The US Cybersecurity and Infrastructure Security Agency (CISA), in charge of leading national cybersecurity and infrastructure resilience programs, wants a change to federal law that would allow it to inspect systems behind ISPs and notify them to fix problems.
The Department of Homeland Security, which oversees CISA, wants to learn about vulnerable systems before they become a security problem. But it still needs to go through the local federal agency to obtain a subpoena that can be used to oblige ISPs to provide data regarding their customers. Federal agencies won’t serve a subpoena unless an investigation is ongoing.
CISA, established a year ago, is obliged by law to warn owners of vulnerable systems, particularly for public utilities and other vital infrastructure. In theory, Homeland Security is only looking to enforce its mandate, but broadening the scope and powers of the agency would raise questions regarding the intrusion of the federal government into the private sector.
If CISA’s request is approved, the agency would be able to demand any information from ISPs related to any company or private individual. The problem is that IP and MAC addresses, along with other identifying characteristics, are not an absolute indication of who’s using a particular endpoint.
According to a TechCrunch report, a proposal to this effect was already submitted to Congress. “The proposal would ensure that businesses would take action if the advisory came directly from the government. The agency is working with lawmakers to prevent any overreach or potential abuse of the authority,” explained a CISA official speaking with TechCrunch.
As it stands, federal agencies can issue subpoenas in the course of a national security investigation without going through a court. CISA’s new-found powers would be even more encompassing, and it wouldn’t be all that surprising if other law enforcement agencies make the same requests.