.
Federal Laws Relating to Cybersecurity:
Overview and Discussion of Proposed
Revisions
Eric A. Fischer
Senior Specialist in Science and Technology
February 5, 2013
Congressional Research Service
7-5700
www.crs.gov
R42114
CRS Report for Congress
Pr
epared for Members and Committees of Congress
c11173008
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Summary
For more than a decade, various experts have expressed increasing concerns about cybersecurity,
in light of the growing frequency, impact, and sophistication of attacks on information systems in
the United States and abroad. Consensus has also been building that the current legislative
framework for cybersecurity might need to be revised.
The complex federal role in cybersecurity involves both securing federal systems and assisting in
protecting nonfederal systems. Under current law, all federal agencies have cybersecurity
responsibilities relating to their own systems, and many have sector-specific responsibilities for
critical infrastructure.
More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but
there is no overarching framework legislation in place. While revisions to most of those laws
have been proposed over the past few years, no major cybersecurity legislation has been enacted
since 2002.
Recent legislative proposals, including many bills introduced in the 111th and 112th Congresses,
have focused largely on issues in 10 broad areas (see “Selected Issues Addressed in Proposed
Legislation” for an overview of how current legislative proposals would address issues in several
of those areas):
• national strategy and the role of government,
• reform of the Federal Information Security Management Act (FISMA),
• protection of critical infrastructure (including the electricity grid and the
chemical industry),
• information sharing and cross-sector coordination,
• breaches resulting in theft or exposure of personal data such as financial
information,
• cybercrime,
• privacy in the context of electronic commerce,
• international efforts,
• research and development, and
• the cybersecurity workforce.
For most of those topics, at least some of the bills addressing them have proposed changes to
current laws. Several of the bills specifically focused on cybersecurity received committee or
floor action in the 112th Congress, but none became law. In the absence of enactment of
cybersecurity legislation, the White House has reportedly prepared an executive order, but release
of such an order has been opposed by some Members of Congress.
Comprehensive legislative proposals on cybersecurity that received considerable attention in
2012 are The Cybersecurity Act of 2012 (CSA 2012, S. 2105, reintroduced in revised form as S.
3414), recommendations from a House Republican task force, and a proposal by the Obama
Administration. They differed in approach, with S. 2105 proposing the most extensive regulatory
Congressional Research Service
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
framework and organizational changes, and the task force recommendations focusing more on
incentives for improving private-sector cybersecurity. An alternative to S. 2105 and S. 3414, S.
3342 (a refinement of S. 2151), did not include enhanced regulatory authority or new federal
entities, but did include cybercrime provisions. S. 3414 was debated in the Senate but failed
cloture votes.
Several narrower House bills were introduced that addressed some of the issues raised and
recommendations made by the House task force. Four passed the House the week of April 23 but
were not considered by the Senate:
• Cybersecurity Enhancement Act of 2011 (H.R. 2096), which addressed federal
cybersecurity R&D and the development of technical standards;
• Cyber Intelligence Sharing and Protection Act (H.R. 3523), which focused on
information sharing and coordination, including sharing of classified
information;
• Advancing America’s Networking and Information Technology Research and
Development Act of 2012 (H.R. 3834), which addressed R&D in networking and
information technology, including but not limited to security; and
• Federal Information Security Amendments Act of 2012 (H.R. 4257), which
addressed FISMA reform.
One was ordered reported out of the full committee but did not come to the floor:
• Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness
Act of 2011 or PRECISE Act of 2011 (H.R. 3674), which addressed the role of
the Department of Homeland Security in cybersecurity, including protection of
federal systems, personnel, R&D, information sharing, and public/private sector
collaboration in protecting critical infrastructure.
Together, those House and Senate bills addressed most of the issues listed above, although in
different ways. All included proposed revisions to some existing laws covered in this report.
Congressional Research Service
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Contents
Introduction ...................................................................................................................................... 1
Current Legislative Framework ................................................................................................. 1
Executive Branch Actions ......................................................................................................... 3
Legislative Proposals ................................................................................................................. 4
Discussion of Proposed Revisions of Current Statutes .................................................................. 19
Posse Comitatus Act of 1879 ................................................................................................... 21
Antitrust Laws and Section 5 of the Federal Trade Commission Act ...................................... 22
National Institute of Standards and Technology Act ............................................................... 24
Federal Power Act ................................................................................................................... 24
Communications Act of 1934 .................................................................................................. 25
National Security Act of 1947 ................................................................................................. 26
U.S. Information and Educational Exchange Act of 1948 (Smith-Mundt Act) ....................... 27
State Department Basic Authorities Act of 1956 ..................................................................... 28
Freedom of Information Act (FOIA) ....................................................................................... 28
Omnibus Crime Control and Safe Streets Act of 1968 ............................................................ 30
Racketeer Influenced and Corrupt Organizations Act (RICO) ................................................ 30
Federal Advisory Committee Act (FACA) .............................................................................. 31
Privacy Act of 1974 ................................................................................................................. 31
Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 ............................... 32
Electronic Communications Privacy Act of 1986 (ECPA) ...................................................... 33
Department of Defense Appropriations Act, 1987 .................................................................. 35
High Performance Computing Act of 1991 ............................................................................. 36
Communications Assistance for Law Enforcement Act of 1994 (CALEA) ............................ 37
Communications Decency Act of 1996 ................................................................................... 38
Clinger-Cohen Act (Information Technology Management Reform Act) of 1996 .................. 39
Identity Theft and Assumption Deterrence Act of 1998 .......................................................... 40
Homeland Security Act of 2002 (HSA) ................................................................................... 41
Federal Information Security Management Act of 2002 (FISMA) ......................................... 43
Terrorism Risk Insurance Act of 2002 ..................................................................................... 46
Cyber Security Research and Development Act, 2002 ............................................................ 47
E-Government Act of 2002 ..................................................................................................... 48
Identity Theft Penalty Enhancement Act ................................................................................. 49
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) ..................................... 50
Tables
Table 1. Comparison of Topics Addressed by Selected Legislative Proposals on
Cybersecurity in the 112th Congress ............................................................................................. 7
Table 2. Laws Identified as Having Relevant Cybersecurity Provisions ....................................... 52
Contacts
Author Contact Information........................................................................................................... 62
Acknowledgments ......................................................................................................................... 62
Congressional Research Service
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Introduction
For more than a decade, various experts have expressed concerns about information-system
security—often referred to as cybersecurity—in the United States and abroad.1 The frequency,
impact, and sophistication of attacks on those systems has added urgency to the concerns.2
Consensus has also been growing that the current legislative framework for cybersecurity might
need to be revised to address needs for improved cybersecurity, especially given the continuing
evolution of the technology and threat environments. This report, with contributions from several
CRS staff (see Acknowledgments), discusses that framework and proposals to amend more than
30 acts of Congress that are part of or relevant to it. For a CRS compilation of reports and other
resources on cybersecurity, see CRS Report R42507, Cybersecurity: Authoritative Reports and
Resources, by Rita Tehan. For additional selected CRS reports relevant to cybersecurity, see CRS
Issues in Focus: Cybersecurity.
Current Legislative Framework
The federal role in addressing cybersecurity is complex. It involves both securing federal systems
and fulfilling the appropriate federal role in protecting nonfederal systems. There is as yet no
overarching framework legislation in place, but many enacted statutes address various aspects of
cybersecurity. Some notable provisions are in the following acts:
1 The term information systems is defined in 44 U.S.C. §3502 as “a discrete set of information resources organized for
the collection, processing, maintenance, use, sharing, dissemination, or disposition of information,” where information
resources is “information and related resources, such as personnel, equipment, funds, and information technology.”
Thus cybersecurity, a broad and arguably somewhat fuzzy concept for which there is no consensus definition, might
best be described as measures intended to protect information systems—including technology (such as devices,
networks, and software), information, and associated personnel—from various forms of attack. The concept has,
however, been characterized in various ways. For example, the interagency Committee on National Security Systems
has defined it as “the ability to protect or defend the use of cyberspace from cyber attacks,” where cyberspace is
defined as “a global domain within the information environment consisting of the interdependent network of
information systems infrastructures including the Internet, telecommunications networks, computer systems, and
embedded processors and controllers” (Committee on National Security Systems, National Information Assurance (IA)
Glossary, April 2010, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf). In contrast, cybersecurity has also been defined
as synonymous with information security (see, for example, S. 773, the Cybersecurity Act of 2010, in the 111th
Congress), which is defined in current law (44 U.S.C. §3532(b)(1)) as
protecting information and information systems from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide—
(A) integrity, which means guarding against improper information modification or destruction, and
includes ensuring information nonrepudiation and authenticity;
(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including
means for protecting personal privacy and proprietary information;
(C) availability, which means ensuring timely and reliable access to and use of information; and
(D) authentication, which means utilizing digital credentials to assure the identity of users and validate
their access.
2 See, for example, IBM, IBM X-Force® 2011 Mid-year Trend and Risk Report, September 2011,
http://public.dhe.ibm.com/common/ssi/ecm/en/wgl03009usen/WGL03009USEN.PDF; Barbara Kay and Paula Greve,
Mapping the Mal Web IV (McAfee, September 28, 2010), http://us.mcafee.com/en-us/local/docs/MTMW_Report.pdf;
Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace:
Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011,
http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf; Symantec, Symantec
Internet Security Threat Report: Trends for 2010, Volume 16, April 2011, https://www4.symantec.com/mktginfo/
downloads/21182883_GA_REPORT_ISTR_Main-Report_04-11_HI-RES.pdf.
Congressional Research Service
1
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• The Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
prohibits various attacks on federal computer systems and on those used by banks
and in interstate and foreign commerce.
• The Electronic Communications Privacy Act of 1986 (ECPA) prohibits
unauthorized electronic eavesdropping.
• The Computer Security Act of 1987 gave the National Institute of Standards and
Technology (NIST) responsibility for developing security standards for federal
computer systems, except the national security systems3 that are used for defense
and intelligence missions, and gave responsibility to the Secretary of Commerce
for promulgating security standards.
• The Paperwork Reduction Act of 1995 gave the Office of Management and
Budget (OMB) responsibility for developing cybersecurity policies.
• The Clinger-Cohen Act of 1996 made agency heads responsible for ensuring the
adequacy of agency information-security policies and procedures, established the
chief information officer (CIO) position in agencies, and gave the Secretary of
Commerce authority to make promulgated security standards mandatory.
• The Homeland Security Act of 2002 (HSA) gave the Department of Homeland
Security (DHS) some cybersecurity responsibilities in addition to those implied
by its general responsibilities for homeland security and critical infrastructure.
• The Cyber Security Research and Development Act, also enacted in 2002,
established research responsibilities in cybersecurity for the National Science
Foundation (NSF) and NIST.
• The E-Government Act of 2002 serves as the primary legislative vehicle to guide
federal IT management and initiatives to make information and services available
online, and includes various cybersecurity requirements.
• The Federal Information Security Management Act of 2002 (FISMA) clarified
and strengthened NIST and agency cybersecurity responsibilities, established a
central federal incident center, and made OMB, rather than the Secretary of
Commerce, responsible for promulgating federal cybersecurity standards.
More than 40 other laws identified by CRS also have provisions relating to cybersecurity (see
Table 2). Revisions to many of those laws have been proposed. More than 40 bills and
resolutions with provisions related to cybersecurity have been introduced in the 112th Congress,
including several proposing revisions to current laws. In the 111th Congress, the total was more
3 This term is defined in 44 U.S.C. §3542(b)(2).
Congressional Research Service
2
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
than 60.4 Several bills in both Congresses received committee or floor action, but none have
become law. In fact, no comprehensive cybersecurity legislation has been enacted since 2002.5
Executive Branch Actions
Some significant executive actions have been taken, however.6 The George W. Bush
Administration established the Comprehensive National Cybersecurity Initiative (CNCI) in 2008
through National Security Presidential Directive 54 / Homeland Security Presidential Directive
23 (NSPD-54/HSPD-23). Those documents are classified, but the Obama Administration released
a description of them in March 2010.7 Goals of the 12 subinitiatives in that description include
consolidating external access points to federal systems; deploying intrusion detection and
prevention systems across those systems; improving research coordination and prioritization and
developing “next-generation” technology, information sharing, and cybersecurity education and
awareness; mitigating risks from the global supply chain for information technology; and
clarifying the federal role in protecting critical infrastructure.
In December 2009, the Obama Administration appointed Howard Schmidt to the position of
White House Cybersecurity Coordinator.8 He was a member of the White House national security
staff and was responsible for government-wide coordination of cybersecurity, including the
CNCI. One of the most visible initiatives in which he was involved was the implementation of
automated, continuous monitoring of federal information systems.9 Other stated priorities
included developing a unified strategy for network security and incident response, and
strengthening partnerships with the private sector and other countries. He worked with both the
National Security and Economic Councils in the White House. However, the position has no
direct control over agency budgets, and some observers argue that operational entities such as the
4 Those bills were identified through a two-step process—candidates were found through searches of the Legislative
Information System (LIS, http://www.congress.gov) using “cybersecurity,” “information systems,” and other relevant
terms in the text of the bills, followed by examination of that text in the candidates to determine relevance for
cybersecurity. Use of other criteria may lead to somewhat different results. For example, using the LIS “cybersecurity”
topic search yields about 30 bills in the 112th Congress and 40 in the 111th, with about a 50% overlap in the bills
included. While that difference is higher than might be expected, none of the bills identified uniquely by the LIS topic
search are relevant to the discussion in this report.
5 Among the broader proposals in the 111th Congress, S. 773 (S.Rept. 111-384) and S. 3480 (S.Rept. 111-368) were
reported by the originating committees. H.R. 4061 (H.Rept. 111-405) and H.R. 5136 (Title XVII, mostly similar to
H.R. 4900) both passed the House. A bill combining provisions of the two Senate bills was drafted (Tony Romm,
“Lack of Direction Slows Cybersecurity,” Politico, November 4, 2010, http://www.politico.com/news/stories/1110/
44662.html). In the 112th Congress, S. 413 is similar to S. 3480 in the previous Congress, H.R. 2096 (H.Rept. 112-264)
is similar to H.R. 4061, and the Senate combined bill, S. 2105, includes elements of S. 773, S. 413, S. 2102, and a
proposal put forward by the White House in April 2011 (see below).
6 This update does not include executive branch actions taken since December 2011.
7 The White House, “The Comprehensive National Cybersecurity Initiative,” March 5, 2010,
http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative. For additional information
about this initiative and associated policy considerations, see CRS Report R40427, Comprehensive National
Cybersecurity Initiative: Legal Authorities and Policy Considerations, by John Rollins and Anna C. Henning.
8 The position has been popularly called the “cyber czar.”
9 Jeffrey Zients, Vivek Kundra, and Howard A. Schmidt, “FY 2010 Reporting Instructions for the Federal Information
Security Management Act and Agency Privacy Management,” Office of Management and Budget, Memorandum for
Heads of Executive Departments and Agencies M-10-15, April 21, 2010, http://www.whitehouse.gov/omb/assets/
memoranda_2010/m10-15.pdf.
Congressional Research Service
3
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
National Security Agency (NSA) have far greater influence and authority.10 The Obama
Administration has also launched several initiatives.11 He was succeeded by Michael Daniel in
May 2012.
Under current law, all federal agencies have cybersecurity responsibilities relating to their own
systems, and many have sector-specific responsibilities for critical infrastructure, such as the
Department of Transportation for the transportation sector. Cross-agency responsibilities are
complex, and any brief description is necessarily oversimplified. In general, in addition to the
roles of White House entities, DHS is the primary civil-sector cybersecurity agency. NIST, in the
Department of Commerce, develops cybersecurity standards and guidelines that are promulgated
by OMB, and the Department of Justice is largely responsible for the enforcement of laws
relating to cybersecurity.12 The National Science Foundation (NSF), NIST, and DHS all perform
research and development (R&D) related to cybersecurity. The National Security Agency (NSA)
is the primary cybersecurity agency in the national security sector, although other agencies also
play significant roles. The recently established U.S. Cyber Command, part of the U.S. Strategic
Command in the Department of Defense (DOD), has primary responsibility for military
cyberspace operations.
Legislative Proposals
In general, legislative proposals on cybersecurity in the 111th and 112th Congresses focused
largely on issues in 10 broad areas:
• national strategy and the role of government,
• reform of FISMA,
• protection of critical infrastructure (especially the electricity grid and the
chemical industry),
• information sharing and cross-sector coordination,
• breaches resulting in theft or exposure of personal data such as financial
information,
• cybercrime offenses and penalties,
• privacy in the context of electronic commerce,
• international efforts,
• research and development (R&D), and
10 See, for example, Seymour M. Hersh, “Judging the cyber war terrorist threat,” The New Yorker, November 1, 2010,
http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh?currentPage=all.
11 Among them are White House strategies to improve the security of Internet transactions (The White House, National
Strategy for Trusted Identities in Cyberspace, April 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/
NSTICstrategy_041511.pdf) and to coordinate international efforts (The White House, International Strategy for
Cyberspace, May 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/
international_strategy_for_cyberspace.pdf), and an executive order on sharing and security for classified information
(Executive Order 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible
Sharing and Safeguarding of Classified Information,” Federal Register 76, no. 198 (October 13, 2011): 63811-63815,
http://www.gpo.gov/fdsys/pkg/FR-2011-10-13/pdf/2011-26729.pdf).
12 This responsibility is shared to some extent with other agencies such as the U.S. Secret Service.
Congressional Research Service
4
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• the cybersecurity workforce.
For most of those topics, at least some of the bills addressing them proposed changes to current
laws.13
While no comparable bills to those in the 112th Congress were introduced in the 113th Congress
during January 2013, there appears to be considerable support in principle for significant
legislation to address most of the issues identified above. The House, Senate, and White House
have taken somewhat different approaches to such legislation.
Selected Legislative Proposals in the 112th Congress
The Senate worked over two years on a comprehensive bill synthesizing approaches proposed by
the Homeland Security and Governmental Affairs Committee (S. 3480 in the 111th Congress and
S. 413 in the 112th), the Commerce, Science, and Transportation Committee (S. 773 in the 111th
Congress), and others. S. 2105, the Cybersecurity Act of 2012, which included features of both
those bills and others,14 was introduced in February 2012. A revised version, S. 3414, also known
as CSA2012, was introduced in July. An alternative Senate bill, S. 3342, the SECURE IT Act,15
was a revision of S. 2151, which was originally introduced in March.16 Several other Senate bills
would have addressed specific aspects of cybersecurity, such as data breaches of personal
information and cybercrime. S. 3342 was debated in the Senate in July. A cloture motion failed on
August 2, 2012, and again on November 14.
In April 2011, the White House sent a comprehensive, seven-part legislative proposal (White
House Proposal) to Congress.17 Some elements of that proposal were included in both House and
Senate bills. The White House is also reportedly considering issuing an executive order on
cybersecurity that would implement some additional measures for information sharing and
protection of critical infrastructure.18 Opposition to such an action has been expressed by some
Members of Congress, citing reasons relating to potential impacts on legislative efforts, the
private sector, and international negotiations.19
13 For specific analysis of legal issues associated with several of the bills being debated in the 112th Congress, see CRS
Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al.
14 The title on information sharing is similar to S. 2102.
15 SECURE IT is an acronym for Strengthening and Enhancing Cybersecurity by Using Research, Education,
Information and Technology.
16 A very similar but not identical bill, H.R. 4263, was introduced in the House April 9. It is not discussed separately in
this update.
17 The White House, Complete Cybersecurity Proposal, 2011, http://www.whitehouse.gov/sites/default/files/omb/
legislative/letters/law-enforcement-provisions-related-to-computer-security-full-bill.pdf. One part does not appear to be
directly related to cybersecurity. It would restrict the authority of state and local jurisdictions with respect to the
location of commercial data centers.
