Friday, March 13, 2009

U.S. Legal Issues on Cyber War

The Congressional Research Service has published a report on the legal and policy issues related to cyber warfare and defense in the United States. The paper summarizes the issues in terms of the three branches of the Federal government:
"Given that cyber threats originate from various sources, it is difficult to determine whether actions to prevent cyber attacks fit within the traditional scope of executive power to conduct war and foreign affairs. Nonetheless, under the Supreme Court jurisprudence, it appears that the President is not prevented from taking action in the cybersecurity arena, at least until Congress takes further action. Regardless, Congress has a continuing oversight and appropriations role. In addition, potential government responses could be limited by individuals’ constitutional rights or international laws of war."
One of the key problems with the Comprehensive National Cybersecurity Initiative (CNCI) is that originated in a classified Presidential Directive. This immediately causes conflict with the private sector on which the government is dependent:
"Given the secretive nature of the CNCI, one of the common concerns voiced by many security experts is the extent to which non-federal entities should have a role in understanding the threat to the nation’s telecommunications and cyber infrastructure and assist with providing advice, assistance, and coordination in preparation and response for ongoing and future intrusions and attacks."
The report provides background and discussion on the various roles and responsibilities of the three governmental branches and recommends the following Congressional actions to clarify and strengthen the legal basis for government action:
  • determine the most appropriate and effective organizational entity in which the nation’s principal cybersecurity prevention, response, and recovery responsibilities should reside;

  • require the senior U.S. government official in charge of all CNCI related activities be a Senate confirmable position to facilitate ongoing information exchange regarding Initiative plans and areas of progress and difficulty;

  • enact legislative language recognizing and defining the classified and unclassified aspects of the CNCI and the need for greater transparency and inclusiveness;

  • require the new Administration to develop and revise annually a classified and unclassified national cyber security strategy and intelligence community generated National Intelligence Estimate that provides Congress, the telecommunications industry, and the American public information related to the CNCI, the current and strategic cyber threats facing the nation, and programs being implemented to prepare for evolving technological risks;

  • define the privacy and civil liberty considerations that should accompany all aspects of the CNCI;

  • include legislative language in applicable authorizations bills to establish a programmatic foundation for CNCI related programs and suggest funding for current and future year’s activities; or

  • identify and codify relevant laws defining a national security related cyber offense against the United States, offensive versus defensive cyber activities, and the situations in which the Congress should be notified prior to the United States undertaking an offensive or counteroffensive cyber act.
The full report is available through the Washington Post:

Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations

No comments: