Federal laws relating to cybersecurity: overview and discussion of proposed revisions.

Racketeer Influenced and Corrupt Organizations Act (RICO)

P.L. 91-452, 84 Stat. 941.

18 U.S.C. Chapter 96, §§ 1961-1968.

Major Relevant Provisions

* Enlarges the civil and criminal consequences of a list of state and federal crimes when committed in a way characteristic of the conduct of organized crime (racketeering). (106)

Possible Updates

The Task Force Report recommended that Congress change RICO "to include computer fraud within the definition of racketeering." (107) The White House Proposal would have made felony violation of 18 U.S.C. § 1030 (see "Counterfeit Access Device and Computer Fraud and Abuse Act of 1984") a racketeering predicate offense.

Federal Advisory Committee Act (FACA)

P.L. 92-463, 86 Stat. 770.

5 U.S.C. App., §§ 1-16.

Major Relevant Provisions

* Specifies the circumstances under which a federal advisory committee can be established, and its responsibilities and limitations.

* Requires that meetings of such committees be open to the public and that records be available for public inspection. (108)

Possible Updates

The act has been criticized as potentially impeding the full development of public/private partnerships in cybersecurity, particularly with respect to private-sector communications and input on policy. (109) While Section 871 of the HSA gives the Secretary of Homeland Security the power to establish advisory committees that are exempt from the requirements of the act, additional exemption authority might be helpful. Any such benefits would, however, need to be weighed against the effect of such authority on the public's ability to participate in, and to access the records of, the affected advisory committees. The subcommittee version of H.R. 3674 would have exempted the organization created by the bill from the requirements of the act.

Privacy Act of 1974

P.L. 93-579, 88 Stat. 1896.

5 U.S.C. § 552a.

Major Relevant Provisions

* Limits the disclosure of personally identifiable information (PII) held by federal agencies.

* Requires agencies to provide access to persons with agency records containing information on them.

* Established a code of fair information practices for collection, management, and dissemination of records by agencies, including requirements for security and confidentiality of records.

Possible Updates

Some observers argue that the act should be revised to clarify, in the context of cybersecurity, what is considered PII and how it can be used, for example by explicitly permitting the sharing among federal agencies, or with appropriate third parties such as owners and operators of critical infrastructure, of certain information, such as a computer's Internet Protocol (IP) address, in examinations of threats, vulnerabilities, and attacks. The act contains some exemptions, such as for law enforcement activities (5 U.S.C. § 552a(b)(7)) and duties of the Comptroller General (5 U.S.C. § 552a(b)(10)), but none relating specifically to cybersecurity. Other observers may argue that the provisions of the act are sufficient to permit necessary cybersecurity activities, and that revising the act to provide additional cybersecurity-related authorities could weaken the protections it provides. (110) In the 112th Congress, H.R. 1732 would have revised the act to take changes in information technology into account, but it did not specifically address information relating to cybersecurity.

Counterfeit Access Device and Computer Fraud and Abuse Act of 1984

P.L. 98-473, 98 Stat. 2190.

18 U.S.C. § 1030.

Major Relevant Provisions

As amended, (111)

* Provides criminal penalties, including asset forfeiture, for unauthorized access and wrongful use of computers and networks of the federal government or financial institutions, or in interstate or foreign commerce or communication;

* Specifies wrongful use as obtaining protected information, damaging or threatening to damage a computer, using the computer to commit fraud, trafficking in stolen computer passwords, and espionage;

* Criminalized electronic trespassing on and exceeding authorized access to federal government computers; and

* Created a statutory exemption for intelligence and law enforcement activities. (112)

Possible Update

The White House Proposal would have added penalties for damaging certain critical infrastructure computers, increased penalties for most violations of the act, clarified certain offenses, and modified the act's conspiracy and forfeiture provisions. In the 112th Congress, S. 2111, S. 2151, and S. 3342 had similar provisions. S. 890, S. 2151, S. 3342, and the White House Proposal would have enlarged the scope of the password trafficking offense by removing the requirement that the computer affect interstate commerce or be used by the United States. S. 1151 would also have made several changes similar to, but not as extensive as, those in the Administration proposal. (113) The Task Force Report recommended that the act be broadened to cover critical infrastructure systems, and possibly all private-sector computers, with increased criminal penalties. It also recommended that provisions be focused narrowly enough to avoid creating unintended liability for legitimate activities. (114)

Electronic Communications Privacy Act of 1986 (ECPA)

P.L. 99-508, 100 Stat. 1848.

