DHS cyber unit wants to subpoena ISPs to identify vulnerable systems

Homeland Security’s cybersecurity division is pushing for a change in the law that would allow it to demand information from internet providers that would identify the owners of vulnerable systems, TechCrunch has learned.

Sources familiar with the proposal say the Cybersecurity and Infrastructure Security Agency (CISA), founded just under a year ago, wants the new administrative subpoena powers to lawfully obtain the contact information of the owners of vulnerable devices or systems from internet providers.

CISA, which warns both government and private-sector businesses of security vulnerabilities, privately complained of being unable to warn businesses about security threats because it can’t always identify who owns a vulnerable system.

The new proposal would allow CISA to use its new powers to directly warn businesses of threats to critical devices, such as industrial control systems — typically used in critical infrastructure. These systems are highly sensitive and are increasingly targeted by hackers seeking to disrupt real-world infrastructure, like the power grid and water supply.

By law, internet providers are not allowed to share their subscriber data without first receiving a legal demand, such as a subpoena, which can be issued by a federal agency without requiring the approval of a court. Lacking those powers, CISA has to rely on its federal law enforcement partners to use their powers to identify owners of vulnerable systems. Law enforcement can only serve subpoenas during an investigation. But CISA says it is still obliged to warn owners of vulnerable systems, even if there is no investigative interest.

The move is likely to spark fresh debate over how much responsibility the federal government has to proactively warn private-sector businesses about possible vulnerabilities in their defenses.

Jake Williams, founder of Rendition Infosec and former NSA hacker, called the move a “huge power grab,” and warned that the proposed new powers are flawed and could be misused.

“I cannot fathom that this will not be used in a way that lawmakers who are drafting the legislation will not have intended,” he told TechCrunch.

Tarah Wheeler, cybersecurity policy fellow at New America, also said the proposals were flawed on technical grounds.

“When you have traffic originating from a botnet, those IP addresses can be made to appear to be coming from anywhere, which means it can be used as an incredibly thin pretext for the government to knock on someone’s door,” she said.

CISA’s request for administrative subpoena powers is not unusual in government. Many federal departments and divisions use these subpoena powers to obtain information from private businesses. But these powers remain controversial, not least because they can be used to obtain large amounts of information without any judicial oversight.

The FBI uses its own controversial administrative subpoena powers to secretly demand subscriber data from phone companies and tech giants. The courts continue to question the legality of these so-called national security letters (NSLs).

A CISA official speaking to TechCrunch on background said that the proposals, which have already been submitted to Congress, would ensure that businesses would be “more motivated” to take action if the advisory came directly from government. The official said the agency was working with lawmakers to prevent any overreach or potential abuse of the authority.

Adam Comis, a spokesperson for the House Committee on Homeland Security, which oversees CISA, did not return a request for comment.
