Sen. Ron Johnson, R-Wis., tacked on an amendment to the National Defense Authorization Act (NDAA) that would allow the cyber agency of the Department of Homeland Security (DHS) to subpoena internet service providers (ISPs) for information relating to vulnerabilities of critical infrastructure.
Johnson, who originally introduced S.3045 last December, added an amendment to the NDAA on June 25. The amendment allows DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue subpoenas to compel ISPs to reveal the system owner behind an IP address when the system has demonstrated vulnerabilities and is deemed critical infrastructure.
“The administration strongly supports this legislation, and I urge Congress to act on it to close this critical gap in our nation’s cybersecurity,” said CISA Director Christopher Krebs, in a blog post, championing the original legislation last December. “This limited information would enable us to contact an entity subject to vulnerabilities, such as a power plant or hospital, to inform them of the potential risk and offer mitigation advice or assistance.”
Similar stand-alone legislation has been introduced in the House by Rep. Jim Langevin, D-R.I., but the provision was not in the House Armed Services Committee chairman’s mark, which was debated last week. The House NDAA advanced out of committee last week.
The Senate will complete consideration of its bill after its July recess, according to a July 2 floor speech of Sen. Jim Inhofe, R-Okla. The final bills passed by the two chambers will then enter a reconciliation process. “Very likely it could be November before we actually end up passing this bill,” Sen. Inhofe said.