18 U.S.C. §§ 2510-2522, 18 U.S.C. §§ 2701-2712, 18 U.S.C. §§ 3121-3126. (115)

Major Relevant Provisions

* Attempts to strike a balance between the fundamental privacy rights of citizens and the legitimate needs of law enforcement with respect to data shared or stored in various types of electronic and telecommunications services. (116) Since the act was passed, the Internet and associated technologies have expanded exponentially. (117) The act consists of three parts:

* A revised Title III of the "Omnibus Crime Control and Safe Streets Act of 1968" (also known as "Title III" or the "Wiretap Act") (118) prohibits the interception of wire, oral, or electronic communications unless an exception to the general rule applies. Unless otherwise provided, prohibits wiretapping and electronic eavesdropping; possession of wiretapping or electronic eavesdropping equipment; use or disclosure of information obtained through illegal wiretapping or electronic eavesdropping; and disclosure of information secured through court-ordered wiretapping or electronic eavesdropping, in order to obstruct justice. (119)

* The Stored Communications Act (SCA) (120) prohibits unlawful access to stored communications. (121)

* The Pen Register and Trap and Trace statute governing the installation and use of trap and trace devices and pen registers, (122) proscribing unlawful use of a pen register or a trap and trace device. (123)

* Establishes rules that law enforcement must follow before they can access data stored by service providers. Depending on the type of customer information involved and the type of service being provided, the authorization law enforcement must obtain in order to require disclosure by a third party will range from a simple subpoena to a search warrant based on probable cause.

Possible Updates

ECPA reform efforts focus on crafting a legal structure that is up-to-date, can be effectively applied to modern technology, and that protects users' reasonable expectations of privacy. ECPA is viewed by many stakeholders as unwieldy, complex, and difficult for judges to apply. (124) Cloud computing (125) poses particular challenges to the ECPA framework. For example, when law enforcement officials seek data or files stored in the cloud, such as web-based e-mail applications or online word processing services, the privacy standard that is applied is often lower than the standard that applies when law enforcement officials seek the same data stored on an individual's personal or business hard drive. (126)

An ECPA reform advocacy coalition has advanced the following principles:

* A governmental entity may require an entity covered by ECPA (a provider of wire or electronic communication service or a provider of remote computing service) to disclose communications that are not readily accessible to the public, but only with a search warrant issued based on a showing of probable cause, regardless of the age of the communications, the means or status of their storage or the provider's access to or use of the communications in its normal business operations.

* A governmental entity may access, or may require a covered entity to provide, prospectively or retrospectively, location information regarding a mobile communications device, but only with a warrant issued based on a showing of probable cause.

* A governmental entity may access, or may require a covered entity to provide, prospectively or in real time, dialed number information, e-mail to and from information or other data currently covered by the authority for pen registers and trap and trace devices, but only after judicial review and a court finding that the governmental entity has made a showing at least as strong as the showing under 18 U.S.C. § 2703(d).

* Where the Stored Communications Act authorizes a subpoena to acquire information, a governmental entity may use such subpoenas only for information related to a specified account(s) or individual(s). All nonparticularized requests must be subject to judicial approval. (127)

The Task Force Report recommended changes to laws governing the protection of electronic communications to facilitate sharing of appropriate cybersecurity information, including the development of an anonymous reporting mechanism. (128)

Department of Defense Appropriations Act, 1987

P.L. 99-591, 100 Stat. 3341-82, 3341-122.

10 U.S.C. § 167. (129)

Major Relevant Provisions

* Provides specific authority to the U.S. Special Operations Command (USSOCOM) for the conduct of direct action, strategic reconnaissance, unconventional warfare, foreign internal defense, civil affairs, and psychological operations; also counterterrorism, humanitarian assistance, theater search and rescue, and such other activities as may be specified by the President or the Secretary of Defense.

Possible Update

In addition to the authority provided under this act, Title 10 of the U.S. Code provides inherent and specific authority to DOD to undertake the following activities:

* Section 113 provides that, subject to the direction of the President, the Secretary of Defense has authority, direction, and control over DOD;

* Section 164 provides specific authority for combatant commanders for the performance of missions assigned by the President or by the Secretary with the approval of the President.

Specific authorities for combatant commanders are provided in Title 10 to use force in self-defense and for mission accomplishment--including in the recently recognized information operations environment. In preparing for contingencies or military operations, DOD undertakes activities to lessen risks to U.S. interests, including discrete actions to prepare for and respond to a cyberwarfare-related incident. (130)

Some military activities are conducted clandestinely to conceal the nature of the operation and to passively collect intelligence. Activities intended to influence the governance of a foreign country are deemed covert actions (131) and may not be conducted by members of the military absent a presidential finding and notification of the congressional intelligence committees. (132)

Some analysts suggest that in the cyber domain, distinguishing whether an action is, or should be considered, covert or clandestine is problematic, because an attacking adversary's intent and location are often difficult to discern. Should this act be updated, reassessing DOD's authorities in light of its unique intelligence capabilities may assist it in responding to cyber attacks and in conducting offensive cyber operations.

