Legislation on Information Sharing for Security

The Chairman of the Senate Homeland Security and Government Affairs Committee Ron Johnson and Senator Maggie Hassan have introduced a fixed legislative—that would be granting the Cybersecurity and Infrastructure Security Agency (CISA) an administrative subpoena, allowing it to obtain information about vulnerable entities from the ISPs.

Businesses and states in the US are facing an unprecedented number of cyber threats every day. Recently, in response to rising threats, Congress established the nations’ first cybersecurity agency, CISA. The CISA serves as the nation’s risk advisor; it works with several government entities and industries to improve cybersecurity. The main responsibility of the agency is to protect the critical infrastructure by sharing information about the vulnerabilities on a network, which, if left unmitigated, can make the organization susceptible. Though most of these systems sit in the open, the owners of such risky networks aren’t identifiable by the agency, making the process of identification futile.

In the new legislation the amount of contact information provided would be limited in nature. Therefore, the agency could contact the vulnerable subject, such as a hospital or powerplant, to offer information about the potential risks and henceforth some mitigation assistance. 

The agency said that all the cybersecurity programs provided are voluntary, and it’s not a compulsion for the businesses to work with them. Most of the information provided by the agency is beneficial that assists the organizations to better prepare for the vulnerabilities; hence they find the information and services useful. An administrative subpoena is different from a criminal subpoena, and the authority of both the subpoenas is different.

Some authorities have raised concerns regarding the potential misuse of the authority, while there were questions about privacy. The legislation, however, is narrowly being tailored to satisfy the requirements of the cybersecurity agency. According to the agency, the vulnerabilities are pursued only in relation to critical information or organizations, not with regard to individual Americans.