The House Homeland Security Committee approved two bills reflecting both confidence that the Cybersecurity and Infrastructure Security Agency would perform its cybersecurity functions while protecting privacy, and a need to shield the agency’s chief from the potential whims of changing political administrations and the lure of the private sector.
The Cybersecurity Vulnerability Identification and Notification Act of 2020 would grant CISA the authority to order internet service providers to submit to requests for information associated with IP addresses emanating suspicious activity, and the CISA Director Reform Act would make the CISA director a five-year appointment. Both bills were unanimously reported to the House.
Subpoena power for ISPs is a legislative priority for CISA Director Christopher Krebs, who has noted a need to warn critical infrastructure owners when they are under attack.
“The Internet was not created with security in mind, and in a world that is more interconnected each day through technology, critical systems used to deliver essentials like water and power are at risk of being compromised,” Rep. Jim Langevin, D-R.I., the bill’s sponsor, said in a press release. “This legislation is based on a simple premise we’ve all become familiar with: if you see something, say something. We are taking a proactive step that gives CISA the ability to say something when they see something.”
A similar bill was introduced in the Senate in December by Sen. Ron Johnson, R-Wisc., who chairs the Homeland Security and Governmental Affairs Committee, and Sen. Maggie Hassan, D-N.H., who recently joined the chamber’s cybersecurity caucus.
“Importantly, our bill is narrowly-tailored to protect the privacy rights of all entities, giving CISA only the bare minimum of information necessary,” Hassan said in a press release at the time.
Rep. John Katko, R-N.Y., also noted the importance of such privacy protections today in supporting Langevin’s bill.
Bipartisan sentiment also echoed through Katko’s introduction of the CISA Director Reform Act.
Acknowledging the disruptive effects of constant turnover at top positions, Katko proposes CISA’s director be committed to a five-year term.
There are currently no defined stipulations for the position, and in addition to DHS’ churning through secretaries—which some associate with pressures around President Trump’s border security and immigration goals—CISA, specifically, recently lost a key leader to Google.
The service requirement would take effect with “the confirmation of the new Director of the Cybersecurity and Infrastructure Protection Agency of the Department of Homeland Security, or on January 1, 2021, whichever comes first,” according to the legislation.
“As CISA grows, it requires continued, steady leadership, from the stakeholder engagement with the private sector to its cybersecurity responsibilities for the federal networks,” Katko said. “By establishing an independently appointed five-year term for the position of director of CISA, we’ll enable CISA to attract the top-level talent required to effectively manage the multitude of responsibilities and threats.”
“Additionally,” he said, “the establishment of a five-year term would also guarantee that CISA remain immune to the type of executive-level turnover that could derail it from accomplishing its mission.”
Michigan Democrat Elissa Slotkin added: “The CISA director shouldn’t be vulnerable to the political winds. This is about protecting our cybersecurity, our national security, so I really applaud representative Katko and others who supported this bill.”