18 Josh Smith, “GOP Senators Assail White House for Pushing Executive Order on Cybersecurity,” Nextgov,
September 14, 2012, http://www.nextgov.com/cybersecurity/2012/09/gop-senators-assail-white-house-pushing-
executive-order-cybersecurity/58123/; Jaikumar Vijayan, “Obama to Issue Cybersecurity Executive Order This
Month,” Computerworld: Cyberwarfare, February 1, 2013,
http://www.computerworld.com/s/article/9236438/Obama_to_issue_cybersecurity_executive_order_this_month?source
=CTWNLE_nlt_pm_2013-02-01.
19 The Honorable Fred Upton et al. to President Barack Obama, October 11, 2012,
http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/letters/20121011Cybersecurity.pd
f; Senate Committee on Homeland Security and Government Affairs, “Senators Collins, Snowe, and Lugar to White
(continued...)
Congressional Research Service
5
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
In October 2011, the 12-Member House Republican Cybersecurity Task Force, which had been
formed by Speaker Boehner in June, released a series of recommendations (Task Force Report) to
be used by House committees in developing cybersecurity legislation.20 Unlike the other
proposals, it was not presented in the form of a bill or bills. Several House bills were introduced
subsequently that addressed some of the issues raised and recommendations made by the Task
Force Report. Four passed the House the week of April 23, 2012:
• Cybersecurity Enhancement Act of 2011 (H.R. 2096), which addressed federal
cybersecurity R&D and the development of technical standards;
• Cyber Intelligence Sharing and Protection Act (H.R. 3523), which focused on
information sharing and coordination, including sharing of classified
information;21
• Advancing America’s Networking and Information Technology Research and
Development Act of 2012 (H.R. 3834), which addressed R&D in networking and
information technology, including but not limited to security;22 and
• Federal Information Security Amendments Act of 2012 (H.R. 4257), which
addressed FISMA reform.
A fifth bill was ordered reported out of full committee on April 18 but was not included in the
cybersecurity bills debated on the House floor the week of April 23:23
• Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness
Act of 2011 or PRECISE Act of 2011 (H.R. 3674), which addressed the role of
the Department of Homeland Security in cybersecurity, including protection of
federal systems, personnel, R&D, information sharing, and public/private sector
collaboration in protecting critical infrastructure.
Specific issues addressed by several of those bills and proposals are noted in Table 1. Together,
they addressed most of the issues listed above, although in different ways. All included or
discussed proposed revisions to some existing laws covered in this report.
(...continued)
House: Refrain from Executive Order on Cybersecurity,” Press Release, October 10, 2012,
http://www.hsgac.senate.gov/media/minority-media/senators-collins-snowe-and-lugar-to-white-house-refrain-from-
executive-order-on-cybersecurity.
20 House Republican Cybersecurity Task Force, Recommendations of the House Republican Cybersecurity Task Force,
October 5, 2011, http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf.
21 The Obama Administration has objected to this bill, claiming that it does not address cybersecurity needs for critical
infrastructure, and contains overly broad liability protections for private-sector entities and insufficient protections for
individual privacy, confidentiality, and civil liberties (The White House, “H.R. 3523—Cyber Intelligence Sharing and
Protection Act,” Statement of Administration Policy, April 25, 2012, http://www.whitehouse.gov/sites/default/files/
omb/legislative/sap/112/saphr3523r_20120425.pdf). The Administration has not released statements of administration
policy for any of the other bills discussed in this report.
22 For discussion of this bill and H.R. 2096, see also CRS Report RL33586, The Federal Networking and Information
Technology Research and Development Program: Background, Funding, and Activities, by Patricia Moloney Figliola.
23 H.R. 3674 was marked up by the Subcommittee on Cybersecurity, Infrastructure Protection, and Security
Technologies of the Committee on Homeland Security on February 1 and forwarded to the full committee, which
substantially amended the bill in its April 18 markup and was reported by the committee on July 11 (see H.Rept. 112-
592).
Congressional Research Service
6
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Table 1. Comparison of Topics Addressed by Selected Legislative Proposals
on Cybersecurity in the 112th Congress
Selected
Task
White
House
Force
S. 3342
House
Topic
Bills
Report
S. 2105
S. 3414
(S. 2151)
Proposal
DHS authorities for protection H.R.
3674
X X X X
of federal systems
New DHS office/center
H.R. 3674
X
X
X
Cybersecurity workforce
H.R. 2096
X X X X X
authorities and programs
H.R. 3674
H.R. 3834
Supply-chain vulnerabilities H.R.
3674
X X X X
Cybersecurity R&D
H.R. 2096
X X X X X
H.R. 3674
H.R. 3834
FISMA
reform
H.R.
4257
X X X X X
Protection of privately held
H.R. 3674
X
Xa
Xa X
critical infrastructure (CI)
Government/private-sector
H.R.
3674
X X X X
collaboration on CI protection
Additional regulation of
X X X X
privately held critical
infrastructure
Information sharing
H.R. 3523
X X X X X
H.R. 3674
FOIA exemption for
H.R.
3523
X X X X X
cybersecurity information
New information-sharing
(H.R.
X X X
entities
3674)b
Public awareness
H.R. 2096
X
X
X
X
Cybercrime law
X
X
X
Data breach notification
X
X
Internet security provider
X
code of conduct
National security/defense and
X
federal civil sector
coordination
Source: CRS.
Note: S. 3342 was a revised version of S. 2151, and S. 3414 was a revised version of S. 2105.
a. S. 3414 would have permitted regulatory agencies to adopt certain cybersecurity practices as mandatory
requirements, but did not provide regulatory authority beyond that in other law. S. 2105 would have
provided the Secretary of Homeland Security with new regulatory authority for cybersecurity.
b. The subcommittee version of this bill would have created a new nonprofit quasi-governmental information-
sharing entity, but the committee version omitted those provisions (see “Information Sharing” below).
Congressional Research Service
7
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Those addressed in the House bills are
• “Cyber Security Research and Development Act, 2002” (H.R. 2096, S. 2105, S.
2151, S. 3342, S. 3414);
• “Federal Information Security Management Act of 2002 (FISMA)” (H.R. 4257,
the Task Force Report, S. 2105, S. 2151, S. 3342, S. 3414, the White House
Proposal);
• “High Performance Computing Act of 1991” (H.R. 3834, S. 2105, S. 2151, S.
3342, S. 3414)
• “Homeland Security Act of 2002 (HSA)” (H.R. 3674, S. 2105, S. 3414, the White
House Proposal); and
• “National Security Act of 1947” (H.R. 3523).
Those addressed in other legislative proposals are
• “Antitrust Laws and Section 5 of the Federal Trade Commission Act” (Task
Force Report, S. 2151, S. 3342)
• “Clinger-Cohen Act (Information Technology Management Reform Act) of
1996” (S. 2105, S. 3414, White House Proposal);24
• “Counterfeit Access Device and Computer Fraud and Abuse Act of 1984” (Task
Force Report, S. 2151, S. 3342, White House Proposal);
• “E-Government Act of 2002” (White House Proposal);
• “Electronic Communications Privacy Act of 1986 (ECPA)” (Task Force Report);
• “Identity Theft Penalty Enhancement Act” (Task Force Report); and
• “Racketeer Influenced and Corrupt Organizations Act (RICO)” (Task Force
Report).
Also, some legislative proposals would have provided exemptions under the “Freedom of
Information Act (FOIA)” for certain kinds of information provided to the federal government
(Task Force Report, H.R. 3523, S. 2105, S. 2151, S. 3342, S. 3414, White House Proposal). H.R.
3523, S. 2151, and S. 3342 would also have permitted information sharing that might otherwise
be subject to antitrust or other restrictions on sharing,25 and the Task Force Report stated that an
antitrust exemption might be necessary.
Selected Issues Addressed in Proposed Legislation
The proposals listed in Table 1 took a range of approaches to address issues in cybersecurity. The
discussion below compares those approaches for several issues—“DHS Authorities for Protection
of Federal Systems,” the “Cybersecurity Workforce,” “Research and Development,” “FISMA
Reform,” “Protection of Privately Held Critical Infrastructure (CI),” and “Information Sharing.”
For discussion of legal issues associated with protection of federal systems, critical infrastructure,
24 See also “Federal Information Security Management Act of 2002 (FISMA).”
25 See CRS Report R42409, Cybersecurity: Selected Legal Issues for more detail.
Congressional Research Service
8
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
and information sharing, see CRS Report R42409, Cybersecurity: Selected Legal Issues, by
Edward C. Liu et al.
DHS Authorities for Protection of Federal Systems
DHS currently has very limited statutory responsibility for the protection of federal information
systems. The degree to which its role should be modified has been a matter of some debate. Five
of the legislative proposals listed in Table 1 addressed DHS authorities for federal civil systems.26
All five bills would have enhanced DHS authorities, although to varying degrees and in varying
ways.
The Task Force Report proposed that Congress “formalize” DHS’s current coordinating role in
cybersecurity. H.R. 3674 would have added new provisions on DHS cybersecurity activities to
Title II of HSA; S. 2105, S. 3414, and the White House Proposal would have added a new subtitle
to HSA. All four proposals would have provided specific authorities and responsibilities to DHS
for risk assessments, protective capabilities, and operational cybersecurity activities.
S. 2105 and S. 3414 had similar provisions that would have created a new, consolidated DHS
cybersecurity and communications center with a Senate-confirmed director who would be
responsible for managing federal cybersecurity efforts; for developing and implementing
information-security policies, principles, and guidelines; and other functions, including risk
assessments and other activities to protect federal systems. The White House Proposal would
have provided such enhanced authority to the DHS Secretary rather than a new center. However,
the White House Proposal would have required the Secretary to establish a center with
responsibilities for protecting federal information systems, facilitating information sharing, and
coordinating incident response. H.R. 3674 would have established a DHS center with
responsibility for information sharing (see “Information Sharing”) and technical assistance, and
would have authorized DHS to conduct specific activities to protect federal systems, including
risk assessments and access to agency information-system traffic.
S. 2151 would not have amended the HSA but would have provided the Secretary of Homeland
Security with new responsibilities under FISMA. S. 3342 omitted some of those responsibilities
and modified others (see “FISMA Reform”).
Cybersecurity Workforce
Concerns have been raised for several years about the size, skills, and preparation of the federal
and private-sector cybersecurity workforce.27 Six proposals in Table 1 would have addressed
those concerns in various ways:
26 As used here, civil systems means federal information systems other than national security systems (defined in 44
U.S.C. §3542) and mission-critical Department of Defense and Intelligence Community systems (i.e., compromise of
those systems “would have a debilitating impact on the mission” of the agencies [see 44 U.S.C. 3543(c)]).
27 See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace for the 44th
Presidency, December 2008, http://www.csis.org/tech/cyber/; Partnership for Public Service and Booz Allen Hamilton,
Cyber IN-Security: Strengthening the Federal Cybersecurity Workforce, July 2009, http://ourpublicservice.org/OPS/
publications/download.php?id=135; CSIS Commission on Cybersecurity for the 44th Presidency, A Human Capital
Crisis in Cybersecurity, July 2010, http://csis.org/files/publication/
100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf.
Congressional Research Service
9
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• Provide additional federal hiring and compensation authorities (Task Force
Report, H.R. 3674, S. 2105, S. 3414, White House Proposal).
• Establish or enhance educational programs for development of next-generation
cybersecurity professionals28 (Task Force Report, H.R. 2096, H.R. 3834, S. 2105,
S. 3414, S. 2151, S. 3342).
• Assess workforce needs (H.R. 2096, S. 2105, S. 3414, S. 2151, S. 3342).
• Use public/private-sector personnel exchanges (Task Force Report, White House
Proposal).
The workforce-related provisions in S. 2105 and S. 3414 were largely identical. The latter omitted
some education provisions involving the Secretary of Education but added an initiative on state
and local education and training.
Research and Development
The need for improvements in fundamental knowledge of cybersecurity and new solutions and
approaches has been recognized for well over a decade29 and was a factor in the passage of the
Cybersecurity Research and Development Act in 2002 (P.L. 107-305, H.Rept. 107-355). That law
focuses on cybersecurity R&D by NSF and NIST. The Homeland Security Act of 2002, in
contrast, does not specifically mention cybersecurity R&D. However, DHS and several other
agencies make significant investments in it. About 60% of reported funding by agencies in
cybersecurity and information assurance is defense-related (invested by the Defense Advanced
Research Projects Agency [DARPA], NSA, and other defense agencies), with NSF accounting for
about 15%, NIST, DHS, and DOE 5%-10% each.30 Seven of the nine legislative proposals in
Table 1 addressed cybersecurity R&D. Five would have established requirements for R&D on
specific topics such as detection of threats and intrusions, identity management, test beds, and
supply-chain security. Agencies for which the proposals included provisions specifying research
topics or providing funding authorization are
• DHS (H.R. 3674, S. 2105, S. 3414),
• NIST (H.R. 2096, S. 2151, S. 3342),
28 This includes providing requirements or statutory authority for existing programs, such as the joint NSF/DHS
Scholarship-for Service Program (see Office of Personnel Management, “Federal Cyber Service: Scholarship For
Service,” n.d., https://www.sfs.opm.gov/; National Science Foundation, Federal Cyber Service: Scholarship for Service
(SFS), NSF 08-600, Program Solicitation, December 2, 2008, http://www.nsf.gov/pubs/2008/nsf08600/nsf08600.htm),
the NSA/DHS National Centers of Academic Excellence and National Security Agency (“National Centers of
Academic Excellence,” January 10, 2012, http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml), and the U.S.
Cyber Challenge (National Board of Information Security Examiners, “US Cyber Challenge,” 2012,
https://www.nbise.org/uscc).
29 See, for example, National Research Council, Trust in Cyberspace (Washington, DC: National Academies Press,
1999), http://www.nap.edu/catalog/6161.html.
30 The percentages were calculated from data in Subcommittee on Networking and Information Technology Research
and Development, Committee on Technology, Supplement to the President’s Budget for Fiscal Year 2013: The
Networking and Information Technology Research and Development Program, February 2012, http://www.nitrd.gov/
PUBS%5C2013supplement%5CFY13NITRDSupplement.pdf. The total investment for FY2011 was $445 million.
However, agencies may perform additional research not reported as cybersecurity R&D (e.g., some research on
software design or high-confidence systems).
Congressional Research Service
10
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• NSF (H.R. 2096, S. 2105, S. 2151, S. 3342, S. 3414), and
• Multiagency31 (H.R. 3834, S. 2105, S. 2151, S. 3342, S. 3414).
The Task Force Report, H.R. 2096, H.R. 3834, S. 2105, S. 2151, S. 3342, and S. 3414 addressed
planning and coordination of research among federal agencies through the White House National
Science and Technology Council (NSTC) and other entities. The White House Proposal did not
include any specific R&D provisions but included cybersecurity R&D among a set of proposed
requirements for the Secretary of Homeland Security.
FISMA Reform
The “Federal Information Security Management Act of 2002 (FISMA)” was enacted in 2002. It
revised the framework that had been enacted in several previous laws (see Table 2). FISMA has
been criticized for focus on procedure and reporting rather than operational security, a lack of
widely accepted cybersecurity metrics, variations in agency interpretation of the mandates in the
act, excessive focus on individual information systems as opposed to the agency’s overall
information architecture, and insufficient means to enforce compliance both within and across
agencies. Seven legislative proposals in the 112th Congress (the Task Force Report, H.R. 4257, S.
2105, S. 2151, S. 3342, S. 3414, and the White House Proposal) would have revised FISMA,
while retaining much of the current framework:
• All would have continued requirements for agency-wide information security
programs, annual independent review of security programs, and reports on
program effectiveness and deficiencies.
• All included requirements for continuous monitoring of agency systems,
including automated monitoring.
• All would have retained the responsibility of NIST for development of
cybersecurity standards, including compulsory standards. H.R. 4257 would have
retained OMB’s current responsibility for promulgating the standards, whereas S.
2105, S. 2151, S. 3342, S. 3414, and the White House Proposal would have
transferred that responsibility to the Secretary of Commerce.32
• H.R. 4257 would also have retained OMB’s current responsibility for overseeing
federal information-security policy and evaluating agency information-security
programs. S. 2105, S. 3414, and the White House Proposal would have
transferred authorities and functions for information security policy from OMB
to DHS. OMB has already delegated some authorities to DHS administratively,33
31 For example, through the Director of the Office of Science and Technology Policy (OSTP).
32 This authority had been granted to the Secretary of Commerce under the Clinger-Cohen Act of 1996 (P.L. 104-106)
but was transferred to the Director of OMB by the FISMA title in the HSA in 2002 (P.L. 107-296, Section 1002, 40
U.S.C. §11331). Note that the version of the Chapter 35 provisions that is currently in effect (Subchapter III) was
enacted by the FISMA title in the E-Government Act of 2002 (P.L. 107-347, Title III), but that is not the case for 40
U.S.C. §11331, for which the version in the E-Government Act would have retained the authority of the Secretary of
Commerce to promulgate those standards, even though it was enacted after the HSA. The reason for this potentially
confusing difference appears to be that (1) the effective date of HSA was later than that of the E-Government Act, and
(2) HSA changed 44 U.S.C. Chapter 35 by amending the existing subchapter II, which the E-Government Act
explicitly suspended (see also “Federal Information Security Management Act of 2002 (FISMA)”).
33 See Jeffrey Zients, Vivek Kundra, and Howard A. Schmidt, “FY 2010 Reporting Instructions for the Federal
(continued...)
Congressional Research Service
11
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
and the Task Force Report expressed support for that approach. S. 2151 and S.
3342, in contrast, would have transferred that responsibility to the Secretary of
Commerce. However, none of the proposals would have given the Secretaries of
Commerce or Homeland Security authority to approve or disapprove agency
information security plans. Only H.R. 4257 would have expressly retained
OMB’s current power to use its financial authority to enforce accountability.
• S. 2105, S. 3414, and the White House Proposal would have provided new
protective authorities to the Secretary of Homeland Security, including intrusion
detection, use of countermeasures, access to communications and other system
traffic at agencies, as well as the power to direct agencies to take protective
actions and, in the case of an imminent threat, to act without prior consultation to
protect agency systems. S. 2151 would have provided DHS a much more limited
role, requiring it to conduct ongoing security analyses using information
provided by the agencies. S. 3342 would have given that responsibility instead to
OMB.
• Only H.R. 4257 would have retained the current FISMA provision giving OMB
responsibility for ensuring operation of a federal incident center. However, S.
2105, S. 3414, and the White House Proposal each contained other provisions
that would have established centers within DHS that would have provided for
incident reporting, information sharing, and other cybersecurity activities. S.
2151 and S. 3342, in contrast, contained provisions to facilitate reporting to a
number of centers (see “Information Sharing” below).
Protection of Privately Held Critical Infrastructure (CI)
The federal government has identified 18 sectors of critical infrastructure (CI),34 much of which is
owned by the private sector. The federal role in protection of privately held CI has been one of
the most contentious issues in the debate about cybersecurity legislation. There appears to be
broad agreement that additional actions are needed to address the cybersecurity risks to CI,35 but
(...continued)
Information Security Management Act and Agency Privacy Management,” Office of Management and Budget,
Memorandum for Heads of Executive Departments and Agencies M-10-15, April 21, 2010,
http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-15.pdf; and Peter R. Orszag and Howard A. Schmidt,
“Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department
of Homeland Security (DHS),” Office of Management and Budget, Memorandum for Heads of Executive Departments
and Agencies M-10-28, July 6, 2010, http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-
28.pdf.
34 See Department of Homeland Security, “Critical Infrastructure”, May 4, 2012, http://www.dhs.gov/files/programs/
gc_1189168948944.shtm; and CRS Report RL30153, Critical Infrastructures: Background, Policy, and
Implementation, by John D. Moteff.
