January 1, 2020 – Senators Ron Johnson (R-WI) and Margaret Wood Hassan (D-NH) have introduced the Cybersecurity Vulnerability Identification and Notification Act of 2019.[1] The primary purpose of the bill (S. 3045) is to give the Department of Homeland Security power to subpoena Internet service providers (ISPs) for subscriber information related to IP addresses that are associated with critical infrastructure systems and devices that are vulnerable to cybersecurity threats.

First, the bill codifies an additional “function” for DHS’ National Cybersecurity and Communications Integration Center’s (NCCIC) mission – “detecting, identifying, and receiving information about security vulnerabilities relating to critical infrastructure in the information systems and devices of Federal and non-Federal entities for a cybersecurity purpose.” The NCCIC is “a national hub for cyber and communications information, technical expertise, and operational integration.” It is located within DHS’ Cybersecurity and Infrastructure Security Agency (CISA), which “is responsible for protecting the Nation’s critical infrastructure from physical and cyber threats.”

Second, the bill gives the Department of Homeland Security limited power to subpoena ISPs for information related to critical infrastructure that is vulnerable to cyber threats. Let’s say CISA and NCCIC discover an information system or Internet-connected device which has a security vulnerability, and the system or device controls or interfaces with critical infrastructure, such as a power grid. If this happened, CISA would contact the owner of the system or device and tell them to fix the problem.

But, what if CISA does not know who owns or controls vulnerable information system or connected device, and is only able to identify the numerical IP address assigned to the system or device. CISA could call the ISP that controls the IP address, but the ISP would not be able to voluntarily give CISA information about who is using the IP address.

Current federal law, the Stored Communications Act, prohibits ISPs and other communications service providers from voluntarily disclosing information regarding subscriber accounts, including which subscriber is associated with or uses a certain IP address.[2] This is why CISA cannot email an ISP to asks for details about who controls a device connected to a certain IP address. Rather, that’s why the ISP wouldn’t be able to provide an answer.

However, the Stored Communications Act establishes ways a governmental entity can compel an ISP to disclose customers records.[3] A governmental entity can obtain information about the owner of an IP addresses with a valid warrant, court order, or subpoena. Also, and what’s relevant here, a governmental entity also may use an administrative subpoena authorized by federal or state statute to obtain six pieces of subscriber information.[4] This is what the Cybersecurity Vulnerability Identification and Notification Act of 2019 would do – give DHS the power to issue an administrative subpoena. The subpoena, though, would be limited to obtaining four pieces of subscriber information: name, address, length of service (including start date) and types of service utilized, and telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address.[5]

There are a few more things in the bill, such as how DHS must implement the subpoena process, a requirement to coordinate with other agencies so as not to interrupt an ongoing investigation, measures to enforce the subpoena, and requirements on the retention, use, and destruction of information obtained from a subpoena.

*****

[1] Cybersecurity Vulnerability Identification and Notification Act of 2019, S. 3045, 116th Cong., 1st Sess. (Dec. 12, 2019).

[2] 18 U.S.C. §§ 2701–2712. The Stored Communications Act makes up Title II of the Electronic Communications Privacy Act. Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848. Title I of the ECPA extended the Wiretap Act to the contents of electronic communications in transit. 18 U.S.C. §§ 2510–2522. Title III added the pen register and trap and trace statutes covering non-content communications. 18 U.S.C. §§ 3121–3127.

[3] 18 U.S.C. § 2703(c).

[4] 18 U.S.C. § 2703(c)(2).

[5] The subpoena may only seek information in the categories set forth in subparagraphs (A), (B), (D), and (E) of section 2703(c)(2) of title 18, United States Code.