Langevin Bill Granting CISA Limited Subpoena Authority Passes House Committee on Homeland Security

Jan 29, 2020 Issues: Cybersecurity

WASHINGTON – This morning, the House Committee on Homeland Security favorably reported H.R. 5680, the Cybersecurity Vulnerability Identification and Notification Act. The bill was introduced by Congressman Jim Langevin (D-RI), a senior member of the committee. H.R. 5680 amends the Homeland Security Act of 2002, granting the Cybersecurity and Infrastructure Security Agency (CISA) administrative subpoena authority to help identify and notify critical infrastructure entities of cybersecurity vulnerabilities on their systems.

“The Internet was not created with security in mind, and in a world that is more interconnected each day through technology, critical systems used to deliver essentials like water and power are at risk of being compromised,” said Langevin. “This legislation is based on a simple premise we’ve all become familiar with: if you see something, say something. We are taking a proactive step that gives CISA the ability to say something when they see something.”

The bill aims to address instances in which CISA identifies a vulnerable system but is limited in its response because it cannot identify and engage with the system’s owner. Under current policy, telecommunications companies that may hold subscriber information that could make it easier to identify the subscriber assigned an IP address are prohibited under the Electronic Communications Privacy Act from disclosing it to the U.S. government absent a compulsory legal process.

“While CISA analysts work diligently to monitor and uncover risks, current policy impedes them in their efforts to warn at-risk critical infrastructure operators,” continued Langevin. “There have been numerous instances where CISA has not been able to identify the owner of a vulnerable system and warn them of their exposure.”

In developing the legislation, Langevin worked to ensure there would be strong privacy protections for industry partners. The CISA Director will only be able to issue a subpoena when the agency knows of a specific cybersecurity risk to an entity but is unable to determine who the entity is. The subpoena authority only applies to basic categories of subscriber information such as name, address, and telephone number. The legislation makes clear that such data are only to be used for notification about a risk, not for surveillance or investigation purposes. After being contacted by CISA, an entity would choose whether to request further assistance or not.

H.R. 5680 is cosponsored by Representatives John Katko (R-NY), Bennie Thompson (D-MS), Cedric Richmond (D-LA), Sheila Jackson Lee (D-TX) and John Ratcliffe (R-TX). Similar legislation was introduced in the Senate by Senators Ron Johnson (R-WI) and Maggie Hassan (D-NH). The bill will now be forwarded to the full House for consideration.

Full bill text of H.R. 5680.