35 See, for example, House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, Examining the Cyber Threat to Critical Infrastructure and the American
Economy, 2011, http://homeland.house.gov/hearing/subcommittee-hearing-examining-cyber-threat-critical-
infrastructure-and-american-economy; Stewart Baker, Natalia Filipiak, and Katrina Timlin, In the Dark: Crucial
Industries Confront Cyberattacks (McAfee and CSIS, April 21, 2011), http://www.mcafee.com/us/resources/reports/rp-
critical-infrastructure-protection.pdf; and R. E. Kahn et al., America’s Cyber Future: America’s Cyber Future: Security
and Prosperity in the Information Age (Center for a New American Security, May 31, 2011), http://www.cnas.org/files/
documents/publications/CNAS_Cyber_Volume%20I_0.pdf.
Congressional Research Service
12
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
there is considerable disagreement about how much, if any, additional federal regulation is
required. Four of the proposals in Table 1 addressed protection of privately held CI.
Both S. 2105 and the White House Proposal would have required the Secretary of Homeland
Security to
• designate as covered CI those private-sector CI entities for which a successful
cyberattack could have debilitating or catastrophic impacts of national
significance,36 with S. 2105 further requiring the Secretary of Homeland Security
to perform a sector-by-sector risk assessment and use it in prioritizing
designations,
• determine what cybersecurity requirements or frameworks are necessary to
protect them,
• determine whether additional regulations are necessary to ensure that the
requirements are met,
• develop such regulations in consultation with government and private-sector
entities, and
• enforce the regulations.
The regulations proposed by S. 2105 would have required CI owners and operators, unless
exempted,37 to certify compliance annually, based on self- or third-party assessments, and would
have provided civil penalties for noncompliance. The Secretary would also have been authorized
to perform assessments where risks justify such action.
S. 3414, a revision of S. 2105, would instead have established a federal interagency council to
perform the risk assessments through a member agency, identified critical cyber infrastructure,
identified and adopted recommended practices, established incentive-based programs to
encourage voluntary adoption of those practices by owners and operators, and provided
information and technical assistance to them. The council would have been required to coordinate
its activities with relevant private-sector entities. The bill would have permitted federal regulatory
agencies to require use of adopted practices by CI entities they regulate, provided that such
actions are authorized by existing federal law. S. 3414 would also have established a voluntary
program to certify CI entities as complying with the adopted practices. It would have required the
use of third-party assessments and authorize the Council to perform assessments where risks
justify such action.
The White House Proposal would have required owners and operators of covered entities, unless
exempted,38 to submit and attest to compliance plans, and certify compliance annually.
36 S. 2105 would largely exempt information technology products and services from designation as covered CI and the
cybersecurity regulations the bill would authorize.
37 An entity would be exempted if the Secretary of Homeland Security determined that it was already sufficiently
secure or that additional requirements would not substantially improve its security (Section 105(c)(4)). The President
would also be permitted to exempt an entity from the requirements upon determining that current regulations
sufficiently mitigate the risks to the entity (Section 104(f)).
38 This exemption (Section 9(c) in the part of the proposal on CI protection) is similar to the Presidential exemption in
S. 2105 (footnote 37) except that the White House Proposal would give the authority to the Secretary of Homeland
Security.
Congressional Research Service
13
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Independent evaluations would have been performed on a schedule determined by the Secretary.
Civil penalties, shutdown orders, and requirements for use of particular measures would have
been prohibited as enforcement methods.
The Task Force Report recommended that Congress consider targeted and limited additional
regulation of highly regulated industries where required to improve cybersecurity, and that
existing regulations be streamlined. For most CI, however, the report recommended that Congress
adopt a menu of voluntary incentives.39 It also recommended limitations on liability for entities
that comply. S. 2105, S. 3414, and the White House Proposal would also have limited liability for
entities in compliance.
The subcommittee version of H.R. 367440 would have amended the HSA to require the Secretary
of Homeland Security to perform continuous risk assessments of CI for inclusion annually in the
National Infrastructure Protection Plan.41 It would also have required relevant federal regulatory
agencies to review cybersecurity regulations for covered CI (as determined by the Secretary)42
and fill any gaps using a collection of recognized consensus standards, where applicable, and to
work with NIST to develop such standards where necessary. It would have prohibited additional
regulatory authority beyond the collected standards.
The full-committee version of H.R. 367443 would have amended the HSA in a substantially
different way from the subcommittee version. It would have permitted the Secretary to engage in
risk assessments and other protective activities with respect to privately held CI only upon request
by owners and operators. It would have required the Secretary to develop a cybersecurity strategy
for CI systems and stipulates that the bill would not have provided additional authority to DHS
over federal or nonfederal entities.
S. 2151 and S. 3342 did not contain specific provisions for protection of CI similar to those in the
proposals discussed above. However, they would have provided criminal penalties for damage to
CI computers, and, like the proposals discussed above, they contained information sharing
provisions that could be useful in CI protection.
Information Sharing
Barriers to the sharing of information on threats, attacks, vulnerabilities, and other aspects of
cybersecurity—both within and across sectors—have long been considered by many to be a
significant hindrance to effective protection of information systems, especially those associated
with CI.44 Examples have included legal barriers, concerns about liability and misuse, protection
39 Among the possibilities discussed are tying adoption of standards to incentives such as grants and streamlined
regulation, using tax credits, and facilitating the development of a cybersecurity insurance market.
40 This is the version approved by voice vote by the Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies of the House Committee on Homeland Security on February 1, 2012, and forwarded to the full
committee.
41 See Department of Homeland Security, National Infrastructure Protection Plan, 2009, http://www.dhs.gov/xlibrary/
assets/NIPP_Plan.pdf.
42 The criteria in the subcommittee version of H.R. 3674 are generally similar to those in S. 2105 and the White House
Proposal in that they focus on entities for which successful cyberattack could have major negative impacts. The
definitions in the three legislative proposals differ somewhat in emphasis and specificity.
43 This is the version ordered reported by the Committee on Homeland Security on April 18, 2012.
44 See, for example, The Markle Foundation Task Force on National Security in the Information Age, Nation At Risk:
(continued...)
Congressional Research Service
14
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
of trade secrets and other proprietary business information, and institutional and cultural
factors—for example, the traditional approach to security tends to emphasize secrecy and
confidentiality, which would necessarily impede sharing of information.
Proposals to reduce or remove such barriers, including provisions in bills in Table 1, have raised
concerns,45 some of which are related to the purpose of barriers that currently impede sharing.
Examples include risks to individual privacy and even free speech and other rights, use of
information for purposes other than cybersecurity, such as unrelated government regulatory
actions, commercial exploitation of personal information, or anticompetitive collusion among
businesses that would currently violate federal law (see “Antitrust Laws and Section 5 of the
Federal Trade Commission Act”).
Seven proposals in Table 1 had provisions for improving information sharing and addressing
privacy and other concerns:46
• Create entities for information sharing. S. 2105 and S. 3414 would have required
the Secretary of Homeland Security to establish a process for designating federal
and nonfederal information exchanges, including a lead federal exchange
responsible for facilitating information sharing among federal and nonfederal
entities. S. 3414 further specified that federal exchanges be in civilian agencies.
The Task Force Report recommended establishment of a nongovernmental
clearinghouse for sharing cybersecurity information among private-sector and
government entities. The subcommittee version of H.R. 3674 would have created
such an organization, the National Information Sharing Organization (NISO).47
However, those provisions were omitted from the committee version, which
would instead have provided statutory authorization for and specify governance
and responsibilities of the DHS National Cybersecurity and Communications
Integration Center (NCCIC),48 which was established administratively in 2009.49
(...continued)
Policy Makers Need Better Information to Protect the Country, March 2009, http://www.markle.org/
downloadable_assets/20090304_mtf_report.pdf; CSIS Commission on Cybersecurity for the 44th Presidency,
Cybersecurity Two Years Later, January 2011, http://csis.org/files/publication/
110128_Lewis_CybersecurityTwoYearsLater_Web.pdf.
45 See, for example, Greg Nojeim, “WH Cybersecurity Proposal: Questioning the DHS Collection Center,” Center for
Democracy & Technology, May 24, 2011, http://cdt.org/blogs/greg-nojeim/wh-cybersecurity-proposal-questioning-dhs-
collection-center; and Adriane Lapointe, Oversight for Cybersecurity Activities (Center for Strategic and International
Studies, December 7, 2010), http://csis.org/files/publication/101202_Oversight_for_Cybersecurity_Activities.pdf. See
also comments received by a Department of Commerce task force (available at http://www.nist.gov/itl/
cybersecnoi.cfm) in conjunction with development of this report: Internet Policy Task Force, Cybersecurity,
Innovation, and the Internet Economy (Department of Commerce, June 2011), http://www.nist.gov/itl/upload/
Cybersecurity_Green-Paper_FinalVersion.pdf. See also footnote 21.
46 H.R. 3674 would address the issue by amending the HSA and H.R. 3523 by amending the National Security Act of
1947. The other proposals do not couch their provisions as amendments to current law.
47 House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security
Technologies, “Hearing on Draft Legislative Proposal on Cybersecurity,” 2011, http://homeland.house.gov/hearing/
subcommittee-hearing-hearing-draft-legislative-proposal-cybersecurity.
48 Department of Homeland Security, “National Cybersecurity and Communications Integration Center”, December 6,
2011, http://www.dhs.gov/files/programs/nccic.shtm.
49 Department of Homeland Security Office of Inspector General, “Secretary Napolitano Opens New National
Cybersecurity and Communications Integration Center,” Press Release, October 30, 2009, http://www.dhs.gov/ynews/
releases/pr_1256914923094.shtm. The subcommittee version of H.R. 3476 would also have provided statutory
(continued...)
Congressional Research Service
15
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
S. 2151 and S. 3342 would not have authorized any new entities but listed a set
of existing centers to which their information-sharing provisions would have
applied. The DHS center that the White House Proposal would have established
(see “DHS Authorities for Protection of Federal Systems”) would have had
information sharing as one of its responsibilities.
• Establish provisions for sharing classified information. The Task Force Report,
H.R. 3523, S. 2105, S. 2151, S. 3342, and S. 3414 would have established
procedures to permit sharing of classified cybersecurity information with private-
sector entities that meet specific criteria.
• Establish authority for information sharing by and with private-sector entities.
• H.R. 3523 would have permitted cybersecurity providers or self-protected
entities to share threat information with other designated entities,
notwithstanding any other provision of law. Federal agencies receiving such
information would have been required to share it with NCCIC, which could
have shared it with other federal entities upon request of the provider of the
information.
• S. 2105 would have expressly permitted disclosure of lawfully obtained
threat indicators among private-sector entities, with the exchanges the bill
would establish, and by federal entities with other relevant federal or private
entities, notwithstanding any other provision of law. S. 3414 was similar but
restricted disclosure by federal entities to cybersecurity and law-enforcement
purposes.
• S. 2151 and S. 3342 would have permitted nonfederal entities to share threat
information with cybersecurity centers or with other nonfederal entities for
the purpose of addressing threats. S. 2151 would have required providers of
communications, remote computing, and cybersecurity services under federal
contracts to share with cybersecurity centers, through the contracting agency,
any threat information related to the contract. S. 3342 would instead have
required a coordinated process through which providers would inform federal
entities of significant incidents with impacts on their missions, with the entity
reporting the information to a cybersecurity center. S. 2151 would have
permitted centers to disclose threat information for specified purposes to
federal entities, service providers, and nonfederal government entities,
whereas S. 3342 would not have permitted centers to disclose such
information to service providers.
• The White House Proposal would have permitted nonfederal entities to
disclose information to a designated cybersecurity center for purposes of
protection from cybersecurity threats and would have permitted federal
agencies to disclose such information to relevant private entities.
• Limit disclosure of shared information. The Task Force Report, the subcommittee
version of H.R. 3674, H.R. 3523, S. 2105, S. 2151, S. 3342, S. 3414, and the
White House Proposal would all have provided exemptions from the “Freedom
(...continued)
authority for NCCIC, but would have given it somewhat different responsibilities.
Congressional Research Service
16
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
of Information Act (FOIA)” for cybersecurity information.50 All would also have
restricted disclosure in other ways, such as expressly requiring that it be for
specified cybersecurity purposes, although specific requirements vary.
• Limit government use of information to specified purposes. The Task Force
Report, H.R. 3523, H.R. 3674, S. 2151, and S. 3342 would have expressly
restricted or prohibited regulatory use of shared information. S. 2105, S. 3414,
and the White House Proposal would have limited use of acquired information to
cybersecurity or law enforcement purposes. In addition to those uses, H.R. 3523,
S. 2151, and S. 3342 would have permitted use for national security, and H.R.
3523 and S. 3414 would have added protection from physical harm and, for
minors, from sexual exploitation and threats to physical safety.
• Limit liability for information sharing. The Task Force Report, H.R. 3523, S.
2105, S. 2151, S. 3342, S. 3414, and the White House Proposal would have
protected nonfederal entities from liability for information shared or other
specified actions taken in accordance with the provisions in the legislative
proposal. H.R. 3523 would also have provided for limited liability for federal
violations of restrictions in the bill on disclosure, use, and protection of shared
information, and S. 3414 for violations of title provisions or related regulations.
The subcommittee version of H.R. 3674 would have permitted actual and
punitive civil damages against persons who disclose or use for purposes other
than cybersecurity the information that is disclosed to private entities.
• Provide privacy and civil liberties protections. All five proposals called for
privacy protections. The Task Force Report recommended that in providing safe
harbors for entities involved in information sharing, “the protection of personal
privacy should be at the forefront” (p. 7). It also recommended that the proposed
nongovernmental clearinghouse have a privacy board.
• H.R. 3523 would have permitted the federal government to “undertake
reasonable efforts to limit the impact on privacy and civil liberties” of shared
information and required the Inspector General of the Intelligence
Community to include, in an annual report to Congress, metrics on impacts
of sharing on privacy and civil liberties.51 It would also have required
“appropriate” anonymization of shared information.52 In addition, the bill
would have prohibited federal use of identifying information from specified
sets of library, sales, tax, education, or medical records.
• The subcommittee version of H.R. 3674 would have required that two
members of the NISO board of directors be representatives from the privacy
and civil liberties community (the committee version), that the NISO charter
and procedures include privacy and civil liberties protections, and that
anonymization procedures, such as removal of personally identifiable
information, be used for shared information. The committee version would
have created a similar board for the NCCIC and would have required
50 The committee version of H.R. 3674 includes a FOIA exemption by reference to the amendments to Title XI of the
“National Security Act of 1947” that would be made by H.R. 3523.
51 Section 1104(c)(7) of the National Security Act as added by Section 2(a) of the bill.
52 Section 1104(b)(3)(A) as added.
Congressional Research Service
17
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
ongoing review by the DHS privacy officer of departmental policies and
activities.
• S. 2105 and S. 3414 would have required the director of the DHS center to
appoint a privacy officer, create guidelines for protection of privacy and civil
liberties, and ensure that center activities comply with federal requirements.
The bill would also have required the Secretary of Homeland Security to
develop policies and procedures to minimize the impacts of information
sharing involving the exchanges that would be established by the bill. It
would have required three relevant reports: (1) an annual joint report to
Congress by the DHS and Department of Justice privacy officers assessing
impacts; (2) a report from the Privacy and Civil Liberties Oversight Board53
assessing impacts and recommending statutory changes; and (3) a joint report
by the Secretary of Homeland Security, the Director of National Intelligence,
the Attorney General, and the Secretary of Defense that would have included
disclosure of significant noncompliance by nonfederal entities with the
requirements of the information sharing title of the bill, especially with
respect to privacy and civil liberties, with recommendations for any statutory
changes (S. 2105) or that identified changes in the information technology
environment that challenged the adequacy of the law (S. 3414).
• S. 2151 would have required the heads of agencies with cybersecurity centers
to jointly develop procedures for sharing information. Those would have
considered the need for protection of privacy and civil liberties through
anonymization and other means. S. 3342 would in addition have permitted
efforts to limit impacts from sharing on privacy and civil liberties. Both bills
would also have required biennial joint implementation reports from the
agency heads, including review of how shared information may impact
privacy and civil liberties, the adequacy of steps to reduce such impact, and
any recommended changes to authorities.
• The White House Proposal would have required that “reasonable efforts” be
taken “to remove information that can be used to identify specific persons
unrelated to the cybersecurity threat.”54 It would have added a new Section
248 to the HSA on privacy and civil liberties relating to cybersecurity. It
would have required the Secretary of Homeland Security, in consultation
with privacy and civil liberties experts, to develop and periodically review
policies and procedures on information access, disclosure, and use. The
policies and procedures would have been required to minimize impacts on
privacy and civil liberties, safeguard identities, protect confidentiality as
much as possible, and provide limits on access, use, and disclosure of
information. Agency heads would have been required to develop policies for
handling information associated with specific persons, to establish programs
to monitor and oversee compliance with DHS and agency policies, and to
develop and enforce sanctions for violations by agency personnel. The above
policies and procedures would have been subject to review and approval by
the Attorney General. Like S. 2105, the White House Proposal would have
53 The board was established by the “Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA).”
54 Section 245(a)(1) as added to the HSA by the proposal.
Congressional Research Service
18
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
required an annual joint report to Congress by the DHS and Department of
Justice privacy officers assessing impacts, and a report from the Privacy and
Civil Liberties Oversight Board assessing impacts and recommending
statutory changes.
Other Topics
Cybercrime Law. S. 2151, S. 3342, the White House Proposal, and the Task Force Report would
each have revised current criminal statutes relating to cybersecurity, including criminalizing the
damaging of computers associated with critical infrastructure (CI).55
Data Breach Notification. The White House Proposal and the Task Force Report would also both
have set federal requirements for data breach notification—public notification in cases where a
security breach poses significant risks of exposure of sensitive personal information. For more
information on this issue, including discussion of bills that would address it, see CRS Report
R42474, Selected Federal Data Security Breach Legislation, by Kathleen Ann Ruane and CRS
Report R42475, Data Security Breach Notification Laws, by Gina Stevens.
Some proposals addressed additional topics not discussed in this overview. For example, H.R.
2096 would have require NIST to develop a strategy for federal use of cloud computing. The
White House Proposal would have restricted the power of state and local governments to require
business entities to locate data centers within the state or locality. To the extent that such topics
would have been addressed by amending current statutes, they are discussed below under the
relevant laws.
Discussion of Proposed Revisions of
Current Statutes
To identify laws that might be considered candidates for revision, CRS conducted a broad search,
consulting with various experts and examining various sources, including legislative proposals in
the 111th and 112th Congresses. That search yielded more than 50 potentially relevant statutes (see
Table 2), of which proposed revisions were identified for 31.56 For each of the latter group, the
report contains an entry that includes
• the popular name of the statute;57
• the public law number, along with Statutes-at-Large and relevant U.S. Code
citations;58
55 For discussion of federal cybercrime laws, see CRS Report 97-1025, Cybercrime: An Overview of the Federal
Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle; and CRS Report R40599,
Identity Theft: Trends and Issues, by Kristin M. Finklea. See also the discussions of criminal statutes in this report.
56 There are 27 entries, but the one on antitrust laws consists of four different statutes. Neither of the two lists is
intended to be definitive or exhaustive. For example, some analysts may argue that more agency authorization statutes
should be included, or, alternatively, that some of the statutes that are included are not of significant relevance.
57 This is the name by which the statute is commonly known.
58 The public law (P.L.) and United States Statutes at Large (Stat.) citations refer to the original law to which the
popular name currently applies. Laws enacted before 1957 generally do not have public law numbers but chapter
(continued...)
