CISA Director Makes Case for Subpoena Power over Internet Service Providers

A bipartisan bill that would compel internet service providers to share details of vulnerable entities with the Cybersecurity and Infrastructure Security Agency is not currently being considered for a markup due to concerns over privacy violations, according to Sen. Ron Johnson, R-Wisc.


“We’re trying to create the desire for it,” Johnson, chairman of the Senate Homeland Security and Governmental Affairs Committee, told reporters after a hearing today where CISA Director Christopher Krebs stressed the importance of the Cybersecurity Vulnerability Identification and Notification Act.


The bill is sponsored by Johnson and committee Democrat Maggie Hassan of New Hampshire. A related bill recently cleared the equivalent committee in the House. 


Krebs was testifying before the committee on “What States, Locals and the Business Community Should Know and Do: A Roadmap for Effective Cybersecurity.” He also called for more field resources he could deploy around the country.


On the subpoena power, Johnson said, “There’s some opposition we have to bat down, so I can’t really talk [markup] timing right now.” He said the opposition was in the form of “general privacy concerns.” 


Krebs told the committee that CISA officials can use an automated approach to identify and plug vulnerabilities, but they hit a roadblock: when they find exploitable weaknesses, those are usually tied only to an internet protocol address.


ISPs have access to the information necessary to contact the vulnerable system owners but are not allowed, by law, to share it with CISA absent an administrative subpoena. 


Krebs said ISPs can go directly to the owners but many ISPs are also managed security service providers, s ..