High Performance Computing Act of 1991

P.L. 102-194, 105 Stat. 1594.

15 U.S.C. Chapter 81. (133)

Major Relevant Provisions

* Establishes a federal high-performance computing program and requires that it address security needs.

* Requires that the program provide for interagency coordination and that an annual report on implementation be submitted to Congress.

* Requires NIST to establish security and privacy standards in high-performance computing for federal systems.

Possible Updates

This act established the Networking and Information Technology Research and Development (NITRD) Program, which produces the required annual report. However, concerns have been raised that the program does not yield sufficient strategic planning and does not sufficiently stress cybersecurity research and development (R&D). In the 111th Congress, H.R. 2020, which passed the House, would have addressed that concern by requiring a five-year strategic plan with a three-year review cycle. It would also have added a research goal of increasing understanding "of the scientific principles of cyber-physical systems" and improving methods for designing, developing, and operating such systems with high reliability, safety, and security. H.R. 967 in the 112th Congress was similar but added provisions on cloud computing. S. 773 in the 111th Congress would have required NIST to develop cybersecurity standards and metrics for computer networks and user interfaces, as would S. 2105 and S. 3414 in the 112th Congress. S. 2151 and S. 3342 would have established cybersecurity, including security of supply chains, as one of the goals for research under the act and contained a requirement similar to that of H.R. 967 for cyber-physical systems. H.R. 967, S. 2151, and S. 3342 would also have made a number of other amendments not directly related to cybersecurity.

Communications Assistance for Law Enforcement Act of 1994 (CALEA)

P.L. 103-414, 108 Stat. 4279.

47 U.S.C. § 1001 et seq. (134)

Major Relevant Provisions

* Requires telecommunications carriers to assist law enforcement in performing electronic surveillance on their digital networks pursuant to court orders or other lawful authorization.

* Directs the telecommunications industry to design, develop, and deploy solutions that meet requirements for carriers to support authorized electronic surveillance, including unobtrusive isolation of communications and call-identifying information for a target and provision of that information to law enforcement, in a manner that does not compromise the privacy and security of other communications.

Possible Updates

Some government and industry observers believe that CALEA should be revised to improve its effectiveness in addressing cybersecurity concerns. Among the concerns expressed are whether the act is the best mechanism for collecting information transmitted via the Internet, whether reassessment is needed of which private-sector entities the act covers and which government entities should be involved in enforcement and oversight, and what the role of industry should be in developing the technologies and standards used to implement the act's provisions. The Task Force Report recommended changes to laws governing the protection of electronic communications to facilitate sharing of appropriate cybersecurity information, including the development of an anonymous reporting mechanism. (135)

Communications Decency Act of 1996

P.L. 104-104 (Title V), 110 Stat. 133.

47 U.S.C. §§ 223, 230. (136)

Major Relevant Provisions

* Intended to regulate indecency and obscenity on telecommunications systems, including the Internet. Although much of the law is targeted at lewd or pornographic material, particularly when shown to children under the age of 18, the obscenity and harassment provisions could also be interpreted as applying to graphic, violent terrorist propaganda or incendiary language.

* Section 230(c)(1) provides that "no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This has been interpreted to absolve Internet service providers and certain web-based services of responsibility for third-party content residing on those networks or websites. (137)

Possible Updates

Some argue that certain Internet content, such as terrorist chat rooms or propaganda websites, presents a national security or operational threat that the Communications Decency Act does not address. Further, even if such material were deemed "indecent," the law does not give federal agencies the authority to require the Internet service providers hosting the content to take it offline.

These critics maintain that the law should be revised to compel ISPs and web administrators to dismantle sites containing information that could be used to incite harm against the United States. A possible revision could be modeled on the "take down and put back" provisions of the Digital Millennium Copyright Act, P.L. 105-304, 112 Stat. 2860, which amended title 17 of the U.S. Code to condition a service provider's safe harbor from copyright-infringement liability on its removing allegedly infringing third-party material upon notice and restoring it upon a valid counter-notice.

Others maintain that such a revision runs counter to the spirit of free, open exchange of information that characterizes the Internet and may violate the First Amendment. Some have also expressed concern that the intelligence value gained by preserving and monitoring such sites outweighs the potential threat they pose.

Clinger-Cohen Act (Information Technology Management Reform Act) of 1996

P.L. 104-106 (Divisions D and E), 110 Stat. 642.

40 U.S.C. § 11101 et seq. (138)

Major Relevant Provisions

* Gave agency heads authority to acquire IT and required them to ensure the adequacy of agency information security policies.

* Established the position of agency Chief Information Officer (CIO), responsible for assisting agency heads in IT acquisition and management.

* Requires the Office of Management and Budget (OMB) to oversee major information technology (IT) acquisitions.

