The US Cybersecurity and Infrastructure Security Agency (CISA), in charge of leading national cybersecurity and infrastructure resilience programs, wants a change to federal law that would allow it to inspect systems behind ISPs and notify them to fix problems.
The Department of Homeland Security, which oversees CISA, wants to learn about vulnerable systems before they become a security problem. But it still needs to go through the local federal agency to obtain a subpoena that can be used to oblige ISPs to provide data regarding their customers. Federal agencies won’t serve a subpoena unless an investigation is ongoing.
CISA, established a year ago, is obliged by law to warn owners of vulnerable systems, particularly for public utilities and other vital infrastructure. In theory, Homeland Security is only looking to enforce its mandate, but broadening the scope and powers of the agency would raise questions regarding the intrusion of the federal government into the private sector.
If CISA’s request is approved, the agency would be able to demand any information from ISPs related to any company or private individual. The problem is that IP and MAC addresses, along with other identifying characteristics, are not an absolute indication of who’s using a particular endpoint.
According to a TechCrunch report, a proposal to this effect was already submitted to Congress. “The proposal would ensure that businesses would take action if the advisory came directly from the government. The agency is working with lawmakers to prevent any overreach or potential abuse of the authority,” explained a CISA official speaking with TechCrunch.
As it stands, federal agencies can issue subpoenas in the course of a national security investigation without going through a court. CISA’s new-found powers would be even more encompassing, and it wouldn’t be all that surprising if other law enforcement agencies make the same requests.