Monday, May 07, 2012
[IWS] CRS: CYBERSECURITY: SELECTED LEGAL ISSUES [20 April 2012]
IWS Documented News Service
_______________________________
Institute for Workplace Studies
School of Industrial & Labor Relations
Cornell University
16 East 34th Street, 4th floor
New York, NY 10016

Professor Samuel B. Bacharach, Director, Institute for Workplace Studies
Stuart Basefsky, Director, IWS News Bureau
________________________________________________________________________
Congressional Research Service (CRS)
Cybersecurity: Selected Legal Issues
Edward C. Liu, Legislative Attorney
Gina Stevens, Legislative Attorney
Kathleen Ann Ruane, Legislative Attorney
Alissa M. Dolan, Legislative Attorney
Richard M. Thompson II, Legislative Attorney
April 20, 2012
http://www.fas.org/sgp/crs/misc/R42409.pdf
[full-text, 48 pages]
Summary
The federal government’s role in protecting U.S. citizens and critical infrastructure from cyber
attacks has been the subject of recent congressional interest. Critical infrastructure commonly
refers to those entities that are so vital that their incapacitation or destruction would have a
debilitating impact on national security, economic security, or the public health and safety. This
report discusses selected legal issues that frequently arise in the context of recent legislation to
address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government
networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat
information among private sector and government entities. This report also discusses the degree
to which federal law may preempt state law.

It has been argued that, in order to ensure the continuity of critical infrastructure and the larger
economy, a regulatory framework for selected critical infrastructure should be created to require a
minimum level of security from cyber threats. On the other hand, others have argued that such
regulatory schemes would not improve cybersecurity while increasing the costs to businesses,
expose businesses to additional liability if they fail to meet the imposed cybersecurity standards,
and increase the risk that proprietary or confidential business information may be inappropriately
disclosed.

In order to protect federal information networks, the Department of Homeland Security (DHS), in
conjunction with the National Security Agency (NSA), uses a network intrusion system that
monitors all federal agency networks for potential attacks. Known as EINSTEIN, this system
raises significant privacy implications—a concern acknowledged by DHS, interest groups,
academia, and the general public. DHS has developed a set of procedures to address these
concerns such as minimization of information collection, training and accountability
requirements, and retention rules. Notwithstanding these steps, there are concerns that the
program may implicate privacy interests protected under the Fourth Amendment.

Although many have argued that there is a need for federal and state governments, and owners
and operators of the nation’s critical infrastructures, to share information on cyber vulnerabilities
and threats, obstacles to information sharing may exist in current laws protecting electronic
communications or in antitrust law. Private entities that share information may also be concerned
that sharing or receiving such information may lead to increased civil liability, or that shared
information may contain proprietary or confidential business information that may be used by
competitors or government regulators for unauthorized purposes.

Several bills in the 112th Congress would seek to improve the nation’s cybersecurity, and may
raise some or all of the legal issues mentioned above. For example, H.R. 3523 (Rogers (Mich.)-
Ruppersberger) addresses information sharing between the intelligence community and the
private sector. H.R. 3674 (Lungren) includes provisions regarding the protection of critical
infrastructure, as well as information sharing. H.R. 4257 (Issa-Cummings) would require all
federal agencies to continuously monitor their computer networks for malicious activity and
would impose additional cybersecurity requirements on all federal agencies. S. 2102 (Feinstein)
seeks to facilitate information sharing. S. 2105 (Lieberman) includes the information sharing
provisions of S. 2102, as well as provisions relating to the protection of critical infrastructure and
federal government networks. S. 2151 (McCain) and H.R. 4263 (Bono-Mack) also address
information sharing among the private sector and between the private sector and the government.
Many of these bills also include provisions specifically addressing the preemption of state laws.
Contents
Legal Issues Related to Protecting Critical Infrastructure
Deference to Agency Decisions
Availability of Judicial Review
Questions of Fact
Interpretations of Law
Liability Concerns
Freedom of Information
Ex Parte Communications
Legislation in the 112th Congress
H.R. 3674, PRECISE Act of 2011
S. 2105, Cybersecurity Act of 2012
Legal Issues Related to the Protection of Federal Networks
EINSTEIN Overview
EINSTEIN and the Fourth Amendment
Monitoring Communications from Federal Employees
Monitoring Communications from Private Persons to Federal Employees
Alternative to Traditional Warrant Requirement
Privacy and Civil Liberties Oversight
Legislation in the 112th Congress
S. 2105, Cybersecurity Act of 2012
H.R. 3674, Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2012 (PRECISE Act)
H.R. 4257, Federal Information Security Amendments Act of 2012
Legal Issues Related to Cybersecurity Threat Information Sharing
Electronic Communications Privacy Act
Antitrust Law
Liability for Information Sharing
Protection of Proprietary or Confidential Business Information
Privacy and Civil Liberties
Legislation in the 112th Congress
H.R. 3523, Cyber Intelligence Sharing and Protection Act of 2011, As Reported
H.R. 3674, PRECISE Act
S. 2102, Cybersecurity Information Sharing Act of 2012
S. 2105, Cybersecurity Act of 2012
S. 2151, SECURE IT Act
Preemption
________________________________________________________________________
This information is provided to subscribers, friends, faculty, students and alumni of the School of Industrial & Labor Relations (ILR). It is a service of the Institute for Workplace Studies (IWS) in New York City. Stuart Basefsky is responsible for the selection of the contents which is intended to keep researchers, companies, workers, and governments aware of the latest information related to ILR disciplines as it becomes available for the purposes of research, understanding and debate. The content does not reflect the opinions or positions of Cornell University, the School of Industrial & Labor Relations, or that of Mr. Basefsky and should not be construed as such. The service is unique in that it provides the original source documentation, via links, behind the news and research of the day. Use of the information provided is unrestricted. However, it is requested that users acknowledge that the information was found via the IWS Documented News Service.