* Requires OMB to promulgate, in consultation with the Secretary of Homeland Security, compulsory federal computer standards based on those developed by the National Institute of Standards and Technology (NIST). (139)

* Exempts national security systems from most provisions.

Possible Update

With the increasing globalization of the IT hardware and software industries, concerns have been growing among cybersecurity experts about potential vulnerabilities at various points along the supply chain for IT products. H.R. 1136, introduced in the 112th Congress, would have addressed such concerns with respect to federal acquisition of IT products and services by requiring vendors to meet security requirements to be developed by OMB, and also requiring vulnerability assessments by agencies.

S. 413 (similar to S. 3480 in the 111th Congress), S. 2105, S. 2151, S. 3342, S. 3414, and the White House Proposal would have returned the authority for promulgating standards for federal systems to the Secretary of Commerce. (140) H.R. 1163, in contrast, would not have amended that provision.

Congress and the executive branch have debated the limits of the authority and jurisdiction of CIOs since their establishment. In the private sector, CIOs may often serve as the senior IT decision maker. In federal agencies, in contrast, CIOs do not have budgetary control or authority over IT resources. (141) As part of a plan to reform federal IT management, (142) the Obama Administration has indicated its intention to change the role of CIOs "away from just policymaking and infrastructure maintenance, to encompass true portfolio management for all IT," including information security. (143) The White House Proposal does not include any provisions related to that proposed change, but additional legislative authority may be required for such a change to be fully implemented.

The Obama Administration also appointed a federal chief information officer and a federal chief technology officer (CTO), positions first created in the George W. Bush Administration, where the OMB deputy director for management also served as federal CIO. In the 111th Congress, H.R. 1910 and H.R. 5136, and H.R. 1136 in the 112th Congress, contained provisions to establish a statutory basis for the CTO position, although not explicitly as amendments to the Clinger-Cohen Act. (144) Some proposals in previous Congresses would also have established the federal CIO position in law. (145)

Identity Theft and Assumption Deterrence Act of 1998

P.L. 105-318, 112 Stat. 3007.

18 U.S.C. § 1028. (146)

Major Relevant Provisions

* Made identity theft a federal crime.

* Provided penalties for individuals who either committed or attempted to commit identity theft.

* Provided for forfeiture of property used or intended to be used in the fraud.

* Directed the Federal Trade Commission (FTC) to record complaints of identity theft, provide victims with informational materials, and refer complaints to the appropriate consumer reporting and law enforcement agencies. (147)

Possible Updates

See "Identity Theft Penalty Enhancement Act" below.

Homeland Security Act of 2002 (HSA)

P.L. 107-296 (Titles II and III), 116 Stat. 2135.

6 U.S.C. §§ 121-195c, 441-444, and 481-486. (148)

Major Relevant Provisions

* Transferred some functions relating to the protection of information infrastructure from other agencies to the Department of Homeland Security (DHS). (149)

* Requires DHS to provide state and local governments and private entities with threat and vulnerability information, crisis-management support, and technical assistance relating to recovery plans for critical information systems.

* Permits the Secretary of Homeland Security to designate qualified technologies as subject to certain protections from liability in claims relating to their use in response to an act of terrorism. (150)

* Established mechanisms to facilitate information sharing among federal agencies and appropriate nonfederal government and critical-infrastructure personnel. (151)

* Authorized DHS to establish a system of volunteer experts ("Net Guard") to assist local communities in responding to attacks on information and communications systems.

* Strengthened some criminal penalties relating to cybercrime.

* Created the Directorate of Science and Technology within DHS and assigned it broad R&D responsibilities, although responsibilities relating to cybersecurity R&D were not specifically described.

Possible Updates

Various concerns have been raised about the ways in which the act addressed cybersecurity, and a number of proposals have been made since its enactment to enhance the cybersecurity provisions. In the 111th Congress, the most comprehensive legislative proposal was S. 3480, which was reported out of the Senate Committee on Homeland Security and Governmental Affairs and reintroduced in the 112th Congress as S. 413 with minor modifications. It would have added provisions on cybersecurity that would have

* established a center for cybersecurity and communications within DHS;

* required coordination with the DHS Office of Infrastructure Protection and sector-specific agencies;

* established the United States Computer Emergency Readiness Team (US-CERT) within the center;

* stipulated information-sharing procedures for federal agencies and other entities;

* established a program within the center to provide assistance to the private sector;

* required the center to identify cyber vulnerabilities to critical infrastructure and establish requirements to address them;

* established procedures for response to imminent cyber threats to critical infrastructure, (152) enforcement of requirements, and protection of information; and

* required a risk-management strategy for security of the supply chain.

