goes to the full House for a vote. The measure would enable CISA to compel ISPs to release information on any cyber vulnerabilities detected on the networks of critical infrastructure facilities. It amends the Homeland Security Act of 2002 to ensure that CISA has “necessary legal tools to notify entities at risk of cybersecurity vulnerabilities in the enterprise devices or systems that control critical assets of the United States, and for other purposes.”
Reps. Jim Langevin (D-RI) initially introduced the bipartisan bill, which is co-sponsored by Reps. Sheila Jackson Lee (D–TX), Cedric Richmond (D–LA), Bennie Thompson (D–MS), John Katko (R–NY), and John Ratcliffe (R–TX). A Senate companion bill was introduced in December by Homeland Security Committee chair Sen. Ron Johnson (R–WI), who chairs the Committee, and Sen. Maggie Hassan (D–NH).
“This legislation is based on a simple premise we’ve all become familiar with: if you see something, say something,” said Langevin. “While CISA analysts work diligently to monitor and uncover risks, current policy impedes them in their efforts to warn at-risk critical infrastructure operators,” he said. “There have been numerous instances where CISA has not been able to identify the owner of a vulnerable system and warn them of their exposure.” Rep. Thompson has said the bill will likely be part of a bigger package of "DHS authorization legislation."
The bill may not have much chance to pass the Senate. Skopos Labs, an automated platform that predicts the impacts of policy-making on companies and financial markets, gives the bill a 6 percent chance of being enacted.
DHS has 16 sectors of critical infrastructure, including chemical plants, telecommunications, energy, transportation, financial services and government facilities, among others and extending to commercial targets such as amusement parks, apartment buildings, casinos, movie studios, professional sports leagues and shopping malls. Under the new bill, as long as CISA considers the potential risk is to critical infrastructure, it can use its subpoena power. It’s not clear how CISA will define risk.
The House committee also unanimously approved legislation that would create a set five-year term for CISA directors. Rep. Katko said that “establishing a set term limit of five years for the CISA Director position...will provide certainty outside of the ad hoc appointments and varying term lengths that are currently in place.”