Congressional Research Service
19
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• a brief description of the relevance of the statute for cybersecurity;59 and
• discussion of potential revisions or updates that have been suggested.60
Entries are in chronological order.61 The statutes discussed include only those for which CRS
identified specific proposals to revise them from various observers and in public sources.62 It does
not include proposals for new provisions of federal law that were not identified explicitly as
revisions of current named statutes.
One example is the recommendations for statutory language on data-breach notification in the
White House Proposal and the Task Force Report. Neither those two documents, nor the bills on
the issue that have been introduced in the 112th Congress,63 specify named statutes to be revised.
One of those bills, S. 1151, would revise 18 U.S.C. Chapter 47 (Fraud and False Statements) by
adding a new section at the end, but that provision does not modify any named statute specified
either in the bill or in the U.S. Code. It is therefore not included in the discussion below.
However, the bill would also revise 18 U.S.C. §1030, which was added by the “Counterfeit
Access Device and Computer Fraud and Abuse Act of 1984,” so that provision is discussed.
Another example is bills with provisions clearly related to a named statute, but that do not
explicitly modify that statute. One example from the 111th Congress is H.R. 5590, which had
cybersecurity provisions that might be interpreted as modifications to the HSA but were not cited
as such. Such provisions are not discussed in this report because their effects on specific statutes
could not be determined with certainty.
The approach taken in this report of focusing on statutes by their popular names is useful in many
cases, but it has some significant limitations, particularly with respect to the U.S. Code. Some
laws, such as the USA Patriot Act of 2001 (see Table 2), may be classified across many titles and
(...continued)
numbers (Ch.) instead. U.S. Code (U.S.C.) citations refer to the codified law, including any amendments, of those
provisions deemed most relevant for cybersecurity as discussed in the text under that law (see also footnote 59). For
more information about citation forms, see Law Library of Congress, “Federal Statutes,” April 4, 2011,
http://www.loc.gov/law/help/statutes.php. More complete cross-references of public laws to corresponding provisions
of U.S. Code can be found in classification tables (see, for example, U.S. House of Representatives, Office of the Law
Revision Counsel, “U.S. Code Classification Tables,” 2011, http://uscode.house.gov/classification/tables.shtml).
59 In some cases, such as the Cybersecurity Research And Development Act, P.L. 107-305, the entire statute is relevant
to cybersecurity. In others, such as the Omnibus Crime Control and Safe Streets Act of 1968, P.L. 90-351, the statute
has a broader focus and only the provisions relevant to the text are cited and described. However, given that
cybersecurity is not a precise concept, there may in some cases be legitimate disagreements among experts about which
provisions are relevant. Therefore, the descriptions and U.S. Code citations cannot be considered definitive.
60 The discussion is provided for purposes of information only. CRS does not propose legislation or take positions or
make recommendations on legislative proposals or issues. Contributing CRS staff include Patricia Moloney Figliola,
Kristin M. Finklea, Eric A. Fischer, Wendy R. Ginsberg, John Rollins, Kathleen Ann Ruane, Gina Stevens, Rita Tehan,
and Catherine A. Theohary. Entries for which no contributor is indicated were written by Eric A. Fischer.
61 The order is by date of enactment of the earliest relevant statute, as assessed by CRS. This organization, rather than
alternatives such as by topic or U.S. Code title, was chosen because it provides the best view of the evolution of
legislation in this area.
62 Sources are cited where they could be specifically identified.
63 Data-breach notification is also covered by H.R. 1528, H.R. 1707, H.R. 1841, H.R. 2577, S. 1151, S. 1207, S. 1480,
and S. 1535.
Congressional Research Service
20
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
sections,64 which may make analysis more challenging. Fortunately, that did not prove to be a
significant concern for this report.
However, lack of correspondence between named laws and proposed modification of provisions
in the U.S. Code, described above, may in some cases result in significant gaps in coverage of
relevant provisions of law relating to cybersecurity by an approach such as the one taken here.
Therefore, the analysis presented here should not be regarded as complete.
Posse Comitatus Act of 1879
Ch. 263, 20 Stat. 152.
18 U.S.C. §1385.65
Major Relevant Provisions
• Restricts the use of military forces in civilian law enforcement within the United
States, unless it is within a federal government facility.66
• Courts have ruled that violations of the act occur when civilian law enforcement
makes “direct active use” of military investigators, when use of the military
pervades the activities of the civilian officials, or when the military is used so as
to subject citizens to military power that is regulatory, prescriptive, or
compulsory in nature.
Possible Updates
• Some observers claim that the act prevents the military from cooperating on
cybersecurity with civil agencies that may lack the resident expertise and
capabilities of the military and DOD.67 In addition, it may sometimes be difficult
to distinguish a criminal cyber attack from one involving national defense,
especially if the attack is on a component of critical infrastructure.
• Some have therefore proposed that the act be amended to clarify when U.S.
military can operate domestically regarding cyber threats to such infrastructure,
most of which is privately owned. Others maintain that no revision is needed
because the President has the authority under current law to direct the military to
support civil authorities in the event of a domestic disaster.
• A memorandum of agreement signed between DHS and DOD may increase the
likelihood that the military would play a significant role in responding to a major
64 This act was classified to 15 titles.
65 Prepared by Catherine A. Theohary, Analyst in National Security Policy and Information Operations
(ctheohary@crs.loc.gov, 7-0844).
66 For further discussion, see CRS Report RS22266, The Use of Federal Troops for Disaster Assistance: Legal Issues,
by Jennifer K. Elsea and R. Chuck Mason.
67 For example, see Jeffrey K. Toomer, “A Strategic View of Homeland Security: Relooking the Posse Comitatus Act
and DOD’s Role in Homeland Security” (monograph, School of Advanced Military Studies, United States Army
Command and General Staff College, Fort Leavenworth, Kansas, July 11, 2002), http://www.dtic.mil/cgi-bin/
GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA403866.
Congressional Research Service
21
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
cyber attack on U.S. information networks.68 However, some argue that the
defense of U.S. information systems should be solely the purview of civilian
agencies such as DHS and the FBI, because involvement of the military creates
unacceptable privacy and civil liberties concerns.
Antitrust Laws and Section 5 of the Federal Trade Commission Act
Sherman Antitrust Act
Ch. 647, 26 Stat. 209.
15 U.S.C. §§1-7.
Wilson Tariff Act
Ch. 349, §73, 28 Stat. 570.
15 U.S.C. §§8-11.
Clayton Act
P.L. 63-212, 38 Stat. 730.
15 U.S.C. §§12-27.
Section 5 of the Federal Trade Commission Act (FTC Act)
Ch. 311, §5, 38 Stat. 719.
15 U.S.C. §45(a).69
When referred to in statute, the term “antitrust laws” generally means the three laws listed in 15
U.S.C. §12(a), which are the first three statutes listed above. Also frequently included in the list
of antitrust laws is Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.
Section 5 is included because courts have found that unfair competition includes, at the least,
activity that would violate the Sherman or Clayton Acts.70
Major Relevant Provisions
• The antitrust laws as well as Section 5 of the FTC Act are a collection of statutes
that forbid combinations or agreements that unreasonably restrain trade.71
Whenever competitors in a given market share information, antitrust concerns
may be raised due to the risk of collusion among competitors.72
68 Department of Homeland Security and Department of Defense, “Regarding Cybersecurity.” The MOA provides
terms for sharing of personnel, equipment, and facilities by the two agencies to improve planning, capabilities, and
mission activities in national cybersecurity efforts.
69 Prepared by Kathleen Ann Ruane, Legislative Attorney (kruane@crs.loc.gov, 7-9135).
70 See, e.g., United States v. American Airlines Inc., 743 F.2d 1114 (5th Cir. 1984); FTC v. Motion Picture Advertising
Serv. Co., 344 U.S. 392, 394-95 (1953); FTC v. Cement Institute, 333 U.S. 683, 694 (1948); Fashion Originators’
Guild v. FTC, 312 U.S. 457, 463-64 (1941).
71 See Standard Oil Co. v. U.S., 221 U.S. 1 (1911).
72 See Federal Trade Commission and Department of Justice, Antitrust Guidelines for Collaborations among
Competitors, April 2000, http://www.ftc.gov/os/2000/04/ftcdojguidelines.pdf.
Congressional Research Service
22
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Possible Updates
Information sharing agreements between private corporations may be subject to antitrust scrutiny,
because the sharing of information among competitors could create opportunities for
collaboration with the goal of restraining trade.73 However, information sharing agreements to
combat cybersecurity may be in compliance with antitrust principles so long as their goals are to
combat cyber threats rather than restrain competition.74
Some may argue that in order to develop effective and efficient information sharing agreements to
combat cybersecurity threats, an explicit exemption from the antitrust laws for these agreements
is necessary. Congress has previously proposed such an exemption. For example, H.R. 2435
(107th Congress) would have granted an express exemption from the antitrust laws and from
Section 5 of the FTC Act to persons making and implementing agreements entered into solely for
the purpose of “facilitating the correction or avoidance of a cyber security-related problem or
communication of or disclosing information to help correct or avoid the effects of a cyber
security-related problem.” Such an exemption, if enacted by Congress, would allow market
participants to engage in information sharing for the purposes of combating cybersecurity threats
without concern for implicating the antitrust laws. In the 112th Congress, the Task Force Report
stated that an antitrust exemption might be required.75 H.R. 3523 did not specifically mention
antitrust laws, but would have permitted sharing of cybersecurity information among private-
sector entities “notwithstanding any other provision of law.” S. 2151 and S. 3342 would have
expressly exempted from antitrust laws the exchange among private entities of information
relating to cybersecurity threats.
Others may argue that the antitrust laws are flexible in nature, particularly as they relate to
information sharing agreements, and the laws are flexibly applied by the agencies of
jurisdiction.76 This flexible nature may obviate the need for express exemptions from the
application of the laws, while keeping the antitrust agencies involved in and aware of the
information sharing agreements companies are making.77 The agencies have expressed a view
that if competitors are collaborating for reasons that do not restrain trade or hamper competition,
and safeguards are in place to prevent such restraint, the antitrust laws should not hinder such
collaboration.78 The Department of Justice (DOJ) currently allows companies wishing to create
information sharing arrangements for permissible and procompetitive purposes to submit their
plans for collaboration to the agency.79 The agency then reviews the plans and, if the plans are
approved, issues what is known as a business review letter.80 The business review letter will
generally state that DOJ does not intend to enforce the antitrust laws against the proposed
73 Ibid.
74 Ibid. (noting that many collaborations among competitors are “not only benign, but procompetitive”).
75 House Republican Cybersecurity Task Force, Recommendations, p. 11.
76 See Amitai Aviram, “Network Responses to Network Threats,” in The Law and Economics of Cybersecurity, ed.
Mark Grady and Francesco Parisi (New York: Cambridge University Press, 2006), 157-158.
77 See Federal Trade Commission and Department of Justice, Antitrust Guidelines.
78 Ibid.
79 28 C.F.R. §50.6.
80 Federal Trade Commission and Department of Justice, Antitrust Guidelines.
Congressional Research Service
23
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
collaboration. DOJ has issued business review letters to companies who have developed plans to
share information to combat cybersecurity threats.81
National Institute of Standards and Technology Act
Ch. 872, 31 Stat. 1449.
15 U.S.C. §271 et seq.
Major Relevant Provisions
The original act gave the agency responsibilities relating to technical standards. Later
amendments added more generally relevant provisions and, more specifically,
• Identified relevant research topics, among them computer and telecommunication
systems, including information security and control systems.82
• Established a computer standards program at the National Institute of Standards
and Technology (NIST).83
Possible Updates
Despite NIST’s current authority to conduct research on computers and information security,
some concerns have been raised about whether those activities should be enhanced in light of the
evolving threat environment for cybersecurity. In the 111th Congress, H.R. 4061, which was
passed by the House, would have required NIST to conduct intramural research on identity
management and the security of information systems, networks, and industrial control systems. A
similar bill, H.R. 2096, was considered in the 112th Congress.
Federal Power Act
Ch. 285, 41 Stat. 1063.
16 U.S.C. §791a et seq., §824 et seq.84
Major Relevant Provisions
• Established the Federal Energy Regulatory Commission (FERC) and gave it
regulatory authority over interstate sale and transmission of electric power.
81 Joel I. Klein, Assistant Attorney General, to Barbara Greenspan, Associate General Counsel, Electric Power Institute,
Inc., October 2, 2000, http://www.justice.gov/atr/public/busreview/6614.htm.
82 15 U.S.C. §272, as amended by the Technology Competitiveness Act, Subtitle B of Title V of P.L. 100-418, the
Omnibus Trade and Competitiveness Act of 1988, which also changed the name of the agency from the National
Bureau of Standards to the National Institute of Standards and Technology, and changed the name of the act to the
National Institute of Standards and Technology Act.
83 15 U.S.C. §§278g-3 and -4, as added by the Computer Security Act of 1987. See also “Federal Information Security
Management Act of 2002 (FISMA).”
84 The law was originally enacted in 1920 as the Federal Water Power Act but was renamed the Federal Power Act in
1935 (49 Stat. 863, 16 U.S.C. §791a).
Congressional Research Service
24
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Possible Updates
Concerns about the vulnerability of the electric grid to cyber attack have increased substantially
over the last several years.85 Although the Energy Policy Act of 2005 (P.L. 109-58) gave FERC
responsibility for developing reliability standards for power systems, limitations to that authority
and to the usefulness of the standards-development process to respond effectively to rapidly
emerging cybersecurity threats have raised concerns about the need for enhancing FERC’s
authority to address those threats, especially in light of the development of smart-grid
technology.86 Several bills were introduced in the 111th Congress (H.R. 2165, H.R. 2195, H.R.
5026, S. 946, S. 1462) in response. H.R. 5026, which was passed by the House, would have
expanded FERC’s jurisdiction over electric infrastructure and authorized FERC to order actions
by relevant entities in response to threats to cybersecurity. In the 112th Congress, S. 1342 would
also have provided expanded cybersecurity authorities to FERC, and H.R. 668 would have given
FERC emergency authorities in response to events causing large-scale disruptions of the electric
grid.
Communications Act of 1934
Ch. 652, 48 Stat. 1064.
47 U.S.C. §151 et seq.87
Major Relevant Provisions
• Established the Federal Communications Commission (FCC) and gave it
regulatory authority over both domestic and international commercial wired and
wireless communications.
• Provides the President with authority in a national emergency to control “any or
all stations or devices capable of emitting electromagnetic radiations,” and in
case of war or threat of war, to close “any facility or station for wire
communication” (Section 706 of the act, 47 U.S.C. §606).
Possible Updates
Some observers have proposed that the act should be revised to give the FCC more of a role in
cybersecurity, especially given the growing merging of information and communications
technology (ICT) and their increasing importance in the U.S. economy. In fact, a number of other
countries have more unified governance of ICT than the United States.88
Some controversy exists about whether the Section 706 authorities described above permit the
President to shut down Internet communications during a war or national emergency, a power that
85 See, for example, H.Rept. 111-493, S.Rept. 111-331.
86 CRS Report R41886, The Smart Grid and Cybersecurity—Regulatory Policy and Issues, by Richard J. Campbell.
87 See also “Communications Decency Act of 1996.”
88 See, for example, Elgin M. Brunner and Manuel Suter, International CIIP Handbook 2008/2009 (Center for Security
Studies, ETH Zurich, 2008), http://www.css.ethz.ch/publications/CIIP_HB_08.
Congressional Research Service
25
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
has sometimes been referred to as the “Internet kill switch.”89 However, there does not appear to
be a consensus about whether in fact such additional authority is needed, or, if it is not, whether
additional legislation is needed to clarify and delimit it.
That debate became acute during Senate consideration of S. 773 and S. 3480 in the 111th
Congress. Those bills would have authorized emergency measures by the President if the
operation of critical infrastructure were threatened by cyber attack. A similar provision was
proposed in S. 413 in the 112th Congress.90 This bill also contained a provision that would
expressly deny the federal government of any authority to “shut down the Internet.”
National Security Act of 1947
Ch. 343, 61 Stat. 495
50 U.S.C. 401 et seq.
Major Relevant Provisions
• Provided the basis for the modern organization of U.S. defense and national
security by reorganizing military and intelligence functions in the federal
government.
• Created the National Security Council, the Central Intelligence Agency, and the
position of Secretary of Defense.
• Established procedures for access to classified information.
Possible Updates
A broad consensus exists that a significant barrier to improving cybersecurity is limitations on
sharing of information, including classified information, about cyber-threats and attacks.91 H.R.
3523 would have addressed that concern by amending the act to facilitate sharing of intelligence
information relating to cybersecurity, including classified information, between federal
intelligence entities and private-sector providers of cybersecurity services, and to facilitate the
identification and sharing of threat information by providers. The bill also included provisions for
protection from liability for entities sharing information and exemption from disclosure of that
information under the “Freedom of Information Act (FOIA).”
See also “Information Sharing.”
89 See also CRS Report R41674, Terrorist Use of the Internet: Information Operations in Cyberspace, by Catherine A.
Theohary and John Rollins.
90 S. 413 is largely identical to S. 3480. Both would provide the authority for the emergency measures through a
revision of the Homeland Security Act, not the Communications Act. In addition, they would assign the authority to
implement Section 706 to the head of a White House office to be created by the bills. The provision in S. 773 was not
presented as a revision to a specified law.
91 For example, the Task Force Report states, “There is widespread agreement that greater sharing of information is
needed within industries, among industries, and between government and industry in order to improve cybersecurity
and to prevent and respond to rapidly changing threats. For example, through intelligence collection, the federal
government has insights and capabilities that many times are classified but would be useful to help defend private
companies from cybersecurity attacks” (House Republican Cybersecurity Task Force, Recommendations, p. 10).
Congressional Research Service
26
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
U.S. Information and Educational Exchange Act of 1948
(Smith-Mundt Act)
Ch. 36, 62 Stat. 6.
22 U.S.C. §1431 et seq.92
Major Relevant Provisions
• Restricts the State Department from disseminating public diplomacy information
domestically and limits its authority to communicate with the American public in
general (22 U.S.C. §1461-1a).93 The domestic dissemination provision originally
applied to the now defunct U.S. Information Agency (USIA), which was
abolished and its functions transferred to the Secretary of State by P.L. 105-277
(22 U.S.C. §6532).94
Possible Updates
Critics maintain that the law is a Cold War relic intended only to restrict the USIA, which no
longer exists, from propagandizing Americans with public diplomacy and information materials
that were intended for a foreign audience. Those critics argue that the restrictions were created
before the advent of the Internet, and the provisions create an obsolete barrier that serves only to
prevent the State Department from communicating effectively. Some have also argued that the
law has been interpreted to prohibit the military from conducting information operations in
cyberspace, as some of those activities could be considered propaganda that could reach U.S.
citizens, since the United States does not restrict Internet access according to territorial
boundaries.
Yearly appropriations bills for both the State Department and Department of Defense include
restrictions on use of funds for “propaganda” activities, although the word “propaganda” is not
defined. In the 111th Congress, H.R. 5729 would have removed the so-called “firewall” between
domestic and foreign audiences by explicitly authorizing the Department of State to disseminate
information through the Internet and information media, stating that the resolution shall “not be
construed to prohibit the Department from engaging in any medium of information on a
presumption that a U.S. domestic audience may be exposed to program material.” However, this
provision would have applied only to the State Department; it would not have included DOD or
other federal departments or agencies.
92 Prepared by Catherine A. Theohary, Analyst in National Security Policy and Information Operations
(ctheohary@crs.loc.gov, 7-0844).
93 This restriction was added by the Foreign Relations Authorization Act, Fiscal Years 1986 and 1987 (P.L. 99-93, 99
Stat. 431) and was not part of the original act.
94 For discussion, see CRS Report R40989, U.S. Public Diplomacy: Background and Current Issues, by Kennon H.
Nakamura and Matthew C. Weed.
Congressional Research Service
27
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
State Department Basic Authorities Act of 1956
Ch. 841, 70 Stat. 890.
22 U.S.C. §2651a.
Major Relevant Provisions
• Specifies the organization of the Department of State, including the positions of
coordinator for counterterrorism and for HIV/AIDS response.
Possible Updates
As the Internet becomes increasingly international, concerns have been raised about the
development and coordination of international efforts in cybersecurity by the United States.95 In
the 111th Congress, S. 3193 would have addressed those concerns by establishing a coordinator
for cyberspace and cybersecurity issues within the Department of State. S. 1426 in the 112th
Congress contained a similar provision.
Freedom of Information Act (FOIA)
P.L. 89-487, 80 Stat. 250.
5 U.S.C. §552.96
Major Relevant Provisions
• Enables any person to access—without explanation or justification—existing,
identifiable, unpublished executive-branch agency records, unless the material
falls within any of FOIA’s nine categories of exemption from disclosure.
Possible Updates
Sharing of cybersecurity information between the federal government and nonfederal entities is
widely considered to be an essential need, especially with respect to the protection of critical
infrastructure (CI). However, attempts to encourage the private sector to share sensitive CI
information with the federal government have, at times, been met with concerns that such records
could be subject to public release under FOIA, resulting in potential economic or other harm to
the source.
Among the nine exemptions that permit agencies to withhold applicable records are three that
may particularly apply to cybersecurity information:
95 See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace for the 44th
Presidency, December 2008, http://www.csis.org/tech/cyber/; The White House, Cyberspace Policy Review, May 29,
2009, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; and The White House,
International Strategy for Cyberspace.
96 Prepared by Wendy R. Ginsberg, Analyst in Government Organization and Management (wginsberg@crs.loc.gov, 7-
3933).
Congressional Research Service
28
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• Exemption 1: information properly classified for national defense or foreign
policy purposes as secret under criteria established by an executive order.
• Exemption 3: data specifically exempted from disclosure by a statute other than
FOIA if that statute meets criteria laid out in FOIA.97
• Exemption 4: trade secrets and commercial or financial information obtained
from a person that is privileged or confidential.98
An example of Exemption 3 is Section 214 of the HSA (see p. 41), which exempts information
about the security of critical infrastructure and protected systems that is voluntarily submitted to
an agency covered under the act, provided that the entity that supplies the information expressly
requests the exemption concurrently.
Despite these existing protections, some private-sector entities may still have concerns about
public release of sensitive records—that existing laws may not be specific enough to protect
particular types of records, or they may be too narrow to protect all records of concern. The White
House Proposal would have addressed such concerns by applying Exemption 3 to any lawfully
obtained information provided to DHS for cybersecurity purposes.99 The Task Force Report also
suggested that a FOIA exemption may be needed,100 and several bills, including H.R. 3523, S.
2105, S. 2151, S. 3342, and S. 3414 would have provided such a FOIA exemption, although none
of those proposals would have directly modified the statute. Adding such broad exemptions to
FOIA, however, could nevertheless prompt concerns about decreases in federal transparency.
97 The statute must require that the data be withheld from the public in such a manner as to leave no discretion on the
issue, establish particular criteria for withholding information or refer to particular types of matters to be withheld, or
specifically cite the exemption if enacted after October 28, 2009, the date of enactment of the OPEN FOIA Act of
2009, P.L. 111-83. These exemptions are also called “b(3) exemptions” because they are created pursuant to 5 U.S.C.
§552(b)(3).
98 Other exemptions may also sometimes apply to cybersecurity information. For further discussion of FOIA and its
exemptions, see CRS Report R41933, Freedom of Information Act (FOIA): Background and Policy Options for the
112th Congress, by Wendy Ginsberg, CRS Report R41406, The Freedom of Information Act and Nondisclosure
Provisions in Other Federal Laws, by Gina Stevens.
99 See “Sec. 245. Voluntary Disclosure of Cybersecurity Information,” in The White House, “Department of Homeland
Security Cybersecurity Authority and Information Sharing,” May 12, 2011, p. 8–9, http://www.whitehouse.gov/sites/
default/files/omb/legislative/letters/dhs-cybersecurity-authority.pdf.
100 Specifically, it states, “information sharing within existing structures can be improved through limited safe harbors
when private sector entities voluntarily disclose threat, vulnerability, or incident information to the federal government
or ask for advice or assistance to help increase protections on their own systems. These protections would need to
address concerns about antitrust issues, liability, an exemption from the Freedom of Information Act (FOIA),
protection from public disclosure, protection from regulatory use by government, and whether or not a private entity is
operating as an agent of the government. However, the protection of personal privacy should be at the forefront of any
limited legal protection proposal” (House Republican Cybersecurity Task Force, Recommendations, p. 11).
Congressional Research Service
29
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Omnibus Crime Control and Safe Streets Act of 1968
P.L. 90-351, 82 Stat. 197.
42 USC Chapter 46, §§3701 to 3797ee-1.
Major Relevant Provisions
• Title I established federal grant programs and other forms of assistance to state
and local law enforcement.
• Title III is a comprehensive wiretapping and electronic eavesdropping statute that
not only outlawed both activities in general terms but that also permitted federal
and state law enforcement officers to use them under strict limitations.101
Possible Updates
The incidence of cybercrime has increased dramatically over the last decade.102 State and local
law enforcement agencies play an important role in combating cybercrime, but concerns have
been raised about their abilities to invest sufficient resources in enforcement activities. In the
111th Congress, H.R. 1292 would have added a program for law enforcement grants to state and
local criminal justice agencies and relevant nonprofit organizations to combat “white collar
crime,” including cybercrime.
Racketeer Influenced and Corrupt Organizations Act (RICO)
P.L. 91-452, 84 Stat. 941.
18 U.S.C. Chapter 96, §§1961-1968.
Major Relevant Provisions
• Enlarges the civil and criminal consequences of a list of state and federal crimes
when committed in a way characteristic of the conduct of organized crime
(racketeering).103
Possible Updates
The Task Force Report recommended that Congress change RICO “to include computer fraud
within the definition of racketeering.”104 The White House Proposal would have made felony
101 These provisions, along with possible updates, are discussed under “Electronic Communications Privacy Act of
1986.”
102 There is no uniform definition of “cybercrime.” Furthermore, no definitive statistics on cybercrime appear to be
publically available. However, the public/private Internet Crime Complaint Center referred 25 times as many of the
complaints it received to law enforcement agencies in 2010 (121,710) as in 2001 (4,810) (Internet Crime Complaint
Center, 2010 Internet Crime Report, 2011, http://www.ic3.gov/media/annualreport/2010_IC3Report.pdf).
103 For details, CRS Report 96-950, RICO: A Brief Sketch, by Charles Doyle.
104 House Republican Cybersecurity Task Force, Recommendations, p. 14.
Congressional Research Service
30
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
violation of 18 U.S.C. §1030 (see “Counterfeit Access Device and Computer Fraud and Abuse
Act of 1984”) a racketeering predicate offense.
Federal Advisory Committee Act (FACA)
P.L. 93-579, 86 Stat 770.
5 U.S.C. App., §§1-16.
Major Relevant Provisions
• Specifies the circumstances under which a federal advisory committee can be
established, and its responsibilities and limitations.
• Requires that meetings of such committees be open to the public and that records
be available for public inspection.105
Possible Updates
The act has been criticized as potentially impeding the full development of public/private
partnerships in cybersecurity, particularly with respect to impeding private-sector
communications and input on policy.106 While Section 871 of the HSA provides the Secretary of
Homeland Security with the power to establish advisory committees that are exempt from the
requirements of the act, it is possible that additional exemption authority would be helpful. Any
such potential benefits might, however, need to be weighed against the impact of such authority
on the public’s ability to participate in and access the records of affected advisory committees.
The subcommittee version of H.R. 3674 would have exempted the organization created by the bill
from requirements of the act.
Privacy Act of 1974
P.L. 93-579, 88 Stat. 1896.
5 U.S.C. §552a.
Major Relevant Provisions
• Limits the disclosure of personally identifiable information (PII) held by federal
agencies.
• Requires agencies to provide access to persons with agency records containing
information on them.
• Established a code of fair information practices for collection, management, and
dissemination of records by agencies, including requirements for security and
confidentiality of records.
105 For more information, see CRS Report R40520, Federal Advisory Committees: An Overview, by Wendy Ginsberg.
106 Isabelle Abele-Wigert and Myriam Dunn, International CIIP Handbook 2006, Vol. I (Center for Security Studies,
ETH Zurich, 2006), p. 337, http://www.css.ethz.ch/publications/CIIP_HB_06_Vol.1.pdf; Brunner and Suter,
International CIIP Handbook 2008/2009, p. 456.
Congressional Research Service
31
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Possible Updates
Some observers argue that the act should be revised to clarify, in the context of cybersecurity,
what is considered PII and how it can be used, such as by explicitly permitting the sharing among
federal agencies—or with appropriate third parties such as owners and operators of critical
infrastructure—of certain information, such as a computer’s Internet (IP) address, in
examinations of threats, vulnerabilities, and attacks. The act contains some exemptions, such as
for law enforcement activities (5 U.S.C. §552a(b)(7)) and duties of the Comptroller General (5
U.S.C. §552a(b)(10)), but none relating specifically to cybersecurity. However, other observers
may argue that the provisions in the act are sufficient to permit necessary cybersecurity activities,
and that revising the act to provide additional authorities relating to cybersecurity could
compromise the protections provided by the act.107 In the 112th Congress, H.R. 1732 would have
revised the act to take changes in information technology into account, but does not specifically
address information relating to cybersecurity.
Counterfeit Access Device and Computer Fraud and Abuse Act
of 1984
P.L. 98-473, 98 Stat. 2190.
18 U.S.C. §1030.
Major Relevant Provisions
As amended,108
• Provides criminal penalties, including asset forfeiture, for unauthorized access
and wrongful use of computers and networks of the federal government or
financial institutions, or in interstate or foreign commerce or communication;
• Specifies wrongful use as obtaining protected information, damaging or
threatening to damage a computer, using the computer to commit fraud,
trafficking in stolen computer passwords, and espionage;
• Criminalized electronic trespassing on and exceeding authorized access to federal
government computers; and
• Created a statutory exemption for intelligence and law enforcement activities.109
107 For information on how they have been interpreted by the courts, see Department of Justice, “Overview of the
Privacy Act of 1974, 2010 Edition,” March 2, 2010, http://www.justice.gov/opcl/1974privacyact-overview.htm.
108 The Computer Fraud and Abuse Act of 1986 (P.L. 99-474, 100 Stat. 1213) expanded the scope of the original act.
For government computers, it criminalized electronic trespassing, exceeding authorized access, and destroying
information. It also criminalized trafficking in stolen computer passwords and created a statutory exemption for
intelligence and law enforcement activities.
109 For more information, see CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and
Abuse Statute and Related Federal Criminal Laws, by Charles Doyle.
Congressional Research Service
32
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Possible Update
The White House Proposal would add penalties for damaging certain critical infrastructure
computers, increase penalties for most violations of the act, clarify certain offenses, and modify
the act’s conspiracy and forfeiture provisions. In the 112th Congress, S. 2111, S. 2151, and S.
3342 had similar provisions. S. 890, S. 2151, S. 3342, and the White House Proposal would have
enlarged the scope of the password trafficking offense by removing the requirement that the
computer affect interstate commerce or be used by the United States. S. 1151 would also have
made several changes similar to but not as extensive as those in the Administration proposal.110
The Task Force Report recommended that the act be broadened to cover critical infrastructure
systems, and possibly all private-sector computers, with increased criminal penalties. It also
recommended that provisions should be focused narrowly enough to avoid creating unintended
liability for legitimate activities.111
Electronic Communications Privacy Act of 1986 (ECPA)
P.L. 99-508, 100 Stat. 1848.
18 U.S.C. §§2510-2522, 18 U.S.C. §§2701-2712, 18 U.S.C. §§3121-3126.112
Major Relevant Provisions
• Attempts to strike a balance between the fundamental privacy rights of citizens
and the legitimate needs of law enforcement with respect to data shared or stored
in various types of electronic and telecommunications services.113 Since the act
was passed the Internet and associated technologies have expanded
exponentially.114 The act consists of three parts:
• A revised Title III of the “Omnibus Crime Control and Safe Streets Act of
1968” (also known as “Title III” or the “Wiretap Act”)115 prohibits the
interception of wire, oral, or electronic communications unless an exception
110 See CRS Report R41941, The Obama Administration’s Cybersecurity Proposal: Criminal Provisions, by Gina
Stevens.
111 House Republican Cybersecurity Task Force, Recommendations, p. 14.
112 Prepared by Gina Stevens, Legislative Attorney (gstevens@crs.loc.gov, 7-2581).
113 100 Stat. 1848; see also House Committee on the Judiciary, “Electronic Communications Privacy Act of 1986,”
H.Rept. 99-647, 99th Cong. 2d Sess. 2, at 19 (1986).
114 House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, ECPA
Reform and the Revolution in Cloud Computing, 2010, http://judiciary.house.gov/hearings/hear_100923.html
(statement of Edward W. Felton, Professor Princeton University):
In 1986, when ECPA was passed, the Internet consisted of a few thousand computers. The network
was run by the U.S. government for research and education purposes, and commercial activity was
forbidden. There were no web pages, because the web had not been invented. Google would not be
founded for another decade. Twitter would not be founded for another two decades. Mark
Zuckerberg, who would grow up to start Facebook, was two years old. In talking about advances in
computing, people often focus on the equipment. Certainly the advances in computing equipment
since 1986 have been spectacular. Compared to the high-end supercomputers of 1986, today’s
mobile phones have more memory, more computing horsepower, and a better network connection
not to mention a vastly lower price.
115 18 U.S.C. §2510-2522.
Congressional Research Service
33
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
to the general rule applies. Unless otherwise provided, prohibits wiretapping
and electronic eavesdropping; possession of wiretapping or electronic
eavesdropping equipment; use or disclosure of information obtained through
illegal wiretapping or electronic eavesdropping; and disclosure of
information secured through court-ordered wiretapping or electronic
eavesdropping, in order to obstruct justice.116
• The Stored Communications Act (SCA)117 prohibits unlawful access to stored
communications.118
• The Pen Register and Trap and Trace statute governing the installation and
use of trap and trace devices and pen registers,119 proscribing unlawful use of
a pen register or a trap and trace device.120
• Establishes rules that law enforcement must follow before they can access data
stored by service providers. Depending on the type of customer information
involved and the type of service being provided, the authorization law
enforcement must obtain in order to require disclosure by a third party will range
from a simple subpoena to a search warrant based on probable cause.
Possible Updates
ECPA reform efforts focus on crafting a legal structure that is up-to-date, can be effectively
applied to modern technology, and that protects users’ reasonable expectations of privacy. ECPA
is viewed by many stakeholders as unwieldy, complex, and difficult for judges to apply.121 Cloud
computing122 poses particular challenges to the ECPA framework. For example, when law
enforcement officials seek data or files stored in the cloud, such as web-based e-mail applications
or online word processing services, the privacy standard that is applied is often lower than the
standard that applies when law enforcement officials seek the same data stored on an individual’s
personal or business hard drive.123
An ECPA reform advocacy coalition has advanced the following principles:
116 18 U.S.C. §2511.
117 18 U.S.C. §§2701-2712.
118 18 U.S.C. §2701.
119 18 U.S.C. §§3121-3126. A trap and trace device identifies the source of incoming calls, and a pen register indicates
the numbers called from a particular phone.
120 18 U.S.C. §3121.
121 J. Beckwith Burr, “The Electronic Communications Privacy Act of 1986: Principles for Reform,” March 30, 2010,
http://www.digitaldueprocess.org/files/DDP_Burr_Memo.pdf.
122 “Cloud computing is an emerging form of computing that relies on Internet-based services and resources to provide
computing services to customers, while freeing them from the burden and costs of maintaining the underlying
infrastructure. Examples of cloud computing include web-based e-mail applications and common business applications
that are accessed online through a browser, instead of through a local computer” (Government Accountability Office,
Information Security: Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing,
GAO-10-513, May 2010, http://www.gao.gov/new.items/d10513.pdf).
123 House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, ECPA
Reform and the Revolution in Cloud Computing (statement of Michael Hintze, Associate General Counsel, Microsoft
Corp.).
Congressional Research Service
34
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• A governmental entity may require an entity covered by ECPA (a provider of
wire or electronic communication service or a provider of remote computing
service) to disclose communications that are not readily accessible to the public,
but only with a search warrant issued based on a showing of probable cause,
regardless of the age of the communications, the means or status of their storage
or the provider’s access to or use of the communications in its normal business
operations.
• A governmental entity may access, or may require a covered entity to provide,
prospectively or retrospectively, location information regarding a mobile
communications device, but only with a warrant issued based on a showing of
probable cause.
• A governmental entity may access, or may require a covered entity to provide,
prospectively or in real time, dialed number information, e-mail to and from
information or other data currently covered by the authority for pen registers and
trap and trace devices, but only after judicial review and a court finding that the
governmental entity has made a showing at least as strong as the showing under
2703(d).
• Where the Stored Communications Act authorizes a subpoena to acquire
information, a governmental entity may use such subpoenas only for information
related to a specified account(s) or individual(s). All nonparticularized requests
must be subject to judicial approval.124
The Task Force Report recommended changes to laws governing the protection of electronic
communications to facilitate sharing of appropriate cybersecurity information, including the
development of an anonymous reporting mechanism.125
Department of Defense Appropriations Act, 1987
P.L. 99-591, 100 Stat. 3341-82, 3341-122.
10 U.S.C. §167.126
Major Relevant Provisions
• Provides specific authority to the U.S. Special Operations Command
(USSOCOM) for the conduct of direct action, strategic reconnaissance,
unconventional warfare, foreign internal defense, civil affairs, and psychological
operations; also counterterrorism, humanitarian assistance, theater search and
rescue, and such other activities as may be specified by the President or the
Secretary of Defense.
124 Digital Due Process Coalition, “Our Principles”, 2010, http://www.digitaldueprocess.org/index.cfm?objectid=
99629E40-2551-11DF-8E02000C296BA163.
125 House Republican Cybersecurity Task Force, Recommendations, p. 14. For more information on ECPA, see CRS
Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by
Gina Stevens and Charles Doyle.
126 Prepared by John Rollins, Specialist in Terrorism and National Security (jrollins@crs.loc.gov, 7-5529).
Congressional Research Service
35
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Possible Update
In addition to the authority provided under this act, Title 10 of the U.S. Code provides inherent
and specific authority to DOD to undertake the following activities:
• Section 113 provides that, subject to the direction of the President, the Secretary
of Defense has authority, direction, and control over DOD;
• Section 164 provides specific authority for combatant commanders for the
performance of missions assigned by the President or by the Secretary with the
approval of the President.
Specific authorities for combatant commanders are provided in Title 10 to use force in self-
defense and for mission accomplishment—including in the recently recognized information
operations environment. In preparing for contingencies or military operations, DOD undertakes
activities to lessen risks to U.S. interests, including discrete actions to prepare for and respond to
a cyberwarfare-related incident.127
Some military activities are conducted clandestinely to conceal the nature of the operation and
passively collect intelligence. Activities focused on influencing the governing of a foreign
country are deemed covert actions128 and may not be conducted by members of the military
absent a presidential finding and notification of the congressional intelligence committees.129
Some analysts suggest that in the cyber domain distinguishing between whether an action is or
should be considered covert or clandestine is problematic, as an attacking adversary’s intent and
location are often difficult to discern. Should this act be updated, reassessing DOD’s authorities in
light of its unique intelligence capabilities may assist in responding to and conducting offensive
cyber attacks.
High Performance Computing Act of 1991
P.L. 102-194, 105 Stat. 1594.