It would have established a cybersecurity R&D program in DHS and required coordination of those activities with other agencies and private entities. It would also have established a public/private-sector cybersecurity advisory council.

The White House Proposal would also have substantially enhanced DHS authority relating to cybersecurity. The proposal differed in several ways from the approach taken by S. 413. Among other differences, it would have provided enhanced authority to the DHS Secretary that S. 413 provided directly to a new center within the department. However, the White House Proposal would have required the Secretary to establish a center with cybersecurity responsibilities for federal and critical infrastructure systems. (153) It also did not codify the establishment of US-CERT, unlike S. 413, and did not provide the President with the authority to implement emergency actions in response to an imminent risk to critical infrastructure. It did, however, provide the DHS Secretary with authority to direct responses of federal agencies to cybersecurity threats or incidents.

S. 2105 and S. 3414 contained elements of both the White House Proposal and S. 413. They would have established a new center, with new authorities, but omitted the provision in S. 413 establishing US-CERT by law, as well as the provision on presidential emergency powers. S. 2105 and S. 3414 would have required the Science and Technology Directorate of DHS to establish a cybersecurity R&D plan. S. 1546 would also have required departmental cybersecurity research.

H.R. 3674, as reported to the House, would have provided additional responsibilities and authorities to DHS for the protection of federal information systems. It would have provided for information sharing with federal and nonfederal entities, cybersecurity research and development (R&D), and recruitment and retention of cybersecurity personnel. To facilitate information sharing and technical assistance, it would have created a center within DHS that would have included a private-sector board of advisors. Unlike the bill as introduced, it did not include a nongovernmental clearinghouse for sharing cybersecurity information between the private sector and the federal government that was recommended by the Task Force Report. H.R. 3674 would also have required DHS to perform cybersecurity R&D, to include testing, evaluation, and technology transfer.

Some other bills in the 111th Congress would also have revised the act. H.R. 6423, reintroduced as H.R. 174 in the 112th Congress, would establish a new office to develop, oversee, and enforce cybersecurity compliance for critical infrastructure sectors. H.R. 266, reintroduced as H.R. 76, would add a cybersecurity fellowship program for nonfederal officials to familiarize them with DHS cybersecurity activities. H.R. 4507 and H.R. 4842 would have added a cybersecurity training initiative for first responders and others. H.R. 2868 and S. 3599 would have added chemical-facility security measures, including cybersecurity, to the act.

See also "Information Sharing."

Federal Information Security Management Act of 2002 (FISMA)

P.L. 107-296 (Title X), 116 Stat. 2259.

P.L. 107-347 (Title III), 116 Stat. 2946.

44 U.S.C. Chapter 35, Subchapters II and III; 40 U.S.C. § 11331; 15 U.S.C. §§ 278g-3 and 278g-4. (154)

Major Relevant Provisions

FISMA created a security framework for federal information systems, with an emphasis on risk management, and gave specific responsibilities to the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the heads, chief information officers (CIOs), chief information security officers (CISOs), and inspectors general (IGs) of federal agencies. (155)

* Required executive agencies to inventory major computer systems, identify and provide appropriate security protections, and develop, document, and implement agency-wide information security programs.

* Gave OMB responsibility for overseeing federal information-security policy and evaluating agency information-security programs, but exempted national security systems, except with respect to enforcement of accountability for meeting requirements and reporting to Congress.

* Revised the responsibilities of the Secretary of Commerce and NIST for information-system standards and transferred responsibility for promulgation of those standards from the Secretary of Commerce to OMB. (156)

* Required that NIST cybersecurity standards be complementary with those developed for national security systems, to the extent feasible.

* Required heads of federal agencies to provide security protections commensurate with risk and to comply with applicable security standards. Specifically required agencies using national security systems to provide security protections commensurate with risk and in compliance with standards for such systems.

* Required senior agency officials to perform risk assessments, to determine and implement necessary security controls in a cost-effective manner, and to evaluate those controls periodically.

* Designated specific information-security responsibilities for agencies' chief information security officers, including agency-wide information-security programs, policies, and procedures, and training of security and other personnel.

* Required designation of an information-security officer in each agency, security awareness training, processes for remedial action to address deficiencies, and procedures for handling security incidents and ensuring continuity of operations.

* Required annual agency reports to Congress, performance plans, and independent evaluations of information security.

* Established a central federal incident center, overseen by OMB, to analyze incidents and provide technical assistance relating to them, to inform agency operators about current and potential threats and vulnerabilities, and to consult with NIST, NSA, and other appropriate agencies about incidents.

* Gave responsibility for protection of mission-critical systems in DOD and the CIA to the Secretary of Defense and the DCI, respectively, and required the Secretary of Defense to include compliance with the provisions above in developing program strategies for the Defense Information Assurance Program (10 U.S.C. § 2224).

