Much of this book focuses on the consequences that a company may face for inadequate cybersecurity, such as enforcement actions or lawsuits by the Federal Trade Commission or state attorneys general. However, the federal government's role in private-sector cybersecurity is not merely one of a regulator. The government also operates a number of programs that are designed to help companies battle the ever-evolving field of cybersecurity threats. Cyberspace is unique in that it involves both public and private infrastructure, and therefore the federal government recognizes that it has a role in securing the Internet. Moreover, the federal government can act as a central repository of cybersecurity information.
This chapter first reviews the increasingly centralized civilian cybersecurity operations, many of which are located within the Department of Homeland Security. It next examines DHS's cybersecurity information-sharing program, created by the Cybersecurity Act of 2015, and a similar program that the U.S. Energy Department operates for electric utilities. The chapter then reviews the voluntary Cybersecurity Framework developed by the National Institute of Standards and Technology. Finally, the chapter examines the U.S. military's ability to protect civilian networks and systems, and the limits placed on these activities under the Posse Comitatus Act.
The U.S. federal government does not have a single agency or department that is responsible for nationwide cybersecurity, as it does for health, education, housing, and other key policy issues. Due to the unique nature of cybersecurity, the responsibilities are scattered throughout the federal government.
Much of the federal government's proactive cybersecurity programs are centered in the U.S. Department of Homeland Security (DHS), which has primary responsibility for the civilian (nonmilitary) cybersecurity. Over the years, statutes and presidential orders have increasingly consolidated civilian cybersecurity responsibilities within DHS.
DHS's cybersecurity operations are housed in the Office of Cybersecurity and Communications, which is part of DHS's National Protection and Programs Directorate (a broad organization that also includes programs to protect federal property and critical infrastructure from terrorism and natural disasters). The Office of Cybersecurity and Communications operates EINSTEIN, a broad program that protects civilian federal government computers from cybersecurity threats, by monitoring and deterring threats in real time. The Office also operates the National Cybersecurity and Communications Integration Center (NCCIC). Within NCCIC is the U.S. Computer Emergency Readiness Team (US-CERT), which provides round-the-clock monitoring for emerging cybersecurity threats, and issues alerts about significant cybersecurity issues that it has detected.
In recent years, Congress and other officials have made clear that DHS plays a central role in coordinating civilian cybersecurity. In 2015, Congress passed the Cybersecurity Act of 2015, which, as described below, provided limited legal immunity to encourage the private sector to share information about cybersecurity threats and defensive measures with the federal government. A lesser-publicized provision in that law significantly expanded the cybersecurity authorities of NCCIC. The provision, entitled the National Cybersecurity Protection Advancement Act of 2015, centralized the responsibility for cyber-threat information sharing within NCCIC. The statute also provides NCCIC and DHS with significant responsibility for nationwide cybersecurity planning.
DHS, however, is far from the only federal agency or department that has taken some ownership of cybersecurity. For instance, in 2016, President Obama formed the White House's Commission on Enhancing National Cybersecurity, which is comprised of public and private sector representatives and is charged with advising the government on cybersecurity.1 The President also has advisers dedicated to cybersecurity, as does the President's National Security Council.
The U.S. State Department has additionally a cybersecurity coordinator who is dedicated to representing the nation on international cybersecurity issues. Among the issues that the State Department frequently discusses with other nations are export controls (discussed in Chapter 4 of this book), international cybercrime standards, and cyber-threat sharing and incident response programs.
The U.S. Department of Commerce also is quite involved in helping U.S. businesses reduce the risk of data breaches and other incidents. The Commerce Department's National Institute of Standards and Technology has developed a number of voluntary, nonbinding cybersecurity standards, including the Cybersecurity Framework discussed later in this chapter.
The U.S. Justice Department's Computer Crimes and Intellectual Property Section leads the government's efforts on prosecuting cybercrimes. Among the many responsibilities of the section is partnering with the private sector and educating the sector about emerging cybercrime issues.
Departments that focus on a particular industry often have attempted to help those industries ensure that they have adequate cybersecurity. For instance, the Food and Drug Administration has issued guidelines for the cybersecurity of medical devices, an issue that has long been seen as a serious national security concern. The U.S. Energy Department, discussed later in this chapter, has listed cybersecurity of the electric grid among its top priorities, and has started a threat-sharing information exchange for utilities. The Federal Communications Commission has offered cybersecurity resources to assist telecommunications providers in shoring up their network security. The National Highway Traffic Safety Administration, part of the U.S. Department of Transportation, has been researching the cybersecurity risks associated with connected automobiles.
DHS has long operated the NCCIC and US-CERT, but the private sector has been hesitant to provide real-time threat information to the federal government because of concerns about liability under a wide range of laws, including antitrust and privacy. Recognizing this barrier, after years of heated debate, Congress in late 2015 passed, and President Obama signed, the Cybersecurity Act of 2015. The Cybersecurity Act has a number of components, including the creation of new processes by which companies can monitor and defend their networks, provisions that are discussed in Chapter 7 of this book. The new law also creates a greatly expanded platform by which private companies and the government can exchange information about cyber-threat indicators and defensive measures.
The information sharing – and limited immunity – applies only for the sharing or receipt of cyber-threat indicators or defensive measures. The statute broadly defines “cyber-threat indicator” as information that is necessary to describe or identify:
The statute defines “defensive measure” as “an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected threat or security vulnerability.” The statute explicitly states that “defensive measure” does not include “a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system” that is neither owned by the private entity that is operating the defensive measure or another entity that is “authorized to provide consent and has provided consent to that private entity for operation of the measure.”
To encourage sharing of information regarding cyber-threat indicators and defensive measures, the law provides limited immunity for companies that share information with the federal government, via specific procedures promulgated by the Attorney General and Secretary of Homeland Security. If a private entity complies with the requirements of the Cybersecurity Act of 2015 and accompanying regulations, it will not be held liable for monitoring its systems for cyber threats. Moreover, private entities are not liable for properly sharing or receiving cyber-threat indicators under the Cybersecurity Act of 2015.
The immunity only applies for sharing information for a “cybersecurity purpose,” which the statute defines as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.” The statute defines “cybersecurity threat” as “an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.” “Cybersecurity threat” does not include a violation of a consumer terms of service or licensing agreement. This relatively narrow definition is intended to ensure that companies cannot gather and share private information with the government for reasons entirely unrelated to cybersecurity.
The limited immunity only applies if the private companies comply with DHS procedures – required under the Cybersecurity Act of 2015 – to adequately secure the information from unauthorized access, and to review cyber-threat indicators before sharing and remove any information that is not directly related to the cybersecurity threat. For instance, imagine that a retailer has seen a specific type of attack resulting in the theft of its customers' payment card information. That retailer should not actually transmit to DHS the list of compromised customer names and payment card numbers, as it is difficult to imagine that such information would be directly related to the cybersecurity threat. Instead, the company should either describe the attack, or redact the personally identifiable information from the data that it sends to DHS.
The Cybersecurity Act of 2015 explicitly states that it does not create a duty for the private sector to share cyber threats, nor does it create a duty for the private sector to warn or act due to its receipt of cyber-threat information.2 The Cybersecurity Act of 2015 requires DHS to create an information system that:
In 2016, DHS unveiled its Automated Indicator Sharing (AIS) system, operated by NCCIC and US-CERT as required by the new cybersecurity law. Private entities voluntarily receive and share indicators through AIS, typically anonymously unless they choose to have their name associated with the cyber-threat indicator. DHS states that it does not validate the cyber-threat indicators; instead, it shares indicators based on the volume and velocity of the tips that it receives, as quickly as possible.
DHS does not require companies to go through an extensive vetting process to use AIS. Instead, they must agree to a Terms of Use and connect to DHS's managed system.
As required by the Cybersecurity Act of 2015, DHS has built in a number of functions to protect privacy in AIS. Among the protections are:
Even if companies do not participate in AIS, they may share cyber-threat indicators and defensive measures with DHS via its website or email.
Because the law was recently added to the books, as of publication of this book, we do not have any court opinions that interpret the terms “cyber-threat indicator” or “cybersecurity threat.” However, the broad language of the definitions suggest that if a service provider reasonably believes that email messages or other Internet traffic might help companies understand a cybersecurity threat, such as malware, then the service provider would be immune from lawsuits under the SCA – or any other federal or state laws, for that matter.
A frequent concern that cybersecurity experts and policy makers raise relates to an attack on the U.S. electric grid. Such an attack could not only cause widespread economic disruption, not to mention the potential for serious physical harm.
The primary challenge for cybersecurity in the power grid is that the grid is comprised of the infrastructure of a number of private companies. The grid is interconnected, so a cyberattack on one company could have a spiral attack across the grid, even if some of the other utilities had taken steps that would have prevented such an attack.
In 2013, the U.S. Department of Energy attempted to address this, in part, with the Cybersecurity Risk Information Sharing Program (CRISP), a voluntary program through which utilities could share classified and unclassified cyber-threat data, with the Energy Department as the intermediary. The Energy Department operates CRISP with the Electricity Sector Information Sharing and Analysis Center, an industry group that also exchanges cyber-threat data.
Much of the CRISP data is classified, so it is difficult to know how effective CRISP has been so far. In a 2014 letter to the North American Electric Reliability Corporation, Patricia Hoffman, the U.S. Assistant Secretary for the Energy Department's Office of Electricity Delivery and Energy Reliability, stated that the Department envisions CRISP eventually being operated by the private sector, collaborating with the government, to “serve as the primary communications channel for the Electricity Subsector and enhance the ability of the sector to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents.”
The Energy Department's deep involvement in the development and roll-out of an industry-specific threat-sharing program demonstrates the grave threat that cyberattacks on the power grid could pose for the nation. Rather than simply delegating responsibility to the private sector or assuming that DHS would handle electric grid cyber threats through US-CERT, the Energy Department recognized the special need for industry-specific information sharing with government involvement.
Over the past decade, policy makers have become increasingly concerned that companies have not developed adequate procedures and policies to guard against cyber threats. This is particularly concerning because private companies operate a great deal of the power grids, communications networks, and other infrastructure that is central to the U.S. economy and national security.
In 2013, President Obama recognized this concern in an executive order regarding the cybersecurity of “critical infrastructure,” which he broadly defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”3
In the Executive Order, President Obama articulated a national policy “to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” The Executive Order calls for achieving those goals through a “partnership” with the private sector. This overall approach is noteworthy because it does not call for new regulations or laws to force companies to adopt specific safeguards. The Executive Order appears to recognize that strong cybersecurity is in companies' best interests, and that the government can help companies achieve those goals.
The Executive Order directed the Attorney General, Secretary of Homeland Security, and Director of National Intelligence to establish a process for sharing information about cyber threats – a process that was later codified and expanded upon in the Cybersecurity Act of 2015 information-sharing program (described above). The executive order also directed the Commerce Department's National Institute of Standards and Technology (NIST) to develop a voluntary cybersecurity framework for operators of critical infrastructure. The Executive Order directs NIST to incorporate industry feedback and align “policy, business and technological approaches to address cyber risks.”
In February 2014, in response to the Executive Order, NIST released the Framework for Improving Critical Infrastructure Cybersecurity. The 39-page document draws on a number of existing security standards. The NIST Framework does not proscribe specific technological solutions; rather, as its drafters state, it “provides organization and structure to today's multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today.” NIST emphasizes that its Framework is not a “one-size-fits-all” cybersecurity solution, and that companies have a wide range of risks and are best suited to “determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent.”
The NIST Framework core consists of five key principles for cybersecurity risk management. Below are the principles as stated by NIST, along with the implementation factors listed in the Framework, edited slightly. The NIST Framework is presented in multiple charts; this book consolidates those principles into a single list for clarity and brevity:
Keep in mind that the NIST Cybersecurity Framework is entirely voluntary, even for operators of the most critical infrastructure. NIST did not intend to create binding requirements, nor does it have the authority to do so.
However, companies are increasingly adopting the Framework, in the manner they see fit, to strengthen their cybersecurity processes. The Cybersecurity Framework is increasingly becoming a de facto standard of care that companies expect their business partners to follow. Accordingly, it is in a company's best interests to demonstrate that it complies, to some extent, with the general principles articulated in the Framework. Moreover, if a company experienced a breach or other cybersecurity incident, and subsequently faces a lawsuit or regulatory action, it might reduce the likelihood of liability if it could demonstrate the steps that it took to integrate the NIST Cybersecurity Framework into its operations.
