The U.S. Senate’s 2021 National Defense Authorization Act (NDAA) includes legislation that would help the Cybersecurity and Infrastructure Security Agency (CISA) warn the owners and operators of critical infrastructure computer systems that those systems are vulnerable to cyberattacks.
The bill gives CISA a limited authority to detect, identify, and receive information related only to critical infrastructure systems, and only for a cybersecurity purpose. It is designed to give CISA the legal means necessary to notify the owner of the critical infrastructure system that was the subject of the subpoena. Subpoenas must be authenticated by electronic signature so that the internet service provider (ISP) knows the request is coming from CISA and has not been fraudulently generated.
CISA must notify the party within 7 days of receiving their information. Further, CISA must destroy personally identifiable information after 6 months.
“When CISA identifies a potential cyber vulnerability in an electrical grid or other critical infrastructure, it cannot always identify the owner of the company in order to alert the company about the vulnerability,” U.S. Sen. Maggie Hassan (D-NH), one of the bill’s sponsors, said. “This commonsense proposal gives CISA the ability to get the information it needs from an Internet Service Provider in order to reach out to critical infrastructure companies to help prevent damaging cyberattacks.”
U.S. Sen. Ron Johnson (R-WI) also introduced the bill, which was cosponsored by U.S. Sens. Angus King (I-ME) and Ron Wyden (D-OR).
The legislation requires CISA to make an annual report to both Congress and the public. The report must detail the number of cybersecurity vulnerabilities that have been mitigated and the number of entities that have been warned.
“We ask Americans: if you see something, say something. With this legislation, we are empowering CISA to do the same,” Johnson said.