This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats.
The federal government's role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information amongst private sector and government entities. This report also discusses the degree to which federal law may preempt state law.
It has been argued that, in order to ensure the continuity of critical infrastructure and the larger economy, a regulatory framework for selected critical infrastructure should be created to require a minimum level of security from cyber threats. On the other hand, others have argued that such regulatory schemes would not improve cybersecurity while increasing the costs to businesses, expose businesses to additional liability if they fail to meet the imposed cybersecurity standards, and increase the risk that proprietary or confidential business information may be inappropriately disclosed.
In order to protect federal information networks, the Department of Homeland Security (DHS), in conjunction with the National Security Agency (NSA), uses a network intrusion system that monitors all federal agency networks for potential attacks. Known as EINSTEIN, this system raises significant privacy implications—a concern acknowledged by DHS, interest groups, academia, and the general public. DHS has developed a set of procedures to address these concerns such as minimization of information collection, training and accountability requirements, and retention rules. Notwithstanding these steps, there are concerns that the program may implicate privacy interests protected under the Fourth Amendment.