Government agencies have recognized the value of the Cybersecurity Framework and have integrated it into their operations. For instance, in October 2015, the federal Office of Management and Budget, which is partly responsible for setting government-wide information technology policies, required federal agencies and departments to adopt the Framework. Similarly, in 2014, the state of Virginia began requiring its agencies to adopt the Framework. The Cybersecurity Framework is a good example of a public–private partnership that seeks to improve cybersecurity in the private sector without imposing regulations or the fear of costly litigation.
This chapter has focused on civilian government agencies, such as DHS and NIST, that assist the private sector with cybersecurity. However, some of the most skilled government cybersecurity experts are in the military. Due to centuries-old restrictions, these experts face significant limits on their ability to help companies and individuals defend their systems and networks.
The National Security Agency, which is part of the U.S. Defense Department, specializes in signals intelligence – that is, intercepting foreign intelligence information. The NSA employs some of the world's leading code-breakers, who seek to intercept and decode foreign intelligence communications. That process is known as signals intelligence, and is believed to be the largest component of NSA. NSA also operates an Information Assurance Directorate, which is charged with protecting the security of national security information.
Headquartered in the same location as NSA – and run by the same individual – is U.S. Cyber Command, which organizationally is located within U.S. Strategic Command. As of publication of this book, policy makers were discussing a proposal to separate NSA and Cyber Command. The Cyber Command is charged with leading the Defense Department's defense of its information networks, and to conduct cyber operations on behalf of the U.S. military. Each of the military services has cyber commands that are part of the U.S. Cyber Command: Army Cyber Command, Fleet Cyber Command, Air Force Cyber Command, and Marine Forces Cyber Command. The U.S. Department of Defense has three primary cyber missions:
The third mission has the most significance for the private sector. In the Department of Defense's 2015 strategic report on cyber, it stated that the department “must work with its interagency partners, the private sector, and allied and partner nations to deter and if necessary defeat a cyberattack of significant consequence on the U.S. homeland and U.S. interests.”5
Such a mission is sound, as the Defense Department has deep expertise in cyber, and protecting national security is clearly within the Department of Defense's missions. However, a long-standing legal rule known as posse comitatus presents a significant limit on such actions.
The Posse Comitatus Act, passed in 1878, prohibits the use of the U.S. military to enforce the laws. It states:
Whoever, except in cases and under circumstances expressly authorized by the Constitution or Act of Congress, willfully uses any part of the Army or the Air Force as a posse comitatus or otherwise to execute the laws shall be fined under this title or imprisoned not more than two years, or both.6
Congress passed the law after the Civil War, in response to concerns of the former confederacy that the federal government would use its military to create a police state. Although the statute only mentions the Army and Air Force, regulations also apply the prohibition to the Navy and Marines. The Posse Comitatus Act does not apply to state National Guard forces or the U.S. Coast Guard.
For the U.S. military to support domestic cyber defense, it must fall under an exception to the Posse Comitatus Act. Military cyber operations that enforce domestic laws must fall under another statute that provides an exception to the Posse Comitatus Act. For instance, the Insurrection Act, which was passed in 1807, before the Posse Comitatus Act, allows the President to use the armed forces to enforce laws or suppress rebellion if “unlawful obstructions, combinations, or assemblages, or rebellion against the authority of the United States, make it impracticable to enforce the laws of the United States in any State by the ordinary course of judicial proceedings.”7 Additionally, a group of statutes known as Defense Support of Civil Authorities allow the Defense Secretary to provide law enforcement with relevant information collected during military training or operations.8
In its September 2015 update to its manual on defense support of civil operations, the Department of Defense for the first time addressed the types of cyber incidents that might allow the U.S. military to provide domestic government agencies with support. The Defense Department wrote that “[l]arge-scale cyber incidents may overwhelm government and private-sector resources by disrupting the internet and taxing critical infrastructure information systems,” and that complications from these incidents “may threaten lives, property, the economy, and national security.”9 In such cases, the Department wrote, its services “support the remediation, restoration, and protection of critical emergency telecommunication networks and infrastructure,” and that “[c]yberspace technical assistance may be provided in response to a request from a lead federal agency.”10
The Defense Department's 2015 manual indicates the Department's willingness to help protect civilian networks in a wide range of cases that would threaten national security. The Posse Comitatus Act places some limits on these goals, but if the government can demonstrate that a significant threat to national security exists, it likely could justify the use of the military in the defense of private networks and systems.
3.137.219.117