15 U.S.C. Chapter 81.130
Major Relevant Provisions
• Establishes a federal high-performance computing program and requires that it
address security needs.
127 CRS Report RL31787, Information Operations, Cyberwarfare, and Cybersecurity: Capabilities and Related Policy
Issues, by Catherine A. Theohary.
128 50 U.S.C. §413b(e) defines a covert action as “an activity or activities of the United States Government to influence
political, economic, or military conditions abroad, where it is intended that the role of the United States Government
will not be apparent or acknowledged publicly, but does not include … activities the primary purpose of which is to
acquire intelligence … [or] traditional military activities or routine support to such activities.”
129 For an explanation and analysis of issues relating to covert and clandestine activities see CRS Report RL33715,
Covert Action: Legislative Background and Possible Policy Questions, by Richard F. Grimmett.
130 Parts of the chapter have also been given other popular names: the Next Generation Internet Research Act of 1998
(P.L. 105-305), and the Department of Energy High-End Computing Revitalization Act of 2004.
Congressional Research Service
36
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• Requires that the program provide for interagency coordination and that an
annual report on implementation be submitted to Congress.
• Requires NIST to establish security and privacy standards in high-performance
computing for federal systems.
Possible Updates
This act established the Networking and Information Technology Research and Development
(NITRD) Program, which produces the required annual report. However, concerns have been
raised that the program does not yield sufficient strategic planning and does not sufficiently stress
cybersecurity research and development (R&D). In the 111th Congress, H.R. 2020, which passed
the House, would have addressed that concern by requiring a five-year strategic plan with three-
year reviewing cycle. It would also have added a research goal of increasing understanding “of
the scientific principles of cyber-physical systems” and improving methods for designing,
developing, and operating such systems with high reliability, safety, and security. H.R. 3834 in
the 112th Congress was similar but added provisions on cloud computing. S. 773 in the 111th
Congress would have required NIST to develop cybersecurity standards and metrics for computer
networks and user interfaces, as would S. 2105 and S. 3414 in the 112th Congress. S. 2151 and S.
3342 would have established cybersecurity, including security of supply chains, as one of the
goals for research under the act and contained a requirement similar to that of H.R. 3834 for
cyber-physical systems. H.R. 3834, S. 2151, and S. 3342 would also have made a number of
other amendments not directly related to cybersecurity.
Communications Assistance for Law Enforcement Act of 1994
(CALEA)
P.L. 103-414, 108 Stat. 4279.
47 U.S.C. §1001 et seq.131
Major Relevant Provisions
• Requires telecommunications carriers to assist law enforcement in performing
electronic surveillance on their digital networks pursuant to court orders or other
lawful authorization.
• Directs the telecommunications industry to design, develop, and deploy solutions
that meet requirements for carriers to support authorized electronic surveillance,
including unobtrusive isolation of communications and call-identifying
information for a target and provision of that information to law enforcement, in
a manner that does not compromise the privacy and security of other
communications.
131 Prepared by Patricia Moloney Figliola, Specialist in Internet and Telecommunications Policy
(pfigliola@crs.loc.gov, 7-2508).
Congressional Research Service
37
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Possible Updates
Some government and industry observers believe that CALEA should be revised to improve its
effectiveness in addressing cybersecurity concerns. Among the concerns expressed are whether
the act is the best mechanism for collecting information transmitted via the Internet, whether
reassessment is needed of which private-sector entities the act covers and which government
entities should be involved in enforcement and oversight, and what the role of industry should be
in the development of the technologies and standards used to implement the provisions of the act.
The Task Force Report recommended changes to laws governing the protection of electronic
communications to facilitate sharing of appropriate cybersecurity information, including the
development of an anonymous reporting mechanism.132
Communications Decency Act of 1996
P.L. 104-104 (Title V), 110 Stat. 133.
47 U.S.C. §§223, 230.133
Major Relevant Provisions
• Intended to regulate indecency and obscenity on telecommunications systems,
including the Internet. Although much of the law is targeted at lewd or
pornographic material, particularly when shown to children under the age of 18,
the obscenity and harassment provisions could also be interpreted as applying to
graphic, violent terrorist propaganda or incendiary language.
• Section 230(c)(1) asserts that “no provider or user of an interactive computer
service shall be treated as the publisher or speaker of any information.” This has
been interpreted to absolve Internet service providers and certain web-based
services of responsibility for third-party content residing on those networks or
websites.134
Possible Updates
Some argue that certain Internet content, such as terrorist chat rooms or propaganda websites,
presents a national security or operational threat that is not represented within the
Communications Decency Act. Further, should such material be deemed as “indecent,” the law
does not give federal agencies the authority to require that the Internet service providers hosting
the content to take it offline.
These critics maintain that the law should be revised to compel ISPs and web administrators to
dismantle sites containing information that could be used to incite harm against the United States.
A possible revision could be similar to the “take down and put back” provision in the Digital
132 House Republican Cybersecurity Task Force, Recommendations, p. 14.
133 Prepared by Catherine A. Theohary, Analyst in National Security Policy and Information Operations
(ctheohary@crs.loc.gov, 7-0844). These provisions are codified to Chapter 5 of Title 47, the “Communications Act of
1934.” Codification of the various provisions of this act is complex. See 47 U.S.C. §609 nt. for details.
134 See CRS Report R41499, The Communications Decency Act: Section 230(c)(1) and Online Intermediary Liability,
by Kathleen Ann Ruane and Julia Tamulis.
Congressional Research Service
38
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Millennium Copyright Act, 112 Stat. 2860, P.L. 105-304 which amended title 17 of the U.S. Code
to hold a service liable for publishing material that is defamatory or infringes upon a third party
copyright.
Others maintain that such a revision is counter to the spirit of free, open exchange of information
that is characterized by the Internet and may be a First Amendment violation. Some have also
expressed concerns that the intelligence value gained by preserving and monitoring the sites
outweighs the potential threat risk.
Clinger-Cohen Act (Information Technology Management Reform
Act) of 1996
P.L. 104-106 (Divisions D and E), 110 Stat. 642.
40 U.S.C. §11101 et seq.135
Major Relevant Provisions
• Gave agency heads authority to acquire IT and required them to ensure the
adequacy of agency information security policies.
• Established the position of agency Chief Information Officer (CIO), responsible
for assisting agency heads in IT acquisition and management.
• Requires the Office of Management and Budget (OMB) to oversee major
information technology (IT) acquisitions.
• Requires OMB to promulgate, in consultation with the Secretary of Homeland
Security, compulsory federal computer standards based on those developed by
the National Institute of Standards and Technology (NIST).136
• Exempts national security systems from most provisions.
Possible Update
With the increasing globalization of the IT hardware and software industries, concerns have been
growing among cybersecurity experts about potential vulnerabilities at various points along the
supply chain for IT products. H.R. 1136, introduced in the 112th Congress, would have addressed
such concerns with respect to federal acquisition of IT products and services by requiring vendors
to meet security requirements to be developed by OMB, and also requiring vulnerability
assessments by agencies.
135 Prepared by Wendy R. Ginsberg, Analyst in Government Organization and Management (wginsberg@crs.loc.gov,
7-3933), and Eric A. Fischer. The two divisions, originally known as the Federal Acquisition Reform Act and the
Information Technology Management Reform Act, were renamed as the Clinger-Cohen Act by P.L. 104-208 and
reclassified into 40 U.S.C. Subtitle III by P.L. 107-217 (see 40 U.S.C. §101 nt.).
136 The Clinger-Cohen Act originally gave this promulgation authority to the Secretary of Commerce, while providing
the President authority to disapprove or modify such standards, and gave the Secretary authority to waive the standards
in specific cases to avoid adverse financial or mission-related impacts. The “Federal Information Security Management
Act of 2002 (FISMA),” enacted as part of the Homeland Security Act, transferred that authority to OMB.
Congressional Research Service
39
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
S. 413 (similar to S. 3480 in the 111th Congress), S. 2105, S. 2151, S. 3342, S. 3414, and the
White House Proposal would have returned the authority for promulgating standards for federal
systems to the Secretary of Commerce.137 H.R. 4257, in contrast, would not have amended that
provision.
Congress and the executive branch have debated the limits of the authority and jurisdiction of
CIOs since their establishment. In the private sector, CIOs may often serve as the senior IT
decision maker. In federal agencies, in contrast, CIOs do not have budgetary control or authority
over IT resources.138 As part of a plan to reform federal IT management,139 the Obama
Administration has indicated its intention to change the role of CIOs “away from just
policymaking and infrastructure maintenance, to encompass true portfolio management for all
IT,” including information security.140 The White House Proposal does not include any provisions
related to that proposed change, but additional legislative authority may be required for such a
change to be fully implemented.
The Obama Administration also appointed a federal chief information officer and a federal chief
technology officer (CTO), positions first created in the George W. Bush Administration, where
the OMB deputy director of management also served as federal CIO. In the 111th Congress, H.R.
1910 and H.R. 5136, and H.R. 1136 in the 112th Congress, contained provisions to establish a
statutory basis for the CTO position, not, however, explicitly as amendments to the Clinger-
Cohen Act.141 Some proposals in previous Congresses would also have established the federal
CIO position in law.142
Identity Theft and Assumption Deterrence Act of 1998
P.L. 105-318, 112 Stat. 3007.
18 U.S.C. §1028.143
Major Relevant Provisions
• Made identity theft a federal crime.
137 See the discussion of FISMA, p. 43.
138 They do have authority under FISMA to ensure compliance with that law’s information security requirements (44
U.S.C. §3544). Some agency CIOs also have statutory authority in addition to that provided by Clinger-Cohen and
FISMA. For example, the CIO of the intelligence community has procurement approval authority for IT (50 U.S.C.
§403-3g), and CIOs within DOD have budgetary review authority (10 U.S.C. §2223).
139 Vivek Kundra, 25-Point Implementation Plan to Reform Federal Information Technology Management (The White
House, December 9, 2010), http://www.cio.gov/documents/25-Point-Implementation-Plan-to-Reform-
Federal%20IT.pdf.
140 Jacob J. Lew, “Chief Information Officer Authorities,” Memorandum for the Heads of Executive Departments and
Agencies, M-11-29, August 8, 2011, pp. 1–2, http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/
m11-29.pdf.
141 See CRS Report R40150, A Federal Chief Technology Officer in the Obama Administration: Options and Issues for
Consideration, by John F. Sargent Jr.
142 See, for example, CRS Report RL30914, Federal Chief Information Officer (CIO): Opportunities and Challenges,
by Jeffrey W. Seifert.
143 Prepared by Kristin M. Finklea, Coordinator, Analyst in Domestic Security (kfinklea@crs.loc.gov, 7-6259). See 18
U.S.C. §1001 nt. for classification details.
Congressional Research Service
40
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• Provided penalties for individuals who either committed or attempted to commit
identity theft.
• Provided for forfeiture of property used or intended to be used in the fraud.
• Directed the Federal Trade Commission (FTC) to record complaints of identity
theft, provide victims with informational materials, and refer complaints to the
appropriate consumer reporting and law enforcement agencies.144
Possible Updates
See “Identity Theft Penalty Enhancement Act” below.
Homeland Security Act of 2002 (HSA)
P.L. 107-296 (Titles II and III), 116 Stat. 2135.
6 U.S.C. §§121-195c, 441-444, and 481-486.145
Major Relevant Provisions
• Transferred some functions relating to the protection of information
infrastructure from other agencies to the Department of Homeland Security
(DHS).146
• Requires DHS to provide state and local governments and private entities with
threat and vulnerability information, crisis-management support, and technical
assistance relating to recovery plans for critical information systems.
• Permits the Secretary of Homeland Security to designate qualified technologies
as subject to certain protections from liability in claims relating to their use in
response to an act of terrorism.147
• Established mechanisms to facilitate information sharing among federal agencies
and appropriate nonfederal government and critical-infrastructure personnel.148
• Authorized DHS to establish a system of volunteer experts (“Net Guard”) to
assist local communities in responding to attacks on information and
communications systems.
144 The FTC now records consumer complaint data and reports it in the Identity Theft Data Clearinghouse (Federal
Trade Commission, “Reference Desk,” Fighting Back Against Identity Theft, December 22, 2010, http://www.ftc.gov/
bcp/edu/microsites/idtheft/reference-desk/index.html); identity theft complaint data are available for 2000 and forward.
145 For classification details, see 6 U.S.C. §101 nt.
146 In particular, the act transferred to DHS the Federal Computer Incident Response Center, which had resided in the
General Services Administration (GSA). In 2006, P.L. 109-295, The Department of Homeland Security Appropriations
Act, 2007, established the position of Assistant Secretary for Cybersecurity and Communications (6 U.S.C. §321)
within DHS but did not specify duties or responsibilities.
147 This set of provisions (Subtitle G of Title VIII, 6 U.S.C. §441-444) is called the SAFETY Act.
148 This set of provisions (Subtitle I of Title VIII, 6 U.S.C. §481-486) is called the Homeland Security Information
Sharing Act. Section 486 was added by P.L. 109-90 and provides some liability protections relating to actions
involving information sharing and analysis centers.
Congressional Research Service
41
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• Strengthened some criminal penalties relating to cybercrime.
• Created the Directorate of Science and Technology within DHS and assigned it
broad R&D responsibilities, although responsibilities relating to cybersecurity
R&D were not specifically described.
Possible Updates
Various concerns have been raised about the ways in which the act addressed cybersecurity, and a
number of proposals have been made since its enactment to enhance the cybersecurity provisions.
In the 111th Congress, the most comprehensive legislative proposal was in S. 3480, which was
reported out of the Senate Committee on Homeland Security and Governmental Affairs in the
111th Congress, and reintroduced in the 112th Congress as S. 413 with minor modifications. It
would have added provisions on cybersecurity that would have
• established a center for cybersecurity and communications within DHS;
• required coordination with the DHS Office of Infrastructure Protection and
sector-specific agencies;
• established the United States Computer Emergency Readiness Team (US-CERT)
within the center;
• stipulated information-sharing procedures for federal agencies and other entities;
• established a program within the center to provide assistance to the private
sector;
• required the center to identify cyber vulnerabilities to critical infrastructure and
establish requirements to address them;
• established procedures for response to imminent cyber threats to critical
infrastructure,149 enforcement of requirements, and protection of information; and
• required a risk-management strategy for security of the supply chain.
It would have established a cybersecurity R&D program in DHS and required coordination of
those activities with other agencies and private entities. It would also have established a
public/private-sector cybersecurity advisory council.
The White House Proposal would also have substantially enhanced DHS authority relating to
cybersecurity. The proposal differed in several ways from the approach taken by S. 413. Among
other differences, it would have provided enhanced authority to the DHS Secretary that S. 413
provided directly to a new center within the department. However, the White House Proposal
would have required the Secretary to establish a center with cybersecurity responsibilities for
federal and critical infrastructure systems.150 It also did not codify the establishment of US-CERT,
unlike S. 413, and did not provide the President with the authority to implement emergency
actions in response to an imminent risk to critical infrastructure. It did, however, provide the DHS
149 See also “Communications Act of 1934” above.
150 This center would presumably replace the federal incident center currently required under 44 U.S.C. 3546. The
revision of the Federal Information Security Management Act of 2002 (FISMA) in the White House Proposal does not
include the latter center.
Congressional Research Service
42
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Secretary with authority to direct responses of federal agencies to cybersecurity threats or
incidents.
S. 2105 and S. 3414 contained elements of both the White House Proposal and S. 413. They
would have established a new center, with new authorities, but omitted the provision in S. 413
establishing US-CERT by law, as well as the provision on presidential emergency powers. S.
2105 and S. 3414 would have required the Science and Technology Directorate of DHS to
establish a cybersecurity R&D plan. S. 1546 would also have required departmental cybersecurity
research.
H.R. 3674, as reported to the House, would have provided additional responsibilities and
authorities to DHS for the protection of federal information systems. It would have provided for
information sharing with federal and nonfederal entities, cybersecurity research and development
(R&D), and recruitment and retention of cybersecurity personnel. To facilitate information
sharing and technical assistance, it would have created a center within DHS that would have
included a private-sector board of advisors. Unlike the bill as introduced, it did not include a
nongovernmental clearinghouse for sharing cybersecurity information between the private sector
and the federal government that was recommended by the Task Force Report. H.R. 3674 would
also have required DHS to perform cybersecurity R&D, to include testing, evaluation, and
technology transfer.
Some other bills in the 111th Congress would also have revised the act. H.R. 6423, reintroduced as
H.R. 174 in the 112th Congress, would establish a new office to develop, oversee, and enforce
cybersecurity compliance for critical infrastructure sectors. H.R. 266, reintroduced as H.R. 76,
would add a cybersecurity fellowship program for nonfederal officials to familiarize them with
DHS cybersecurity activities. H.R. 4507 and H.R. 4842 would have added a cybersecurity
training initiative for first responders and others. H.R. 2868 and S. 3599 would have added
chemical-facility security measures, including cybersecurity, to the act.
See also “Information Sharing.”
Federal Information Security Management Act of 2002 (FISMA)
P.L. 107-296 (Title X), 116 Stat. 2259.
P.L. 107-347 (Title III), 116 Stat. 2946.
44 U.S.C. Chapter 35, Subchapters II and III, [40 U.S.C. 11331, 15 U.S.C. 278g-3 & 4].151
Major Relevant Provisions
FISMA created a security framework for federal information systems, with an emphasis on risk
management, and gave specific responsibilities to the Office of Management and Budget (OMB),
the National Institute of Standards and Technology (NIST), and the heads, chief information
151 FISMA was originally enacted as part of the Homeland Security Act of 2002, replacing provisions enacted by the
Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001 (P.L. 106-398, Title X, Subtitle G), enacted
in 2000 but with a 2002 sunset. FISMA was reenacted in the same Congress by the E-government Act. Subchapter II is
not in effect. The title 40 provision was originally enacted as part of the Clinger-Cohen Act (see p. 39), and the title 15
provisions are part of the NIST Act (see p. 23). See footnote 153 for more detail.
Congressional Research Service
43
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
officers (CIOs), chief information security officers (CISOs), and inspector generals (IGs) of
federal agencies.152
• Required executive agencies to inventory major computer systems, identify and
provide appropriate security protections, and develop, document, and implement
agency-wide information security programs.
• Gave OMB responsibility for overseeing federal information-security policy and
evaluating agency information-security programs, but exempted national security
systems, except with respect to enforcement of accountability for meeting
requirements and reporting to Congress.
• Revised the responsibilities of the Secretary of Commerce and NIST for
information-system standards and transferred responsibility for promulgation of
those standards from the Secretary of Commerce to OMB.153
• Required that NIST cybersecurity standards be complementary with those
developed for national security systems, to the extent feasible.
• Required heads of federal agencies to provide security protections commensurate
with risk and to comply with applicable security standards. Specifically required
agencies using national security systems to provide security protections
commensurate with risk and in compliance with standards for such systems.
• Required senior agency officials to perform risk assessments, to determine and
implement necessary security controls in a cost-effective manner, and to evaluate
those controls periodically.
• Designated specific information-security responsibilities for agencies’ chief
information security officers, including agency-wide information-security
programs, policies, and procedures, and training of security and other personnel.
• Required designation of an information-security officer in each agency, security
awareness training, processes for remedial action to address deficiencies, and
procedures for handling security incidents and ensuring continuity of operations.
152 For a more detailed description, see, for example, Government Accountability Office, Information Security:
Weaknesses Continue Amid New Federal Efforts to Implement Requirements, GAO-12-137, October 2011,
http://www.gao.gov/new.items/d12137.pdf.
