The cybersecurity branch of the Department of Homeland Security has requested legal permission from Congress to demand data from internet service providers in a bid to prevent cyber-attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has chosen National Cybersecurity Awareness Month to seek administrative subpoena authority, which will give it the power to compel ISPs to hand over information.
Currently, when the DHS identifies cybersecurity weaknesses in the private sector, it can obtain only the IP addresses of vulnerable systems. If granted administrative subpoena authority, the DHS will have the power to require ISPs to turn over the contact details of the owners of the vulnerable systems.
The department's plan is to use this information to directly contact the owners and warn them about the vulnerabilities in their cybersecurity.
CISA assistant director for cybersecurity and communications Jeanette Manfra said: "We can see a lot of industrial control systems or potential industrial control systems, in particular, that have potential vulnerable systems that are accessible from the public internet.
"Over many years, we have tried many methods to be able to contact these entities. The challenge is that the law actually prohibits an internet service provider from telling us who that customer might actually be."
Manfra said that while the DHS can often locate the vulnerable entity on its own with a spot of detective work, this process can take hours or even weeks, leaving the entity exposed to threat actors.
The logic of the request is easy to follow; however, it does raise some serious privacy concerns.
"We're very aware of the concerns about overreach," said Manfra. "We have a long history of collecting similar types of data through voluntary programs and demonstrated ways of protecting that, as well to ensure that the information is used only for the purposes for which it was collected."
The proposal is currently being scrutinized by the House of Representatives and Senate Homeland Security panels.
CISA was created in November last year with the mission to partner with both industry and government to understand and manage risks to America's critical infrastructure.