Possible Updates

A commonly expressed concern about FISMA is that it is awkward and inefficient in providing adequate cybersecurity to government IT systems. The causes cited have varied but common themes have included inadequate resources, a focus on procedure and reporting rather than operational security, lack of widely accepted cybersecurity metrics, variations in agency interpretation of the mandates in the act, excessive focus on individual information systems as opposed to the agency's overall information architecture, and insufficient means to enforce compliance both within and across agencies. (157) Several legislative proposals in the 111th and 112th Congresses included major revisions to the act. The proposals varied in detail, with several notable provisions in some:

* Creation of a White House office with responsibility for cybersecurity;

* Transfer of responsibilities from OMB to the Secretary of Homeland Security or the Secretary of Commerce;

* Revisions to agency responsibilities under the act, including continuous monitoring, use of metrics, and emphasis on risk-based rather than minimum security measures;

* Changes in reporting requirements;

* Specification of cybersecurity requirements for acquisitions and the IT supply chain; and

* Establishment of mechanisms for interagency collaboration on cybersecurity.

In the 111th Congress, H.R. 5136 passed in the House, (158) and S. 3480 was reported out of the Senate Homeland Security and Governmental Affairs Committee.

In the 112th Congress, the Task Force Report recommended an increased focus on monitoring, support for DHS authority, and taking new and emerging technologies, such as cloud computing, into account. (159) H.R. 1136 would have made many changes similar to those in H.R. 5136 in the 111th Congress, transferring responsibility to a new White House Office for Cyberspace created by the bill. H.R. 1163, in contrast, retained the current role of the OMB Director. H.R. 1163 passed the House under suspension of the rules in April 2012.

S. 413 would have made changes similar to those in S. 3480 in the previous Congress, transferring responsibility for federal information security policy from the Director of OMB to the Director of a new DHS center that the bill would establish. The White House Proposal was broadly similar to congressional proposals in many details. However, it would not have created a White House cybersecurity office and would have transferred responsibilities to the DHS Secretary rather than to a new cybersecurity center within DHS. S. 2105 and S. 3414 included a similar approach. S. 2151 and S. 3342, in contrast, would have transferred responsibilities from OMB to the Secretary of Commerce.

S. 1535 would have required that agency information security programs assess the practices of contractors and third parties with respect to sensitive personally identifiable information as defined in the bill and ensure that any deficiencies are remediated.

See also "FISMA Reform."

Terrorism Risk Insurance Act of 2002

P.L. 107-297, 116 Stat. 2322.

15 U.S.C. [section] 6701 nt. (160)

Major Relevant Provisions

* Provides federal cost-sharing subsidies for insured losses resulting from acts of terrorism.

Possible Updates

The act is intended to provide incentives for the development of insurance coverage for losses from acts of terrorism. Losses from cyber attacks are not specifically included, and some observers have raised concerns about whether some modification of the act would be appropriate. (161)

Cyber Security Research and Development Act, 2002

P.L. 107-305, 116 Stat. 2367.

15 U.S.C. [[section][section] 278g,h], [section] 7401 et seq. (162)

Major Relevant Provisions

* Requires the National Science Foundation (NSF) to award grants for basic research to enhance computer security and for improving undergraduate and master's degree programs, doctoral research, and faculty development programs in computer and network security; and to establish multidisciplinary centers for research on computer and network security.

* Requires NIST to establish programs to award postdoctoral and senior research fellowships in cybersecurity and to assist institutions of higher learning that partner with for-profit entities to perform cybersecurity research; to perform intramural specified cybersecurity research; and to develop a checklist of security settings for federal computer hardware and software for voluntary use by federal agencies.

Possible Updates

A commonly expressed concern about federal research and development (R&D) relating to cybersecurity has been that it is insufficiently coordinated and prioritized, and focuses too little on understanding of fundamental principles and using them to develop transformational technologies. The George W. Bush Administration attempted to address the latter gap through the "leap-ahead" technology component of the Comprehensive Cybersecurity Initiative. (163) The Obama Administration's policy review (164) also called for expanded, transformational research.

Concerns have also been raised about the need to improve the process by which NIST creates checklists and other guidance and technical standards for federal IT systems. (165)

H.R. 4061 in the 111th Congress would have addressed those concerns by revising the act. A similar bill in the 112th Congress, H.R. 756, would, as amended, have expanded NSF R&D programs in cybersecurity, and required NIST to develop automated security specifications for its cybersecurity standards, checklists, and associated data. S. 2105, S. 2151, S. 3342, and S. 3414 would also have expanded cybersecurity topics addressed by NSF.

E-Government Act of 2002

P.L. 107-347, 116 Stat. 2899.

