The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is circulating draft legislation that would give CISA the authority to issue administrative subpoenas to compel the disclosure of certain subscriber information relating to critical infrastructure. The stated purpose of the legislation is to enhance CISA’s ability to notify entities associated with critical infrastructure of security vulnerabilities that could result in the compromise of an industrial control system.
The Discussion Draft is designed to address a problem that CISA has encountered: it is able to identify cybersecurity vulnerabilities in critical infrastructure systems, but it doesn’t know the identity of the entity that controls the system. Although it has the IP address of the device with the vulnerability, it does not know how to contact the controller of the device to warn them about the vulnerability. The internet service provider (ISP) that connects that device to the internet assigns the IP address that CISA can see, and it has identifying information about the entity to which the IP address is assigned. CISA proposes that it be given the authority to compel the ISP to disclose the identity of the entity controlling the critical infrastructure so CISA can notify it of the vulnerability and work with that entity to address it.
While the proposed authority is limited, it may not be necessary because ISPs can already notify their customers of security vulnerabilities that CISA identifies to the ISP. In this post, we will provide background information about the proposal, the problem it would address, the privacy concerns it creates and how those concerns could be mitigated. We will also explore an alternative approach: have CISA disclose the vulnerability it has detected to the ISP so the ISP can give its customer notice without disclosing the customer’s identifying information to the government.
To its credit, CISA has reached out to industry and to the privacy community for input regarding its legislative proposal. We believe the proposal is important enough to warrant hearings at which Congress could consider whether alternatives are viable, and if not, how CISA’s proposal could be improved. If alternatives are not viable, CISA’s legislative proposal should be tightened to, among other things, bar the use and the disclosure of subscriber information disclosed pursuant to the subpoena for any purpose other than the stated purpose of the proposal: notifying an entity of a vulnerability in its critical infrastructure system.
CISA, formed in November 2018, is the successor to the DHS National Protection and Programs Directorate (NPPD). It acts pursuant to the 2015 Cybersecurity Information Sharing Act to facilitate the sharing of carefully defined cyberthreat information from the private sector to the government, and vice versa. A key premise of the 2015 legislation was that the sharing of cyberthreat information from the private sector to the government would be voluntary because there was concern that mandatory information sharing would be difficult to execute and would result in over-disclosure of non-public personal information. The Discussion Draft CISA is circulating would undermine the premise of this legislation by giving CISA the authority to compel ISPs to disclose certain cyberthreat information that ISPs are prohibited from volunteering to CISA under the Electronic Communications Privacy Act, 18 USC 2702.
The authority sought under the bill is limited in that it: (i) pertains only to a subset of cyberthreat information – a security vulnerability (as defined in 6 USC 1501(17)) that “relates to” critical infrastructure, and (ii) authorizes compelled disclosure of only subscriber information of the type that could be used to identify and notify the entity with the security vulnerability. That is, no communications content could be compelled under this authority. The subscriber information that could be compelled is limited to subscriber name, physical address, length of service, type of service utilized, temporarily assigned IP address, device number, and the subscriber number or identity. 18 USC 2703(c)(2)(A),(B),(D), and (E).
That said, the scope of the disclosures CISA envisions is vast: it would issue one subpoena to each affected ISP for each identified vulnerability. Thus, if a large ISP like AT&T or Verizon receives a subpoena that describes a security vulnerability that thousands of its customers have that “relates to” critical infrastructure, the ISP would be compelled to disclose subscriber information about those thousands of customers in response to that subpoena. “Thousands” of disclosures based on a single subpoena is not imaginary – it is drawn from one of the cases CISA has identified as showing the need for this authority. Other vulnerabilities could involve fewer disclosures.
CISA has made a strong showing to elements of the privacy community and to staff for the House Homeland Security Committee and the Senate Homeland Security and Governmental Affairs Committee. Using publicly available search tools such as Shodan.io, CISA officials have demonstrated that vulnerabilities in industrial control systems are easy to find on the open internet, and are sometimes easy to exploit, with potentially significant or catastrophic consequences. Industrial control systems are devices, networks, and controls that manage industrial processes electronically. They appear in critical infrastructure such as the transportation, energy and water treatment industries. CISA has indicated that use of the Shodan search engine reveals 82,000 industrial control system devices across the United States that are directly accessible from the internet. Vulnerabilities in those systems could be targeted.
While Shodan can identify a device that may have a security vulnerability, it cannot reliably identify the entity that owns or controls that device. Typically, it reveals the IP address of the device that has the security vulnerability. CISA is seeking the authority to present the IP address to an ISP and to compel the ISP to reveal identifying information about the entity owning or controlling the device to which the IP address was assigned at a particular date and time. ECPA prohibits the voluntary disclosure of this information to a governmental entity in the U.S.; instead, it requires a showing of relevance to a pending criminal investigation – a showing impossible to make in these circumstances. ECPA also permits disclosure of subscriber information in response to an administrative subpoena. In essence, CISA is asking to be added to the list of government agencies that have administrative subpoena authority and that therefore can compel disclosure of information with an administrative subpoena in the absence of a criminal investigation.
Risks of Administrative Subpoena Authority
Administrative subpoenas are risky to civil liberties because they can be used to demand sensitive information without any judicial authorization. Typically, administrative subpoena authority is given to an agency with regulatory responsibilities so it can carry them out even though there is no criminal investigation that could be the basis for a criminal subpoena. According to a 2012 report by the Congressional Research Service (which in turn relied on a 2002 report by the Department of Justice), over 300 statutes authorize administrative subpoenas, and the number of such authorizations is increasing.
