DHS Cyber Agency Seeks Subpoena Authority to Obtain Cyber ‘Victim’ Info

On Dec. 12, Senators Ron Johnson (R-Wis.) and Maggie Hassan (D-N.H.) introduced legislation that would grant DHS’ Cybersecurity and Infrastructure Security Agency (CISA) the authority to issue subpoenas forcing ISPs to tell it the true identities of entities that CISA has identified as having security vulnerabilities. As CISA Director Christopher Krebs explained in a recent Lawfare Blog post: “Unfortunately, too often we [at CISA] come across cybersecurity vulnerabilities sitting on the public internet and are unable to act because we cannot identify the owner of the vulnerable system,” and “[a]fter years of trying several different methods to contact these affected entities and share what we’ve found, the status quo is simply not working.”

The proposed legislation would permit CISA to issue administrative subpoenas aimed at “detecting, identifying and receiving information about security vulnerabilities in the information systems and devices of federal and non-federal entities,” as well as notifying owners and operators that they are at risk. The subpoenas would apply to enterprise devices and systems, which the agency defines as “any system or device commonly used to perform industrial, commercial, scientific or governmental functions or processes.”

The first question is: how is it that a U.S. government agency is coming across specific vulnerabilities in specific devices at specific IP addresses? Is CISA conducting penetration tests on U.S. infrastructure without the knowledge or consent of the owners of that infrastructure? Is the agency using internet-wide scanning services such as Shodan to identify these systems? (Such services, and passive collection of service banners and unauthenticated web interfaces, routinely reveal a device’s vendor, model and function without logging in or exploiting anything, which would explain how CISA can know what a system controls but not who operates it.) Clearly CISA knows a lot about the infrastructure and the vulnerabilities. As Krebs noted, “CISA is currently aware of a system that controls water pumps, one controlling an oil and natural gas facility, and one controlling emergency management equipment that can be accessed without a password and modified by anyone with an internet connection.” These exposed industrial control systems pose a critical risk to the nation, and CISA knows the nature of the infrastructure, what the system controls (for example, that it is controlling an oil and natural gas facility), the IP address the system is connected to and the owner of the IP address range (the ISP). What the agency apparently doesn’t know is which oil and gas facility is vulnerable. If CISA is not directly conducting pen tests, is it working with third-party testers to identify specific systems with vulnerabilities and, if so, under what legal authority?

Information Sharing

OK, so let’s assume that CISA has the legal authority to obtain this specific vulnerability information, and it wants to share it with the vulnerable entity. Of course, the ISP knows who the vulnerable entity is. CISA could share this data with the ISP and request that the ISP pass it on to its customer, rather than have the ISP share the customer’s identity with the federal government. I assume that this is one of the methods CISA has tried and found lacking, although Krebs didn’t describe what efforts CISA uses to contact “victims,” how frequently these techniques failed, or why they failed. If CISA knows the particular software or hardware that is vulnerable, it can provide this information to the vendor together with the IP address and have the vendor take care of it (assuming the vendor keeps licensing, registration or support records that map a deployed device to a customer). Another possibility is for the ISP to notify its customer that CISA is attempting to contact them and to forward CISA’s information to the customer. Finally, for those in the critical infrastructure that participate in vetted ISACs (Information Sharing and Analysis Centers), CISA could create a database containing the vulnerability and IP information, and members could be encouraged to search it for their own address ranges. In none of these cases would CISA need to know the owner of the IP address.

The problem of identifying entities with vulnerabilities is not limited to CISA. Lots of white, grey and black hat hackers identify specific systems with specific vulnerabilities and want to inform others about the vulnerabilities. White hat hackers want to inform the victim so that the vulnerability can be fixed; grey hats often have the same motivation but often with a request or demand of compensation; black hats usually share for exploit purposes. Whatever system we develop to permit those who know about vulnerabilities to share data with those who have the vulnerabilities should include entities in addition to just CISA and other government entities, while protecting both the identity of the vulnerable entities and, of course, the vulnerability data itself.

A better approach than compelling ISPs to give DHS their vulnerable customers’ data is to require ISPs to provide their customers with DHS’ information (and give them both immunity and perhaps grants to offset the costs of doing so). Regulators could encourage or require those in the critical infrastructure to establish incident response or vulnerability contact information specifically to receive this information from their own ISP (a single designated point of accountability, a “bellybutton” to poke). That way, if credible vulnerability information were provided by CISA or by a white or grey hat hacker (or even through a bug bounty), the ISP could be an effective conduit for sharing (and documenting the sharing of) that information. If the entity failed to act on the information shared, and this failure led to a breach or disruption, the entity would have the same liability it currently has under negligence law, but its duty to act would now be informed by its documented knowledge of the vulnerability.

Current Law

Krebs also explained in the blog post, “Current law … prohibits ISPs from sharing the identity of their customers with the federal government without a legal mechanism requiring it.” While many ISPs have Terms of Service or privacy policies that generally assure their customers that their data won’t be sold or shared (and such policies are frequently enforceable as contracts), all of the privacy policies and terms of service I have seen for ISPs specifically permit sharing of certain data to protect the customer. So, it’s a bit of a stretch to say that “current law prohibits ISPs from sharing identity information.”