5 U.S.C. Chapter 37, 44 U.S.C. 3501 nt., 44 U.S.C. Chapter 35, Subchapter 2, and Chapter 36.

Major Relevant Provisions

Serves as the primary legislative vehicle to guide federal IT management and initiatives to make information and services available online. Significant provisions include the following:

* Established the Office of Electronic Government within OMB, to be headed by an administrator with a range of IT management responsibilities, including cybersecurity.

* Established the interagency CIO (Chief Information Officer) Council and specified working with the National Institute of Standards and Technology (NIST) on security standards as one of its functions.

* Assigned agency CIOs responsibility for monitoring implementation of federal cybersecurity standards in their agencies.

* Contains various other requirements for security and protection of confidential information, including electronic authentication and privacy guidelines.

* Established a five-year personnel exchange program between federal agencies and private sector organizations to help agencies fill IT management training needs.

* Also included the "Federal Information Security Management Act of 2002 (FISMA)."

Possible Updates

The White House Proposal would have renewed the personnel exchange program, which terminated at the end of 2007, and removed the current restriction of eligibility to management personnel. While this program would be applicable to any subdiscipline of IT, a widely held belief at present is that gaps in cybersecurity expertise are of particular concern. S. 1732 would have revised the privacy provisions to account for the increased commercial availability of personally identifiable information, which the bill defined broadly. (166) It would also have required agencies to designate chief privacy officers and created a council of them, and broadened OMB's privacy responsibilities.

Identity Theft Penalty Enhancement Act

P.L. 108-275, 118 Stat. 831.

18 U.S.C. [section][section] 1028, 1028A. (167)

Major Relevant Provisions

* Established penalties for aggravated identity theft, in which a convicted perpetrator could receive additional penalties (two to five years' imprisonment) for identity theft committed in relation to other federal crimes. (168)

Possible Updates

While the number of reported incidents of identity theft fell in 2010, identity theft has generally been the fastest growing type of fraud in the United States over the past decade. (169) FTC complaint data indicate that the most common fraud complaint received (19% of all consumer fraud complaints in 2010) has remained that of identity theft. (170) In 2010, for instance, about 8.1 million Americans were reportedly victims of identity theft. This is a decrease of about 28% from the approximately 11.1 million who were victimized in 2009. (171) Javelin Strategy and Research estimates that identity theft cost consumers about $37 billion in 2010.

The most recent congressional action taken to enhance the identity theft laws was through the Identity Theft Enforcement and Restitution Act of 2008 (Title II of P.L. 110-326). Among other elements, several of which were recommended by a presidential task force in 2007, (172) the act authorized restitution to identity theft victims for their time spent recovering from the harm caused by the actual or intended identity theft. Legislation has not yet, however, adopted recommendations of the task force to

* amend the identity theft and aggravated identity theft statutes so that thieves who misappropriate the identities of corporations and organizations--and not just the identities of individuals--can be prosecuted, (173) and

* amend the aggravated identity theft statute by adding new crimes as predicate offenses (174) for aggravated identity theft violations. (175)

The task force recommended that Congress clarify the identity theft and aggravated identity theft statutes to cover both individuals and organizations targeted by identity thieves because the range of potential victims includes not only individuals but organizations as well. The task force cites "phishing" as a means by which identity thieves assume the identity of a corporation or organization in order to solicit personally identifiable information from individuals. (176)

In part because identity theft is a facilitating crime, and the criminal act of stealing someone's identity often does not end there, investigating and prosecuting identity theft often involves investigating and prosecuting a number of related crimes. In light of this interconnectivity, the task force recommended expanding the list of predicate offenses for aggravated identity theft. The task force specifically suggested adding identity theft-related crimes such as mail theft, (177) counterfeit securities, (178) and tax fraud. (179)

The Task Force Report also recommended requiring restitution for victims of identity theft and computer fraud. (180) At present, the statute authorizes restitution but does not require it.

Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)

P.L. 108-458, 118 Stat. 3638.

42 U.S.C. [section] 2000ee, 50 U.S.C. [section] 403-1 et seq., [section] 403-3 et seq., [section] 404o et seq. (181)

Major Relevant Provisions

* Established the position of the Director of National Intelligence.

* Establishes mission responsibilities for some entities in the intelligence, homeland security, and national security communities.

* Discusses issues related to the collection, analysis, and sharing of security-related information.

* Establishes a Privacy and Civil Liberties Board within the Executive Office of the President.

Possible Updates

The act does not contain a single reference to cyber, cybersecurity, or related activities. Its stated purpose is to "reform the intelligence community and the intelligence and intelligence-related activities of the United States Government, and for other purposes." The act contains findings and recommendations offered in the 9/11 Commission Report (182) and other assessments that address national and homeland security shortcomings associated with the terrorist attacks of September 11, 2001.

