The cybersecurity division of Homeland Security is planning to bring in a law that would give it the power to demand information from internet providers in order to identify vulnerable systems.
According to a report by TechCrunch, the Cybersecurity and Infrastructure Security Agency (CISA), which was founded in November 2016, is now seeking administrative subpoena power to legally obtain information about vulnerable systems and their operators from their internet providers.
CISA, which continues to warn government and private businesses about security vulnerabilities, has secretly complained that it is not able to adequately protect businesses from security threats because it cannot determine who is operating the vulnerable systems.
Under the new proposal, CISA will have the power to warn businesses about critical threats directly. The emphasis here is on the protection of industrial control systems, which, if breached, may have a huge impact on power systems and water supplies.
Existing law does not require internet providers to share their subscribers' data with CISA. To obtain any such data, CISA needs a subpoena from a federal authority. Lacking these powers, CISA cannot identify the vulnerable systems and their owners. Such a subpoena is only issued in cases of investigation by the federal government, but CISA still needs one in order to warn businesses of potential threats.
However, there is another side to the story as well. Jake Williams, the founder of Rendition Infosec and a former NSA hacker, called this move a huge power grab and cited the potential for heavy misuse.
I cannot fathom that this will not be used in a way that lawmakers who are drafting the legislation will not have intended.
Tarah Wheeler, a cybersecurity professional at New America, said:
When you have traffic originating from a botnet, those IP addresses can be made to appear to be coming from anywhere, which means it can be used as an incredibly thin pretext for the government to knock on someone’s door.
CISA's request for administrative subpoena power is not the first of its kind. However, these powers have always been controversial because they have no judicial supervision.
The FBI already has a similar ability, which allows it to demand subscriber data from phone companies and tech behemoths. Courts are still questioning the authenticity of the national security letters (NSLs) that grant it the authority to do so.