Présentation de l'éditeur
It has been argued that, in order to ensure the continuity of critical infrastructure and the larger economy, a regulatory framework for selected critical infrastructure should be created to require a minimum level of security from cyber threats. On the other hand, others have argued that such regulatory schemes would not improve cybersecurity while increasing the costs to businesses, expose businesses to additional liability if they fail to meet the imposed cybersecurity standards, and increase the risk that proprietary or confidential business information may be inappropriately disclosed.
In order to protect federal information networks, the Department of Homeland Security (DHS), in conjunction with the National Security Agency (NSA), uses a network intrusion system that monitors all federal agency networks for potential attacks. Known as EINSTEIN, this system raises significant privacy implications—a concern acknowledged by DHS, interest groups, academia, and the general public. DHS has developed a set of procedures to address these concerns, such as minimization of information collection, training and accountability requirements, and retention rules. Notwithstanding these steps, there are concerns that the program may implicate privacy interests protected under the Fourth Amendment.
Although many have argued that there is a need for federal and state governments and owners and operators of the nation’s critical infrastructures, to share information on cyber vulnerabilities and threats, obstacles to information sharing may exist in current laws protecting electronic communications or in antitrust law. Private entities that share information may also be concerned that sharing or receiving such information may lead to increased civil liability, or that shared information may contain proprietary or confidential business information that may be used by competitors or government regulators for unauthorized purposes.
Recent legislative proposals, such as H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), would seek to improve the nation’s cybersecurity, and may raise some or all of the legal issues mentioned above. This report provides a general discussion of the legal issues raised by these proposals; however, a detailed description and comparison of these legislative proposals is beyond the scope of this report.
Additionally, see CRS Report R42619, Cybersecurity: CRS Experts, by Eric A. Fischer.