According to the U.S. Department of Homeland Security (DHS), the scale and scope of the threats currently facing the nation’s critical infrastructure has reached a point where it must now start taking some unprecedented steps in the name of public safety. DHS is now requesting that the U.S. Congress grant it extraordinary administrative subpoena powers so that it can request that Internet Service Providers (ISPs) turn over the contact information for the owners of different industrial control systems. As might be imagined, this is now setting up a debate between proponents of greater public safety and proponents of greater individual privacy.
Why DHS is requesting subpoena authority for industrial control systems
What is important to keep in mind is that this request for new subpoena powers did not suddenly materialize out of the blue, as some sort of government power grab. Instead, the momentum behind subpoena powers has been building steadily since November 2018, when the Department of Homeland Security created the Cybersecurity and Infrastructure Security Agency (CISA) to oversee the safety and security of the nation’s critical infrastructure and industrial control systems.
In the course of carrying out its mandated duties, however, CISA often found itself in a very difficult situation. It might have isolated a potential threat to the nation’s critical infrastructure, but when it came time to alert the owner of industrial control systems of a potential threat, it often found itself stymied. Often, the identity of the owner was not publicly available, and the only way to find out the identity would be to request that information from an ISP. However, in the current legal environment, the DHS cannot issue a subpoena to force an ISP to identify the owners of vulnerable systems or hand over information about IP addresses. And, even when the DHS worked side-by-side with law enforcement to ascertain the identity of the owner, it was again stymied because law enforcement can only issue a subpoena in the course of a criminal investigation. If there is no crime (or no potential crime), then it is not possible to issue a subpoena.
Which bring us to where we are today – the DHS is looking for another alternative to getting subpoena powers, and the only avenue open to it right now is asking Congress directly for those subpoena powers. According to DHS, it is only doing so in the name of public safety, given the clear and present danger facing the nation’s industrial control systems.
Privacy advocates question the real intentions of DHS
While the request from DHS and CISA sounds reasonable on the surface, it’s perhaps not surprising that it has drawn the attention of privacy advocates, who worry that the government is heading down a slippery slope. There is a very real fear that subpoena powers will be misused or abused. They see subpoena powers as being a clear example of government overreach. Surely, they say, there must be a way to figure out who owns the different industrial control systems without having to resort to subpoena powers, right? As they see it, DHS could use subpoena powers to gather as much information as they want about any company that is part of the nation’s critical infrastructure, and not just those that maintain industrial control systems.
Moreover, there is a very real risk that granting subpoena powers to DHS will enable “bullying” behavior, in which the government begins to mandate fixes and changes to elements of critical infrastructure, all in the name of national security. For example, say that CISA discovers a potential new vulnerability affecting utilities, and wants to warn them of this vulnerability. Since CISA is part of DHS, it might also know that rogue Russian, Iranian or North Korean hackers are also working to infiltrate public utilities in the U.S. Armed with this information, they might be able to browbeat companies into making changes to their IT infrastructure: “Fix this vulnerability or face penalties or fines for not doing so.”
DHS defends its request for subpoena powers
To all this, of course, the U.S. Department of Homeland Security says that people are over-thinking things way too much. First of all, it says, it is not requesting “criminal” subpoena powers – it is requesting “administrative” subpoena powers. Thus, just because the government is issuing a subpoena doesn’t mean that any crime has taken place, or that any wrongdoing has taken place.
In addition, DHS says that businesses will be much more motivated to make fixes and changes to security vulnerabilities if they hear it from the government. The owner of a water treatment plant, for example, would be much more willing to make the necessary fixes – even if they are very costly – if the U.S. government tells it is needed to protect the nation’s clean water supply.
Moreover, DHS proudly notes that it has a stellar track record of working alongside industrial control systems operators, and protecting all of the data, much of it granted voluntarily. It has a long history of collecting similar data through voluntary programs. The message here from CISA officials appears to be: “Trust us, we’re the government.”
A decade ago, when concerns about terrorism and rogue international states were popular topics of public discussion, a simple request for subpoena powers might have gone unnoticed. But we live in much different times now. Within the U.S. Congress, a massive debate over privacy is taking place, and the push is building for the nation’s first-ever federal privacy law. For politicians, it has suddenly become very trendy to punish companies like Facebook and Google for their privacy violations.
Given this context, what would be the optics if legislators and politicians suddenly made a sharp 180-degree turn and started to back government subpoena powers? In essence, they would be saying that public safety mattered more than privacy. As a result, even if some politicians are inclined towards granting subpoena powers to protect industrial control systems, they simply might not have the right amount of political capital to do so.
Protecting the nation’s critical infrastructure is obviously a more complex issue than it might seem on the surface. To protect energy grids and chemical plants, though, the government does not need broad subpoena powers. Granting these powers would be simply enabling government overreach and creating new risks to personal privacy.