One law, 47 USC 222, provides that telecommunications carriers (not ISPs, which are no longer regulated as common carriers) may not disclose Customer Proprietary Network Information (CPNI) except as required by law or with the customer’s approval, but it also provides that CPNI does not include subscriber list information.

The 2018 U.S. Supreme Court decision in Carpenter v. United States required that the government get a search warrant to compel a cell phone provider to disclose historical cell-site location records about a subscriber, but I am aware of no law or interpretation that prohibits an ISP from sharing the identity of its customers with the federal government without a legal mechanism requiring it. Most ISPs, desiring to protect the privacy of their customers, would ordinarily refuse to provide subscriber information without compelled process (or some emergency), but this is not the same as saying that the law forbids such disclosure.

It would have been more persuasive if Krebs had cited a particular statute or ruling that prohibited ISPs from disclosing data, rather than a general statement. Various privacy laws, including California’s CCPA, generally prevent unnecessary disclosure of personal information, which could include subscriber information, but it’s not clear that CCPA would apply to disclosures to a federal agency (probably should, though) or that it would prevent disclosures that are intended to prevent harm to the data subject themselves. To claim, without support, that the law prohibits ISPs from providing what amounts to non-content information when providing it will prevent imminent harm to the customer is … well, strange. It’s not that such a law may not exist, it’s just that it’s difficult to pin it down.

Administrative Subpoenas

The legislation would permit CISA to issue administrative subpoenas to ISPs that would have the effect of compelling them to produce the personal data of ISP subscribers—over their own objections and/or over the objection of the customer. While Krebs notes that CISA participation is “voluntary,” there is nothing “voluntary” about an administrative subpoena. Krebs noted: “An administrative subpoena is different from a criminal subpoena, and the authority we are seeking is fairly common across the federal government …” That makes it sound like an administrative subpoena is less compulsory and less risky than a criminal subpoena.

Yes, an administrative subpoena is different from a criminal subpoena. A criminal subpoena requires a federal prosecutor to open a grand jury investigation and obtain the authority to issue subpoenas on the grand jury’s behalf, so investigators must secure the participation of a trained federal prosecutor and the grand jury to compel production. It also permits the ISP and/or the customer to object by filing a motion to quash, or to require the government to file a motion to compel. It is issued in the name of the court and enforced by the court. Criminal subpoenas are limited by the jurisdiction of the court in whose name they are issued, and must call for production of non-privileged, material evidence (a higher bar than simply “relevant”) within the investigative authority of a properly convened grand jury, the production of which is not unduly burdensome or oppressive and is not sought for some improper purpose.

An administrative subpoena does not require the approval of a prosecutor, a judge or a grand jury. It does not require any law enforcement purpose. More than 300 federal agencies have the power to issue such subpoenas (including various components of the Department of Homeland Security). Administrative subpoenas may be issued by one person, an agency head or anyone to whom that authority is delegated, and need only be reasonably related to the statutory purpose (unlike criminal subpoenas, which require a higher standard). An administrative subpoena will be enforced unless it is “plainly incompetent or irrelevant to any lawful purpose of the [requesting official] in the discharge” of their statutory duties.

With tens of thousands of exposed IP addresses, and more “rogue” IP addresses being used by botnets, we could expect CISA to issue tens of thousands of such administrative subpoenas compelling ISPs to produce information about their customers. Once produced, it’s not clear whether the legislation (which has not yet been printed by GPO) would require CISA to only use that information to notify the “victim” and then delete or destroy the information thereafter, or whether CISA could share the information with others, including regulators to establish that the entity with the vulnerability, for example, was in breach of a contract with the federal government requiring security or had liability to third parties for failure to secure their data. Data, like life in Jurassic Park, will find a way.

It seems here that the tail may be wagging the dog. CISA wants subpoena authority, and this “problem” may be one way for them to get it. For example, when CISA issues an administrative subpoena to an ISP, will the ISP be permitted to notify its customer before it provides the information? If the customer objects (or refuses to respond), can the ISP be excused from complying? Are there civil, administrative or criminal sanctions on CISA employees who issue administrative subpoenas outside the scope of the authority? Must the subpoenaed data be destroyed by CISA after the agency has notified the customer about the vulnerability, and are there sanctions to CISA employees for failure to delete the data? Will CISA be required to report to Congress and the public about the number and scope of such administrative subpoenas issued? Can they compel U.S.-based or resident ISPs to produce data about IP addresses of entities located outside the U.S.? Will CISA share subpoenaed data with foreign regulators or security entities?

It’s a laudable goal to tell people that they are vulnerable so they can fix the problem. I’m not sure that, in the wake of the Department of Justice Office of Inspector General report on investigative abuse of FISA, giving a government agency more power to secretly compel production of information is the best way to achieve this goal.

Mark Rasch


Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.