153 The standards-promulgation authority had been granted to the Secretary of Commerce under the Clinger-Cohen Act
of 1996 (P.L. 104-106) but was transferred to the Director of OMB by the FISMA title in the HSA in 2002 (P.L. 107-
296, Section 1002, 40 U.S.C. 11331). The version currently in effect (44 U.S.C. Chapter 35, Subchapter III) was
enacted by the FISMA title in the E-Government Act of 2002 (P.L. 107-347, Title III), which suspended Subchapter II,
which had been revised by the HSA. That is not the case for 40 U.S.C. 11331, for which the P.L. 107-347 version
would have retained the authority of the Secretary of Commerce to promulgate those standards as established in the
Clinger-Cohen Act of 1996 (see p. 39), even though the E-Government Act was enacted after the HSA. Similarly, the
revision to the NIST Act at 15 U.S.C. 278g-3 & 4 is that made by the HSA. The reason for this potentially confusing
difference appears to be that (1) the effective date of HSA was later than that of the E-Government Act, and (2) HSA
amended the existing subchapter II of 44 U.S.C. Chapter 35; the E-Government Act explicitly suspended that
subchapter. In contrast, the revisions both laws made to the Paperwork Reduction Act, adding a subsection (c) to 44
U.S.C. §3505 (requiring inventories of federal information systems) were codified. However, in a signing statement for
the E-Government Act, President George W. Bush stated that the Administration would interpret the act as permanently
superseding HSA “in those instances where both Acts prescribe different amendments to the same provisions of the
United States Code” (President George W. Bush, “About E-Gov: Presidential Statement,” December 17, 2002,
http://georgewbush-whitehouse.archives.gov/omb/egov/g-3-statement.html). Such ambiguities in interpretation would
presumably be resolved if FISMA is revised.
Congressional Research Service
44
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
• Required annual agency reports to Congress, performance plans, and independent
evaluations of information security.
• Established a central federal incident center, overseen by OMB, to analyze
incidents and provide technical assistance relating to them, to inform agency
operators about current and potential threats and vulnerabilities, and to consult
with NIST, NSA, and other appropriate agencies about incidents.
• Gave responsibility for protection of mission-crucial systems in DOD and the
CIA to the Secretary of Defense and the DCI, respectively, and required the
Secretary of Defense to include compliance with the provisions above in
developing program strategies for the Defense Information Assurance Program
(10 U.S.C. §2224).
Possible Updates
A commonly expressed concern about FISMA is that it is awkward and inefficient in providing
adequate cybersecurity to government IT systems. The causes cited have varied but common
themes have included inadequate resources, a focus on procedure and reporting rather than
operational security, lack of widely accepted cybersecurity metrics, variations in agency
interpretation of the mandates in the act, excessive focus on individual information systems as
opposed to the agency’s overall information architecture, and insufficient means to enforce
compliance both within and across agencies.154 Several legislative proposals in the 111th and 112th
Congresses included major revisions to the act. The proposals varied in detail, with several
notable provisions in some:
• Creation of a White House office with responsibility for cybersecurity;
• Transfer of responsibilities from OMB to the Secretary of Homeland Security or
the Secretary of Commerce;
• Revisions to agency responsibilities under the act, including continuous
monitoring, use of metrics, and emphasis on risk-based rather than minimum
security measures;
• Changes in reporting requirements;
• Specification of cybersecurity requirements for acquisitions and the IT supply
chain; and
• Establishment of mechanisms for interagency collaboration on cybersecurity.
154 See, for example, S.Rept. 111-368, and House Subcommittee on Government Management, Organization, and
Procurement, The State of Federal Information Security, Committee on Oversight and Government Reform
(Washington, DC: U.S. Government Printing Office, 2009), http://www.gpo.gov/fdsys/pkg/CHRG-111hhrg57125/pdf/
CHRG-111hhrg57125.pdf. OMB has recently attempted to address some of the operational issues administratively by
delegating some responsibilities to DHS (Orszag and Schmidt, “Clarifying Cybersecurity Responsibilities and
Activities of the Executive Office of the President and the Department of Homeland Security (DHS)”). Weaknesses in
FISMA implementation have been cited repeatedly by GAO in reports required by the act (see, for example,
Government Accountability Office, Information Security: Weaknesses Continue Amid New Federal Efforts to
Implement Requirements).
Congressional Research Service
45
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
In the 111th Congress, H.R. 5136 passed in the House,155 and S. 3480 was reported out of the
Senate Homeland Security and Governmental Affairs Committee.
In the 112th Congress, the Task Force Report recommended an increased focus on monitoring,
support for DHS authority, and taking new and emerging technologies, such as cloud computing,
into account.156 H.R. 1136 would have made many changes similar to those in H.R. 5136 in the
111th Congress, transferring responsibility to a new White House Office for Cyberspace created
by the bill. H.R. 4257, in contrast, retained the current role of the OMB Director. H.R. 4257
passed the House under suspension of the rules in April 2012.
S. 413 would have made changes similar to those in S. 3480 in the previous Congress,
transferring responsibility for federal information security policy from the Director of OMB to
the Director of a new DHS center that the bill would establish. The White House Proposal was
broadly similar to congressional proposals in many details. However, it would not have created a
White House cybersecurity office and would have transferred responsibilities to the DHS
Secretary rather than to a new cybersecurity center within DHS. S. 2105 and S. 3414 included a
similar approach. S. 2151 and S. 3342, in contrast, would have transferred responsibilities from
OMB to the Secretary of Commerce.
S. 1535 would have required that agency information security programs assess the practices of
contractors and third parties with respect to sensitive personally identifiable information as
defined in the bill and ensure that any deficiencies are remediated.
See also “FISMA Reform.”
Terrorism Risk Insurance Act of 2002
P.L. 107-297, 116 Stat. 2322.
15 U.S.C. §6701 nt.157
Major Relevant Provisions
• Provides federal cost-sharing subsidies for insured losses resulting from acts of
terrorism.
Possible Updates
The act is intended to provide incentives for the development of insurance coverage for losses
from acts of terrorism. Losses from cyber attacks are not specifically included, and some
observers have raised concerns about whether some modification of the act would be
appropriate.158
155 The bill included provisions from H.R. 4900, which was ordered reported by the House Oversight and Government
Reform Committee.
156 House Republican Cybersecurity Task Force, Recommendations, p. 13.
157 The original act was amended by P.L. 109-144, the Terrorism Risk Extension Act of 1995, and P.L. 110-160, the
Terrorism Risk Insurance Program Reauthorization Act of 2007. For classification details, see 15 U.S.C. 6701 nt.
158 See, for example, Karen C. Yotis, “TRIA and the Perils of Terrorism Insurance,” Viewpoint, Summer 2007,
(continued...)
Congressional Research Service
46
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Cyber Security Research and Development Act, 2002
P.L. 107-305, 116 Stat. 2367,
15 U.S.C. [§§278g,h], §7401 et seq.159
Major Relevant Provisions
• Requires the National Science Foundation (NSF) to award grants for basic
research to enhance computer security and for improving undergraduate and
master’s degree programs, doctoral research, and faculty development programs
in computer and network security; and to establish multidisciplinary centers for
research on computer and network security.
• Requires NIST to establish programs to award postdoctoral and senior research
fellowships in cybersecurity and to assist institutions of higher learning that
partner with for-profit entities to perform cybersecurity research; to perform
intramural specified cybersecurity research; and to develop a checklist of security
settings for federal computer hardware and software for voluntary use by federal
agencies.
Possible Updates
A commonly expressed concern about federal research and development (R&D) relating to
cybersecurity has been that it is insufficiently coordinated and prioritized, and focuses too little
on understanding of fundamental principles and using them to develop transformational
technologies. The George W. Bush Administration attempted to address the latter gap through the
“leap-ahead” technology component of the Comprehensive Cybersecurity Initiative.160 The
Obama Administration’s policy review161 also called for expanded, transformational research.
Concerns have also been raised about the need to improve the process by which NIST creates
checklists and other guidance and technical standards for federal IT systems.162
H.R. 4061 in the 111th Congress would have addressed those concerns by revising the act. A
similar bill in the 112th Congress, H.R. 2096, would, as amended, have expanded NSF R&D
programs in cybersecurity, and required NIST to develop automated security specifications for its
cybersecurity standards, checklists, and associated data. S. 2105, S. 2151, S. 3342, and S. 3414
would also have expanded cybersecurity topics addressed by NSF.
(...continued)
http://www.aaisonline.com/viewpoint/07sum6.html.
159 15 U.S.C. §§278g,h are part of the NIST Act (see p. 23).
160 See, for example, NITRD, “About the NITRD Program: National Cyber Leap Year”, July 22, 2009,
http://www.nitrd.gov/leapyear/index.aspx.
161 The White House, Cyberspace Policy Review.
162 See, for example, H.Rept. 111-405, CSIS Commission on Cybersecurity for the 44th Presidency, A Human Capital
Crisis in Cybersecurity, July 2010, http://csis.org/files/publication/
100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf.
Congressional Research Service
47
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
E-Government Act of 2002
P.L. 107-347, 116 Stat. 2899.
5 U.S.C. Chapter 37, 44 U.S.C. 3501 nt., 44 U.S.C. Chapter 35, Subchapter 2, and Chapter 36.
Major Relevant Provisions
Serves as the primary legislative vehicle to guide federal IT management and initiatives to make
information and services available online. Significant provisions include the following:
• Established the Office of Electronic Government within OMB, to be headed by
an administrator with a range of IT management responsibilities, including
cybersecurity.
• Established the interagency CIO (Chief Information Officer) Council and
specified working with the National Institute of Standards and Technology
(NIST) on security standards as one of its functions.
• Assigned agency CIOs responsibility for monitoring implementation of federal
cybersecurity standards in their agencies.
• Contains various other requirements for security and protection of confidential
information, including electronic authentication and privacy guidelines.
• Established a five-year personnel exchange program between federal agencies
and private sector organizations to help agencies fill IT management training
needs.
• Also included the “Federal Information Security Management Act of 2002
(FISMA).”
Possible Update
The White House Proposal would have renewed the personnel exchange program, which
terminated at the end of 2007, and remove the current restriction in eligibility to management
personnel. While this program would be applicable to any subdiscipline of IT, a widely held
belief at present is that gaps in cybersecurity expertise are of particular concern. S. 1732 would
have revised the privacy provisions to account for the increased commercial availability of
personally identifiable information, which the bill defined broadly.163 It would also have required
agencies to designate chief privacy officers and created a council of them, and broadened OMB’s
privacy responsibilities.
163 It would include “any information about an individual maintained by an agency.”
Congressional Research Service
48
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Identity Theft Penalty Enhancement Act
P.L. 108-275, 118 Stat. 831.
18 U.S.C. §§1028, 1028A.164
Major Relevant Provisions
• Established penalties for aggravated identity theft, in which a convicted
perpetrator could receive additional penalties (two to five years’ imprisonment)
for identity theft committed in relation to other federal crimes.165
Possible Updates
While the number of reported incidents of identity theft fell in 2010, identity theft has generally
been the fastest growing type of fraud in the United States over the past decade.166 FTC complaint
data indicate that the most common fraud complaint received (19% of all consumer fraud
complaints in 2010) has remained that of identity theft.167 In 2010, for instance, about 8.1 million
Americans were reportedly victims of identity theft. This is a decrease of about 28% from the
approximately 11.1 million who were victimized in 2009.168 Javelin Strategy and Research
estimates that identity theft cost consumers about $37 billion in 2010.
The most recent congressional action taken to enhance the identity theft laws was through the
Identity Theft Enforcement and Restitution Act of 2008 (Title II of P.L. 110-326). Among other
elements, several of which were recommended by a presidential task force in 2007,169 the act
authorized restitution to identity theft victims for their time spent recovering from the harm
caused by the actual or intended identity theft. Legislation has not yet, however, adopted
recommendations of the task force to
• amend the identity theft and aggravated identity theft statutes so that thieves who
misappropriate the identities of corporations and organizations—and not just the
identities of individuals—can be prosecuted,170 and
• amend the aggravated identity theft statute by adding new crimes as predicate
offenses171 for aggravated identity theft violations.172
164 Prepared by Kristin M. Finklea, Analyst in Domestic Security (kfinklea@crs.loc.gov, 7-6259). For classification
details, see 18 U.S.C. §1028 nt.
165 Examples of such federal crimes include theft of public property, theft by a bank officer or employee, theft from
employee benefit plans, false statements regarding Social Security and Medicare benefits, several fraud and
immigration offenses, and specified felony violations pertaining to terrorist acts.
166 For more information on identity theft, see CRS Report R40599, Identity Theft: Trends and Issues, by Kristin M.
Finklea.
167 Federal Trade Commission, Consumer Sentinel Network Data Book for January–December, 2010, March 2010,
http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2010.pdf.
168 Javelin Strategy & Research, 2011 Identity Fraud Survey Report: Consumer Version, February 2011, p. 5 (available
at https://www.javelinstrategy.com/brochure/207).
169 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 2007,
http://www.identitytheft.gov/reports/StrategicPlan.pdf.
170 This would involve revision of 18 U.S.C. §§1028 and 1028A.
171 A predicate offense can be described as a crime that is a component of a more serious offense. For example, in the
(continued...)
Congressional Research Service
49
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
The task force recommended that Congress clarify the identity theft and aggravated identity theft
statutes to cover both individuals and organizations targeted by identity thieves because the range
of potential victims includes not only individuals but organizations as well. The task force cites
“phishing” as a means by which identity thieves assume the identity of a corporation or
organization in order to solicit personally identifiable information from individuals.173
In part because identity theft is a facilitating crime, and the criminal act of stealing someone’s
identity often does not end there, investigating and prosecuting identity theft often involves
investigating and prosecuting a number of related crimes. In light of this interconnectivity, the
task force recommended expanding the list of predicate offenses for aggravated identity theft. The
task force specifically suggested adding identity theft-related crimes such as mail theft,174
counterfeit securities,175 and tax fraud.176
The Task Force Report also recommended requiring restitution for victims of identity theft and
computer fraud.177 At present, the statute authorizes restitution but does not require it.
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)
P.L. 108-458, 118 Stat. 3638.
42 U.S.C. §2000ee, 50 U.S.C. §403-1 et seq., §403-3 et seq., §404o et. seq.178
Major Relevant Provisions
• Established the position of the Director of National Intelligence.
• Establishes mission responsibilities for some entities in the intelligence,
homeland security, and national security communities.
• Discusses issues related to the collection, analysis, and sharing of security-related
information.
• Establishes a Privacy and Civil Liberties Board within the Executive Office of
the President.
Possible Updates
The act does not contain a single reference to cyber, cybersecurity, or related activities. Its stated
purpose is to “reform the intelligence community and the intelligence and intelligence-related
(...continued)
case of money laundering, the crime that produces the funds that are to be laundered is the predicate offense.
172 This would involve revision of 18 U.S.C. §1028A.
173 The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, pp. 91 – 92.
174 18 U.S.C. §1708.
175 18 U.S.C. §513.
176 26 U.S.C. §7201, 7206-7207.
177 House Republican Cybersecurity Task Force, Recommendations, p. 14.
178 Prepared by John Rollins, Specialist in Terrorism and National Security (jrollins@crs.loc.gov, 7-5529).
Classification of this act is complex. For details, see 50 U.S.C. §401 nt.
Congressional Research Service
50
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
activities of the United States Government, and for other purposes.” The act contains findings and
recommendations offered in the 9/11 Commission Report179 and other assessments that address
national and homeland security shortcomings associated with the terrorist attacks of September
11, 2001.
Numerous organizations, programs, and activities in the act currently address cybersecurity-
related issues. IRPTA addresses many types of risks to the nation and threats emanating from
man-made and naturally occurring events. The broad themes of the act could be categorized as
how the federal government identifies, assesses, defeats, responds to, and recovers from current
and emerging threats. The act might be updated to incorporate cybersecurity-related issues.
However, any such update could affect numerous organizations and activities.180
179 National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report, July 22, 2004,
http://www.9-11commission.gov/report/911Report.pdf.
180 For more information on threats, responses, and issues associated with cyberterrorism, see CRS Report R41674,
Terrorist Use of the Internet: Information Operations in Cyberspace, by Catherine A. Theohary and John Rollins.
Congressional Research Service
51
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
Table 2. Laws Identified as Having Relevant Cybersecurity Provisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
6/18/1878
Posse Comitatus Act
Ch.
20 Stat. 18 U.S.C.
Restricts the use of military
RS20590
(p. 21)
263
152
§1385
forces in civilian law
enforcement within the United
States. May prevent assistance
to civil agencies that lack DOD
expertise and capabilities.
7/2/1890
Antitrust Laws:
and later
(p. 22)
Sherman Antitrust
Ch.
26 Stat. 15 U.S.C.
“Antitrust laws” generally
Act,
647
209
§§1-7
means the three laws listed in
Wilson Tariff Act
Ch.
28 Stat. 15 U.S.C.
15 U.S.C. §12(a) and §5 of the
349,
570
§§8-11
FTC Act, which forbid
Clayton Act
§73
combinations or agreements
§5 of the Federal
P.L.
38 Stat. 15 U.S.C.
that unreasonably restrain
Trade Commission
63-
730
§§12-27
trade. May create barriers to
(FTC) Act
212
38 Stat. 15 U.S.C.
sharing of information or
Ch,
719
§45(a)
col aboration to enhance
311,
cybersecurity among private
§5
sector entities.
3/3/1901
National Institute of
Ch.
31 Stat. 15 U.S.C.
The original act gave the
Standards and
872
1449
§271 et seq.
agency responsibilities relating
Technology (NIST) Act
to technical standards. Later
(p. 24)
amendments established a
computer standards program
and specified research topics,
among them computer and
telecommunication systems,
including information security
and control systems.
8/13/1912
Radio Act of 1912
Ch.
37 Stat.
Established a radio licensing
287
302
regime and regulated private
radio communications, creating
a precedent for wireless
regulation.
Repealed by the Radio Act of
1927.
6/10/1920
Federal Power Act
Ch.
41 Stat. 16 U.S.C.
Established the Federal Energy
R41886
(p. 24)
285
1063
§791a et
Regulatory Commission
seq., §824
(FERC) and gave it regulatory
et seq.
authority over interstate sale
and transmission of electric
power. The move toward a
national smart grid is raising
concerns about vulnerability to
cyber attack.
Congressional Research Service
52
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
2/23/1927
Radio Act of 1927
Ch.
44 Stat.
Created the Federal Radio
169
1162
Commission as an independent
agency (predecessor of the
FCC) and outlawed
interception and divulging
private radio messages.
Repealed by the
Communications Act of 1934
(see p. 25).
6/19/1934
Communications Act
Ch.
48 Stat. 47 U.S.C.
Established the Federal
RL32589
of 1934 (p.25 )
652
1064
§151 et seq.
Communications Commission
RL34693
(FCC) and gave it regulatory
authority over both domestic
and international commercial
wired and wireless
communications. Provides the
President with emergency
powers over communications
stations and devices. Governs
protection by cable operators
of information about
subscribers.
7/26/1947
National Security Act
Ch.
61 Stat. 50 U.S.C.
Provided the basis for the
of 1947 (p. 26)
343
495
§401 et seq.
modern organization of U.S.
defense and national security
by reorganizing military and
intelligence functions in the
federal government. Created
the National Security Council,
the Central Intelligence
Agency, and the position of
Secretary of Defense.
Established procedures for
access to classified information.
1/27/1948
US Information and
Ch.
62 Stat. 22 U.S.C.
Restricts the State Department R41674
Educational Exchange
36
6
§1431 et
from disseminating public
Act of 1948
seq.
diplomacy information
(Smith-Mundt Act)
domestically and limits its
(p. 26)
authority to communicate with
the American public in general.
Has been interpreted by some
to prohibit the military from
conducting cyberspace
information operations, some
of which could be considered
propaganda that could reach
U.S. citizens, since the
government does not restrict
Internet access according to
territorial boundaries.
