Thursday, July 20, 2017

Notes on Eric Fischer: Federal Legislation of Cybersecurity

Necessity to change the current legislative framework for cybersecurity:
Role of the federal government is complex.
Sector-specific responsibilities.
Individual federal agency demands pertaining to various systems.

Currently more than 50 statutes are in place but there is no overarching framework; they address:
private critical infrastructure
sharing of cybersecurity information between the private sector and government
DHS authorities for federal systems
R&D
cybercrime law, data breach notification, and defense-related cybersecurity

Several attempts to enact comprehensive legislation have failed.

Bills that passed the House but not the Senate would have reformed FISMA and addressed inadequacies in the DHS cybersecurity workforce and in information sharing.

The continuing evolution of technology and of the threat environment has created a situation in which legislative reform is needed.

Enacted statutes allow federal involvement in securing federal and non-federal systems only through specific provisions, without the overarching framework mentioned above. Key statutes:
Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
Electronic Communications Privacy Act of 1986
Computer Security Act of 1987
Paperwork Reduction Act of 1995
Clinger-Cohen Act of 1996: created agency CIOs and placed information security responsibilities in the agency hierarchy; mandatory standards
Homeland Security Act of 2002
Cybersecurity Research and Development Act of 2002
E-Government Act of 2002: primary legislative vehicle for federal IT management and for initiatives to make information and services available online
Federal Information Security Management Act (FISMA) of 2002: clarified and amplified earlier requirements, created a federal incident center, and redistributed responsibilities

Some 40 other laws include provisions relating to cybersecurity.

Executive branch actions
NIST (in the Department of Commerce) develops cybersecurity standards, which OMB promulgates and enforces for federal agencies; DOJ prosecutes cybercrime.
US Cyber Command: responsibility for military cyberspace operations.
Comprehensive National Cybersecurity Initiative (CNCI, 2008).
12 sub-initiatives declassified in 2010: consolidation of external access points to federal systems, deploying intrusion detection and prevention systems, research coordination, information sharing, education... mitigation of risks from the global supply chain for information technology.

"Cyber czar" (White House Cybersecurity Coordinator): created in 2009 to orchestrate federal cybersecurity activity; has no direct control over budgets, and some argue that NSA's role pre-empts it.

Under its FISMA authority, OMB in April 2010 directed agencies to move to automated continuous monitoring of federal information systems; a few months later it delegated FISMA oversight to DHS.
Within two years an interagency program, FedRAMP, was established for cloud-computing cybersecurity.

Issue areas addressed by proposed legislation:
Protection of cyber infrastructure
Information sharing and coordination
Responsibilities and authority
Reform of FISMA
Research and development
Cybersecurity workforce
Data breaches resulting in theft or exposure of personal data such as financial information
Cybercrime offenses and penalties
National cybersecurity strategy
International efforts

Discussion of proposed revisions
Posse Comitatus Act of 1878
Ch. 263, 20 Stat. 152
18 U.S.C. § 1385
Restricts the use of military forces in civilian law enforcement except where expressly authorized by the Constitution or an act of Congress.
Courts find a violation when civilian officials make direct active use of military investigators, when military involvement pervades the activities of civilian officials, or when the military is used so as to subject civilians to the exercise of military power that is regulatory, prescriptive, or compulsory in nature.

There are difficulties in identifying when a cyberattack involves national defense.
Some argue that defense of US information systems must be the purview of civilian agencies such as DHS and the FBI, because of privacy and civil liberty concerns unique to cybersecurity, even if a military-led option would be easier to implement.

Antitrust laws
Sherman Antitrust Act
Wilson Tariff Act
Clayton Act
Section 5 of the Federal Trade Commission Act: prohibits unfair or deceptive trade practices

These are relevant to cyber law reform because sharing of cybersecurity information among competing companies could be viewed as anticompetitive or give some companies an unfair edge.

National Institute of Standards and Technology Act

Federal Power Act
Gives FERC authority over the interstate sale and transmission of electric power.
May need to change in light of the development of smart-grid systems.

Communications Act of 1934
FCC regulates all interstate and foreign wired and wireless (radio) communications.
Section 706 gives the President authority in wartime or a national emergency to control any station capable of emitting electromagnetic radiation, and to close such facilities.
Read literally, this could be considered an internet kill switch; there has been considerable debate about whether such an authority actually exists, or whether further legislation is needed to clarify and delimit it.

National Security Act of 1947
Created the NSC, the CIA, and the Secretary of Defense.
Also sets procedures for access to classified information.

US Information and Educational Exchange Act of 1948 (Smith-Mundt Act)
Domestic dissemination provision originally applied to the now-defunct USIA.
Restricted USIA from disseminating its materials domestically; criticized as a Cold War relic meant to protect Americans from being propagandized by their own federal agencies.
State Department Basic Authorities Act of 1956
Organizes the Department of State; includes provisions on counterterrorism and HIV response efforts.

Freedom of Information Act (FOIA) of 1966
Three of FOIA's exemptions from mandatory disclosure pertain to cybersecurity information:
information properly classified for national defense or foreign policy purposes under an executive order
data specifically exempted from disclosure by another statute, if that statute meets the criteria laid out in FOIA
trade secrets and commercial or financial information obtained from a person that is privileged or confidential

Omnibus Crime Control and Safe Streets Act of 1968
Federal grant programs and other forms of assistance to state and local law enforcement.
Title III is a comprehensive wiretapping and electronic eavesdropping statute: it outlawed both activities in general terms but permitted federal and state use of them under strict limitations.

Racketeer Influenced and Corrupt Organizations Act (RICO)
Enlarges the civil and criminal consequences of organized crime.
Repeated recommendations to include computer fraud within the statutory definition of racketeering activity.

Federal Advisory Committee Act
Specifies the circumstances under which a federal advisory committee can be established, and its responsibilities and limitations; requires that committee meetings be open to the public and that records be available for public inspection.

Privacy Act of 1974
Limits disclosure of records about individuals held by federal agencies.
Requires transparency toward the individual concerned.
Establishes a code of fair information practices for the collection, management, and dissemination of records by agencies, including requirements for security and confidentiality of records.

Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
First statute to establish criminal penalties, including asset forfeiture, for unauthorized access to and wrongful use of computers and networks of the federal government or financial institutions, or used in interstate or foreign commerce or communication.
Criminalized electronic trespassing on, and exceeding authorized access to, federal government computers.
Statutory exemption for lawfully authorized intelligence and law enforcement activities.

Electronic Communications Privacy Act of 1986
Strikes a balance between the fundamental privacy rights of citizens and the needs of law enforcement.
The Internet was much smaller at the time of passage.
Prohibits the interception of wire, oral, or electronic communications unless an exception to the general rule applies.
Prohibits wiretapping and electronic eavesdropping.
Regulates disclosure of information obtained through court-ordered wiretapping.

Terrorism Risk Insurance Act of 2002
Provides a federal backstop for insured losses from physical damage in an act of terrorism, such as damage to oil fields.
Does not currently apply to cyberattacks, and modification may be appropriate.

E-Government Act of 2002
Serves as the primary legislative vehicle to guide federal IT management and initiatives to make information and services available online.