The Department of Homeland Security wants new authority to subpoena internet service providers (ISPs) to identify vulnerable IT systems, but some cybersecurity experts and privacy advocates aren’t fans of the plan.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency, known as CISA, has asked Congress to give it the power to issue administrative subpoenas to ISPs as a way to obtain the contact information of the owners of vulnerable devices or systems, TechCrunch recently reported. CISA has said it’s challenging to identify these owners without contact information from ISPs.
Under current law, ISPs aren’t allowed to share subscriber information without subpoenas or court orders. The Department of Homeland Security didn’t respond to a request for comments on its proposal.
Privacy advocates and cybersecurity experts questioned the proposal, saying it might lead CISA to target innocent victims of cybercrime, given the difficulty of identifying sources of attacks.
CISA is the wrong agency to give subpoena power, said Leo Taddeo, chief information security officer of secure data center provider Cyxtera and a former FBI special agent focused on cybercrime. Compared to grand jury subpoenas, administrative subpoenas can speed up investigations for law enforcement agencies, he said.
“However, CISA is not a law enforcement agency,” Taddeo added. “It lacks the personnel, processes, and infrastructure to conduct proper oversight of the power it seeks.”
Subpoena power won’t help CISA find website owners who don’t want to be identified, added Eric Jeffery, a cybersecurity consultant. Many people, when they register an IP address, provide contact information that’s publicly available in the WHOIS domain lookup tool, and that tool is available to CISA.
But owners of websites who want to hide their identity don’t provide accurate information to WHOIS, spoof their IP addresses, or use other tools keep their information private, Jeffery noted.
“Systems without contact data are either nefarious, put up by people or entities that want privacy, or by incompetent or lazy people who don’t update their information,” he said. CISA subpoena power won’t help identify website owners hiding their identities, and “we shouldn’t risk everyone’s privacy” to find website owners who fail to update their information.
“This is a tough and sensitive question,” Jeffrey added. “We’re talking about privacy versus safety and security. My take, due to technical reasons, I lean toward privacy and not allowing the DHS Cyber Unit subpoena power.”
There are other ways to track down the owners of internet-connected systems without subpoenas, Jeffrey said. In one recent case, he was able to identify the owner of an overseas system communicating with a client computer in less than 30 minutes.
“I didn’t need a subpoena to do that, as I used publicly available information to identify the owner,” he said. “If I can do it, so can the DHS, without a subpoena.”
New subpoena power at the Department of Homeland Security could lead to the same privacy problems that have happened at other agencies, said Aaron Turner, CEO of Hotshot, a secure identity and messaging vendor. For example, the FBI has used administrative subpoenas authorized by the Patriot Act to obtain personal data from dozens of companies.
“We should be reducing the U.S. federal government’s executive branch powers in this area, not increasing them,” Turner added.
In addition to subpoena abuses at other agencies in the past, the Department of Homeland Security has a “poor track record of helping to manage the vulnerabilities of the government’s systems,” he said. “Before they start spreading themselves thinner in trying to regulate private infrastructure owners, they need to do a better job showing that they can manage their own government system problems.”
Other observers suggested that Congress may be able to limit the subpoena power it gives CISA. Careful crafting of the authorizing legislation and active oversight would be needed, said Braden Perry, a lawyer specializing in federal enforcement cases with the Kennyhertz Perry law firm near Kansas City, Missouri, said.
Administrative subpoenas, which aren’t issued by a judge, are “powerful tools,” he said. “One issue I see consistently with administrative subpoenas is the broadness that the subpoenas can take, and many times, it’s an easy way to gain a lot of information in a subpoena sweep seeking broad documents or communications among a number of industry participants.”
While ensuring the safety of cyberinfrastructure is a crucial role of CISA, Perry said that “proper controls should be in place before providing the government with greater power.”