Congressional Research Service
53
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
9/8/1950 Defense
Production
Ch.
64 Stat. 50 U.S.C.
Codifies a robust legal
RS20587
Act of 1950
932
798
App. §2061
authority given the President
RL31133
et seq.
to force industry to give
priority to national security
production and ensure the
survival of security-critical
domestic production capacities.
It is also the statutory
underpinning of governmental
review of foreign investment in
U.S. companies.
8/1/1956
State Department
P.L.
70 Stat. 22 U.S.C.
Specifies the organization of
R40989
Basic Authorities Act
84-
890
§2651a
the Department of State,
of 1956 (p. 28)
885
including the positions of
coordinator for
counterterrorism. As the
Internet becomes increasingly
international, concerns have
been raised about the
development and coordination
of international efforts in
cybersecurity by the United
States.
10/30/1965 Brooks
Automatic P.L.
79 Stat.
Gave GSA authority over
Data Processing Act 89-
1127
acquisition of automatic data
306
processing equipment by
federal agencies, and gave NIST
responsibilities for developing
standards and guidelines
relating to automatic data
processing and federal
computer systems.
Repealed by the Clinger-Cohen
Act of 1996 (see p. 39).
7/4/1966
Freedom of
P.L.
80 Stat. 5 U.S.C.
Enables anyone to access
R41406
Information Act
89-
250
§552
agency records except those
R41933
(FOIA) (p. 28)
487
falling into nine categories of
exemption, among them
classified documents, those
exempted by specific statutes,
and trade secrets or other
confidential commercial or
financial information.
6/19/1968
Omnibus Crime
P.L.
82 Stat. 42 U.S.C.
Title I established federal grant
Control and Safe
90-
197
Chapter 46,
programs and other forms of
Streets Act of 1968
351
§§3701 to
assistance to state and local law
(p. 30)
3797ee-1
enforcement.
Title III is a comprehensive
wiretapping and electronic
eavesdropping statute that not
only outlawed both activities in
general terms but that also
permitted federal and state law
enforcement officers to use
them under strict limitations.
Congressional Research Service
54
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
10/15/1970 Racketeer Influenced
P.L.
84 Stat. 18 U.S.C.
Enlarges the civil and criminal
96-950
and Corrupt
91-
941
Chapter 96,
consequences of a list of state
Organizations Act
452
§§1961-
and federal crimes when
(RICO) (p. 30)
1968
committed in a way
characteristic of the conduct of
organized crime (racketeering).
10/6/1972
Federal Advisory
P.L.
86 Stat
5 U.S.C.
Specifies conditions for
R40520
Committee Act
92-
770
App., §§1-
establishing a federal advisory
(p. 31)
463
16
committee and its
responsibilities and limitations.
Requires open, public meetings
and that records be available
for public inspection. Has been
criticized as potentially
impeding the development of
public/private partnerships in
cybersecurity, particularly
private-sector communications
and input on policy.
11/7/1973 War
Powers
P.L.
87 Stat. 50 U.S.C.
Establishes procedures to
R41199
Resolution
93-
555
Chapter 33,
circumscribe presidential
R41989
148
§§1541-
authority to use armed forces
1548.
in potential or actual hostilities
without congressional
authorization.
12/31/1974 Privacy Act of 1974
P.L.
88 Stat. 5 U.S.C.
Limits the disclosure of
(p. 31)
93-
1896
§552a
personally identifiable
579
information (PII) held by
federal agencies. Established a
code of fair information
practices for col ection,
management, and dissemination
of records by agencies,
including requirements for
security and confidentiality of
records.
10/25/1978 Foreign
Intelligence P.L.
92 Stat. 18 U.S.C.
In foreign intelligence
98-326
Surveillance Act of
95-
1783
§§2511,
investigations, provides a
R40138
1978 (FISA)
511
2518-9,
statutory framework for
50 U.S.C.
federal agencies to obtain
Chapter 36,
authorization to conduct
§§1801-
electronic surveillance, utilize
1885c
pen registers and trap and
trace devices, or access
specified records.
10/13/1980 Privacy
Protection P.L.
94 Stat. 42 U.S.C.
Protects journalists from being
Act of 1980
96-
1879
Chapter
required to turn over to law
440
21A,
enforcement any work product
§§2000aa-5
and documentary materials,
to 2000aa-
including sources, before
12
dissemination to the public.
Congressional Research Service
55
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
10/12/1984 Counterfeit Access
P.L.
98 Stat. 18 U.S.C.
Provided criminal penalties for
97-1025
Device and Computer
98-
2190
§1030
unauthorized access and use of
Fraud and Abuse Act
473
computers and networks. Part
of 1984 (p. 32)
of the Comprehensive Crime
Control Act of 1984.
10/16/1986 Computer
Fraud
P.L.
100
18 U.S.C.
Expanded the scope of the
and Abuse Act of
99-
Stat.
§1030
Counterfeit Access Device and
1986
474
1213
Computer Fraud and Abuse
Act of 1984. For government
computers, criminalized
electronic trespassing,
exceeding authorized access,
and destroying information;
also criminalized trafficking in
stolen computer passwords.
Created a statutory exemption
for intelligence and law
enforcement activities.
10/21/1986 Electronic
P.L.
100
18 U.S.C.
Attempts to strike a balance
R41733
Communications
99-
Stat.
§§2510-
between privacy rights and the
R41756
Privacy Act of 1986
508
1848
2522, 2701-
needs of law enforcement with
RL34693
(ECPA) (p. 33)
2712, 3121-
respect to data shared or
3126
stored by electronic and
telecommunications services.
Unless otherwise provided,
prohibits the interception of or
access to stored oral or
electronic communications, use
or disclosure of information so
obtained, or possession of
electronic eavesdropping
equipment.
10/30/1986 Department of
P.L.
100
10 U.S.C.
Established unified combatant
Defense
99-
Stat.
§167
command for special
Appropriations Act,
591
3341-
operations forces, including the
1987 (p. 35)
82,
U.S. Strategic Command, under
3341-
which the U.S. Cyber
122
Command was organized.
1/8/1988 Computer
Security P.L.
101
15 U.S.C.
Required NIST to develop and
Act of 1987
100-
Stat.
§§272,
the Secretary of Commerce to
235
1724
278g-3,
promulgate security standards
278g-4,
and guidelines for federal
278h
computer systems except
national security systems. Also
required agency planning and
training in computer security
(this provision was superseded
by FISMA—see p. 43).
10/18/1988 Computer
Matching P.L.
102
5 U.S.C.
Amended the Privacy Act (see
and Privacy
100-
Stat.
§552a
p. 31), establishing procedural
Protection Act of
503
2507
safeguards for use of computer
1988
matching on records covered
by the act.
Congressional Research Service
56
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
12/9/1991
High Performance
P.L.
105
15 U.S.C.
Established a federal high-
RL33586
Computing Act of
102-
Stat.
Chapter 81
performance computing
1991 (p. 35)
194
1594
program and requires that it
address security needs and
provide for interagency
coordination.
10/25/1994 Communications
P.L.
108
47 U.S.C.
Requires telecommunications
RL30677
Assistance for Law
103-
Stat.
§1001 et
carriers to assist law
Enforcement Act
414
4279
seq.
enforcement in performing
(CALEA) of 1994
electronic surveillance and
(p. 37)
directs the telecommunications
industry to design, develop, and
deploy solutions that meet
requirements for carriers to
support authorized electronic
surveillance.
5/25/1995 Paperwork
P.L.
109
44 U.S.C.
Gave the Office of
Reduction Act of
104-
Stat.
Chapter 35,
Management and Budget
1995
13
163
§§3501-
(OMB) authority to develop
3549
information-resource
management polices and
standards, required
consultation with NIST and
GSA on information
technology (IT), and required
agencies to implement
processes relating to
information security and
privacy.
2/8/1996 Telecommunications
P.L.
110
See 47
Overhauled
Act of 1996
104-
Stat. 56 U.S.C. §609
telecommunications law,
104
nt. for
including significant
affected
deregulation of U.S.
provisions.
telecommunications markets,
eliminating regulatory barriers
to competition.
2/8/1996
Communications
P.L.
110
See 47
Intended to regulate indecency
R41499
Decency Act of 1996
104-
Stat.
U.S.C.
and obscenity on
(p. 38)
104
133
§§223, 230
telecommunications systems,
(Title
including the Internet. Has
V)
been interpreted to absolve
Internet service providers and
certain web-based services of
responsibility for third-party
content residing on those
networks or websites.
Congressional Research Service
57
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
2/10/1996
Clinger-Cohen Act
P.L.
110
40 U.S.C.
Required agencies to ensure
(Information
104-
Stat.
§11001 et
adequacy of information-
Technology
106,
642
seq.
security policies, OMB to
Management Reform
(Div.
oversee major IT acquisitions,
Act) of 1996) (p. 39)
D and
and the Secretary of
E)
Commerce to promulgate
compulsory federal computer
standards based on those
developed by NIST. Exempted
national security systems from
most provisions.
8/21/1996 Health
Insurance P.L.
110
42 U.S.C.
Required the Secretary of
RL34120
Portability and
104-
Stat.
§1320d et
Health and Human Services to
Accountability Act
191
1936
seq.
establish security standards and
of 1996 (HIPAA)
regulations for protecting the
privacy of individually
identifiable health information,
and required covered health-
care entities to protect the
security of such information.
10/11/1996 Economic
Espionage P.L.
110
18 U.S.C.
Outlaws theft of trade secret
Act of 1996
104-
Stat.
§1030,
information, including
294
3488
Chapter 90,
electronically stored
§§1831-
information, if “reasonable
1839
measures" have been taken to
keep it secret. Also contains
the National Information
Infrastructure Protection Act
of 1996, amending 18 U.S.C.
§1030 (see the Counterfeit
Access Device and Computer
Fraud and Abuse Act of 1984,
p. 32), broadening prohibited
activities relating to
unauthorized access to
computers.
10/30/1998 Identity Theft and
P.L.
112
18 U.S.C.
Made identity theft a federal
R40599
Assumption
105-
Stat.
§1028
crime, provides penalties, and
Deterrence Act of
318
3007
directed the FTC to record
1998 (p. 40)
and refer complaints.
10/5/1999 National
Defense P.L.
113
10 U.S.C.
Established the Defense
Authorization Act
106-
Stat.
§2224
Information Assurance
for Fiscal Year 2000
65
512
Program and required
development of a testbed and
coordination with other federal
agencies.
11/12/1999 Gramm-Leach-Bliley P.L.
113
15 U.S.C.
Requires financial institutions
RL34120
Act of 1999
106-
Stat.
Chapter 94,
to protect the security and
RS20185
102
1338
§§6801-
confidentiality of customers’
(Title
6827
personal information;
V)
authorized regulations for that
purpose.
Congressional Research Service
58
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
10/30/2000 Floyd D. Spence
P.L.
114
10 U.S.C.
Established the DOD
National Defense
106-
STAT.
Chapter
information assurance
Authorization Act
398
1654A–
112,
scholarship program; set
for Fiscal Year 2001
(Titles 233;
§§2200-
cybersecurity requirements for
IX &
1654A–
2200f
federal systems superseded by
X)
266
FISMA in 2002
10/26/2001 USA PATRIOT Act
P.L.
115
see 18
Authorized various law-
R40980
of 2001
107-
Stat.
U.S.C. §1
enforcement activities relating
56
272
nt. and
to computer fraud and abuse.
classification
tables.a
7/30/2002 Sarbanes-Oxley
Act P.L.
116
15 U.S.C.
Requires annual reporting on
of 2002
107-
Stat.
§7262
internal financial controls of
204
745
covered firms to the Securities
and Exchange Commission
(SEC). Such controls typical y
include information security.
11/25/2002 Homeland Security
P.L.
116
6 U.S.C.
Created the Department of
Act of 2002 (HSA)
107-
Stat.
§§121-195c,
Homeland Security (DHS) and
(p. 41)
296
2135
441-444,
gave it functions relating to the
(Titles
and 481-
protection of information
II and
486
infrastructure, including
III)
providing state and local
governments and private
entities with threat and
vulnerability information, crisis-
management support, and
technical assistance.
Strengthened some criminal
penalties relating to
cybercrime.
11/25/2002 Federal Information
P.L.
116
44 U.S.C.
Created a cybersecurity
Security Management
107-
Stat.
Chapter 35,
framework for federal
Act of 2002 (FISMA)
296
2259
Subchapters information systems, with an
(p. 43)
(Title
II and III,
emphasis on risk management,
X)
116
40 U.S.C.
and required implementation of
P.L.
Stat.
11331,
agency-wide information
107-
2946
15 U.S.C.
security programs. Gave
347
278g-3 & 4
oversight responsibility to
(Title
OMB, revised the
III)
responsibilities of the Secretary
of Commerce and NIST for
information-system standards,
and transferred responsibility
for promulgation of those
standards from the Secretary
of Commerce to OMB.
11/26/2002 Terrorism Risk
P.L.
116
15 U.S.C.
Provides federal cost-sharing
Insurance Act of
107-
Stat.
§6701 nt.
subsidies for insured losses
2002 (p. 46)
297
2322
resulting from acts of
terrorism.
Congressional Research Service
59
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
11/27/2002 Cyber Security
P.L.
116
15 U.S.C.
Requires the National Science
Research and
107-
Stat.
§§278g, h,
Foundation (NSF) to award
Development Act,
305
2367
7401 et seq. grants for basic research and
2002 (p. 46)
education to enhance
computer security. Required
NIST to establish cybersecurity
research programs.
12/17/2002 E-Government Act of
P.L.
116
5 U.S.C.
Serves as the primary legislative
2002 (p. 48)
107-
Stat.
Chapter 37,
vehicle to guide federal IT
347
2899
44 U.S.C.
management and initiatives to
§3501 nt.,
make information and services
Chapter 35,
available online. Established the
Subchapter
Office of Electronic
2, and
Government within OMB, the
Chapter 36
Chief Information Officers
(CIO) Council, and a
government/private-sector
personnel exchange program;
includes FISMA; established and
contains various other
requirements for security and
protection of confidential
information.
12/4/2003
Fair and Accurate
P.L.
117
See 15
Required the FTC and other
RS20185
Credit Transactions
108-
Stat.
U.S.C.
agencies to develop guidelines
Act of 2003
159
1952
§1601 nt.
for identity theft prevention
for affected
programs in financial
provisions.
institutions, including “red
flags" indicating possible
identity theft.
12/16/2003 Controlling
the
P.L.
117
15 U.S.C.
Imposed regulations on the
Assault of Non-
108-
Stat.
Chapter
transmission of unsolicited
Solicited
187
2699
103,
commercial email, including
Pornography and
§§7701-
prohibitions against predatory
Marketing (CAN-
7713, 18
and abusive email, and false or
SPAM) Act of 2003
U.S.C. 1037
misleading transmission of
information.
7/15/2004
Identity Theft Penalty
P.L.
118
18 U.S.C.
Established penalties for
R40599
Enhancement Act
108-
Stat.
§§1028,
aggravated identity theft.
2004 (p. 49)
275
831
1028A
12/17/2004 Intelligence Reform
P.L.
118
42 U.S. C.
Created the position of
and Terrorism
108-
Stat.
§2000ee, 50 Director of National
Prevention Act of
458
3638
U.S.C.
Intelligence (DNI). Established
2004 (IRPTA) (p. 50)
§403-1 et
mission responsibilities for
seq., §403-3
some entities in the
et seq.,
intelligence, homeland security,
§404o et.
and national security
seq.
communities, and established a
Privacy and Civil Liberties
Board within the Executive
Office of the President.
Congressional Research Service
60
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
CRS
Year
Popular Name
Law
Stat.
U.S.C.
Applicability and Notes
Reports
8/8/2005
Energy Policy Act of
P.L.
119
16 U.S.C.
Requires FERC to certify an
R41886
2005 (EPACT)
109-
Stat.
824o
Electric Reliability Organization
58
594
(ERO) to establish and enforce
reliability standards for bulk
electric-power system facilities.
10/4/2006 Department
of
P.L.
120
6 U.S.C.
§550 required the Secretary of
Homeland Security
109-
Stat.
§121 nt.
Homeland Security to issue
Appropriations Act,
295
1355
regulations (6 C.F.R. Part 27)
2007
establishing risk-based
performance standards for
security of chemical facilities;
regulations include
cybersecurity standards
requirement (6 C.F.R.
§27.230(a)(8)).
8/5/2007 Protect
America P.L.
121
50 U.S.C.
Provided authority for the
Act of 2007
110-
Stat.
§1801 nt.
Attorney General and the DNI
55
552
to gather foreign intelligence
information on persons
believed to be overseas.
The act expired in 2008.
12/19/2007 Energy
P.L.
121
42 U.S.C.
Gave NIST primary
R41886
Independence and
110-
Stat.
§§17381-
responsibility for developing
Security Act of 2007 140
1492
17385
interoperability standards for
(EISA)
the electric-power “smart
grid."
7/10/2008 Foreign
Intelligence P.L.
122
See 50
Added additional procedures
98-326
Surveillance Act of
110-
Stat.
U.S.C.
to FISA (see p. 55) for
1978 [FISA]
261
2436
§1801 nt.
acquisition of communications
Amendments Act of
for affected
of persons outside the United
2008
provisions.
States.
9/26/2008 Identity
Theft
P.L.
122
18 U.S.C.
Authorized restitution to
R40599
Enforcement and
110-
Stat.
§1030
identity theft victims and
97-1025
Restitution Act of
326
356
modified some of the activities
2008
and penalties covered by 18
U.S.C. 1030.
2/17/2009 Health
Information P.L.
123
42 U.S.C.
Expanded privacy and security
R40546
Technology for
111-5
Stat.
§17901 et
requirements for protected
Economic and
(Title
226
seq.
health information by
Clinical Health Act
XIII of
broadening HIPAA breach
Div.
disclosure notification and
A and
privacy requirements to
Title
include business associates of
IV of
covered entities.
Div.
B)
Source: Various sources (see text), including National Research Council, Toward a Safer and More Secure
Cyberspace (Washington, DC: National Academy Press, 2007); The White House, Cyberspace Policy Review, May
29, 2009, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; and CRS.
Note: Prepared by Rita Tehan, Information Research Specialist (rtehan@crs.loc.gov, 7-6739) and Eric A. Fischer.
Laws in italics are discussed in the text.
Congressional Research Service
61
.
Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions
a. Office of the Law Revision Counsel, “United States Code Table of Classifications for Public Laws, 107th
Congress, 1st Session (Covering Public Laws 107-1 through 107-136),” http://uscode.house.gov/classification/
tbl107pl_1st.htm.
Author Contact Information
Eric A. Fischer
Senior Specialist in Science and Technology
efischer@crs.loc.gov, 7-7071
Acknowledgments
Contributing CRS staff include
• Patricia Moloney Figliola (“Communications Assistance for Law Enforcement Act of 1994”),
• Kristin M. Finklea (“Identity Theft and Assumption Deterrence Act of 1998,” “Identity Theft
Penalty Enhancement Act”),
• Wendy R. Ginsberg (“Freedom of Information Act (FOIA),” “Clinger-Cohen Act (Information
Technology Management Reform Act) of 1996”),
• John Rollins (“Department of Defense Appropriations Act, 1987,” “Intelligence Reform and
Terrorism Prevention Act of 2004 (IRTPA)”),
• Kathleen Ann Ruane (“Antitrust Laws and Section 5 of the Federal Trade Commission Act”),
• Gina Stevens (“Electronic Communications Privacy Act of 1986”),
• Rita Tehan (Table 2), and
• Catherine A. Theohary (“Posse Comitatus Act of 1879,” “U.S. Information and Educational
Exchange Act of 1948 (Smith-Mundt Act),” and “Communications Decency Act of 1996”).
Congressional Research Service
62