Administrative subpoena authority is easy to abuse when the administrative subpoena is issued to a third party who has little incentive to challenge the disclosure that is sought, as is the case with the authority CISA is seeking. The ISP that receives a questionable or overbroad CISA administrative subpoena has little incentive to challenge the disclosure of identifying information about its customer. This incentive diminishes further if the ISP is given liability protection for making such a disclosure, and if the administrative subpoena can be enforced in a court far from the ISP’s offices. A requirement of prior notice of the disclosure that is sought would ameliorate some of these concerns, but the information needed to give prior notice isn’t available to CISA – that’s the very information for which CISA seeks disclosure.
In fact, administrative subpoena authority has been abused. For example, in May 2019, the Inspector General of the Department of Justice issued a report showing that the Drug Enforcement Administration had abused its authority (21 USC 876(a)) to issue administrative subpoenas in drug investigations. It used this authority to obtain, in bulk, a record of every call from the United States to a list of countries the DEA determined had a “nexus to drugs” from the 1990s until 2013. It is hard to imagine that every phone call made to one of these countries could be relevant to a drug enforcement investigation. But somehow the agency convinced itself of this, and because no judge had to sign off, the subpoenas for bulk collection were issued. This practice was stopped in the uproar that followed the 2013 revelations by former National Security Agency contractor Edward Snowden of a similar program for the NSA’s bulk collection of telephone call records.
Specific Concerns with the Administrative Subpoena Authority CISA Seeks
While CISA has, to its credit, built certain privacy protections into its proposed administrative subpoena authority, it has made a glaring omission: there are no restrictions on the use or sharing of the subscriber information that is disclosed to CISA in response to an administrative subpoena. While the subpoenas would be issued for the purpose of “detecting, identifying and receiving information about security vulnerabilities relating to critical infrastructure,” use of the information once disclosed is not limited, and the sharing of such information is not limited to a particular purpose. The subpoenas are issued in coordination with the Department of Justice and the FBI to avoid interference with ongoing criminal investigations. That coordination, coupled with the absence of use and dissemination restrictions, creates a risk that administrative subpoena authority granted for the cybersecurity purpose of notifying critical infrastructure entities of vulnerabilities could also be used for law enforcement purposes.
Instead, the proposal should be amended to limit the purpose for which administrative subpoenas could be issued to, “obtaining information necessary to identify and notify an entity of a vulnerability in critical infrastructure.” The proposal should further be amended to limit the use of the information obtained to that purpose, and to limit the dissemination of information obtained to that purpose. This approach would remedy the absence of use and dissemination limitations, and replace the vague “relates to” critical infrastructure with a requirement that the vulnerability to be addressed is “in” the critical infrastructure system. We believe these changes would go a long way toward protecting the privacy of information obtained through the administrative subpoena authority that CISA seeks.
In addition, the proposal defines in very broad terms the “enterprise device or system” that could have a vulnerability that triggers an administrative subpoena. It is a “device or system commonly used to perform industrial, commercial, scientific or governmental functions or processes that relate to critical infrastructure….” That definition sweeps in most computers regardless of whether they are actually being used in critical infrastructure. A limiting clause excludes from this definition, “personal devices and systems,” but fails to identify what they are. Instead, “personal devices and systems” not subject to this authority should be carefully defined.
Finally, the proposal authorizes the Department of Justice to enforce the administrative subpoenas in any judicial district in which the ISP served with the subpoena transacts business. According to Broadband Now, which endeavors to list all of the ISPs in the United States, a number of relatively small ISPs have customers in many states. To ensure that small ISPs can challenge questionable or overbroad subpoenas for their customers’ records, enforcement actions should be limited to districts in which the ISP resides or has a corporate office.
While the concerns outlined above are significant and need to be addressed, CISA has proactively incorporated a number of privacy protections that are very helpful and that should be maintained should the legislation move forward. The Discussion Draft includes the following protections:
- Only certain classes of subscriber information – not content – can be obtained with the administrative subpoena authority;
- Procedures that govern the use of this authority must be adopted and must require notice within seven (7) days to the subject of the subpoena;
- Information obtained with a subpoena that is determined to be unrelated to critical infrastructure must be destroyed immediately;
- Personally identifiable information obtained with an administrative subpoena must be destroyed within six (6) months, absent consent by the party identified by the subpoena response;
- The procedures required in the Discussion Draft must be published;
- The Director of DHS must submit an annual report to Congress disclosing, among other things, the number of administrative subpoenas issued, the source of security vulnerabilities detected, and the “outcome of the subpoena,” including any mitigation of the vulnerability. The legislation should require that there be a public version of this report. Because a single subpoena can compel many disclosures, the number of entities whose subscriber information was disclosed to CISA pursuant to this authority should be disclosed to the public, as well as the number of subpoenas issued.
An Alternative Solution
Instead of CISA requiring the ISP to disclose identifying information about its customer, CISA could disclose to the ISP the information CISA has about the vulnerability – including the IP address of the entity with the vulnerability – and the ISP could notify its customer of the problem. This approach would have the effect of protecting the subscriber information from disclosure to the government. There are some key questions CDT will interrogate regarding this alternative approach to determine its viability, including: Can ISPs provide the necessary notice? Is providing such notice a potentially profitable service? Would such notice be trusted, or would it be disregarded as a marketing ploy? Could DHS work with ISPs to develop notices that would be effective and would be routed to the cybersecurity professionals in the entity with the vulnerability?
Vulnerabilities in critical infrastructure are a significant problem that should be addressed. CISA has put forward a legislative proposal to give it new authority to compel disclosure of subscriber information it would use to provide notice to entities that have vulnerabilities CISA has identified. Before Congress acts on this legislation, it should conduct hearings to determine whether an alternative to CISA’s approach – provider notice of the vulnerability – could be made viable, and to consider privacy-protective changes to the proposed legislation.