Numerous organizations, programs, and activities in the act currently address cybersecurity-related issues. IRTPA addresses many types of risks to the nation and threats emanating from man-made and naturally occurring events. The broad themes of the act could be categorized as how the federal government identifies, assesses, defeats, responds to, and recovers from current and emerging threats. The act might be updated to incorporate cybersecurity-related issues. However, any such update could affect numerous organizations and activities. (183)

Acknowledgments

Contributing CRS staff include

* Patricia Moloney Figliola ("Communications Assistance for Law Enforcement Act of 1994"),

* Kristin M. Finklea ("Identity Theft and Assumption Deterrence Act of 1998," "Identity Theft Penalty Enhancement Act"),

* Wendy R. Ginsberg ("Freedom of Information Act (FOIA)," "Clinger-Cohen Act (Information Technology Management Reform Act) of 1996"),

* John Rollins ("Department of Defense Appropriations Act, 1987," "Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)"),

* Kathleen Ann Ruane ("Antitrust Laws and Section 5 of the Federal Trade Commission Act"),

* Gina Stevens ("Electronic Communications Privacy Act of 1986"),

* Rita Tehan (Table 2), and

* Catherine A. Theohary ("Posse Comitatus Act of 1879," "U.S. Information and Educational Exchange Act of 1948 (Smith-Mundt Act)," and "Communications Decency Act of 1996").

Author Contact Information

Eric A. Fischer

Senior Specialist in Science and Technology

efischer@crs.loc.gov, 7-7071

(1) The term information systems is defined in 44 U.S.C. [section] 3502 as "a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information," where information resources is "information and related resources, such as personnel, equipment, funds, and information technology." Thus cybersecurity, a broad and arguably somewhat fuzzy concept for which there is no consensus definition, might best be described as measures intended to protect information systems--including technology (such as devices, networks, and software), information, and associated personnel--from various forms of attack. The concept has, however, been characterized in various ways. For example, the interagency Committee on National Security Systems has defined it as "the ability to protect or defend the use of cyberspace from cyber attacks," where cyberspace is defined as "a global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers" (Committee on National Security Systems, National Information Assurance (IA) Glossary, April 2010, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf). In contrast, cybersecurity has also been defined as synonymous with information security (see, for example, S. 773, the Cybersecurity Act of 2010, in the 111th Congress), which is defined in current law (44 U.S.C. [section] 3532(b)(1)) as

protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide--

(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;

(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;

(C) availability, which means ensuring timely and reliable access to and use of information; and

(D) authentication, which means utilizing digital credentials to assure the identity of users and validate their access.

(2) See, for example, IBM, IBM X-Force[R] 2011 Mid-year Trend and Risk Report, September 2011, http://public.dhe.ibm.com/common/ssi/ecm/en/wg103009usen/WGL03009USEN.PDF; Barbara Kay and Paula Greve, Mapping the Mal Web IV (McAfee, September 28, 2010), http://us.mcafee.com/en-us/local/docs/MTMW_Report.pdf; Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011, http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf; Symantec, Symantec Internet Security Threat Report: Trends for 2010, Volume 16, April 2011, https://www4.symantec.com/mktginfo/downloads/21182883_GA_REPORT_ISTR_Main-Report_04-11_HI-RES.pdf.

(3) This term is defined in 44 U.S.C. [section] 3542(b)(2).

(4) Those bills were identified through a two-step process--candidates were found through searches of the Legislative Information System (LIS, http://www.congress.gov) using "cybersecurity," "information systems," and other relevant terms in the text of the bills, followed by examination of that text in the candidates to determine relevance for cybersecurity. Use of other criteria may lead to somewhat different results. For example, using the LIS "cybersecurity" topic search yields about 30 bills in the 112th Congress and 40 in the 111th, with about a 50% overlap in the bills included. While that difference is higher than might be expected, none of the bills identified uniquely by the LIS topic search are relevant to the discussion in this report.

(5) Among the broader proposals in the 111th Congress, S. 773 (S.Rept. 111-384) and S. 3480 (S.Rept. 111-368) were reported by the originating committees. H.R. 4061 (H.Rept. 111-405) and H.R. 5136 (Title XVII, mostly similar to H.R. 4900) both passed the House. A bill combining provisions of the two Senate bills was drafted (Tony Romm, "Lack of Direction Slows Cybersecurity," Politico, November 4, 2010, http://www.politico.com/news/stories/1110/44662.html). In the 112th Congress, S. 413 is similar to S. 3480 in the previous Congress, H.R. 756 (H.Rept. 112-264) is similar to H.R. 4061, and the Senate combined bill, S. 2105, includes elements of S. 773, S. 413, S. 2102, and a proposal put forward by the White House in April 2011 (see below).

(6) This update does not include executive branch actions taken since December 2011.

(7) The White House, "The Comprehensive National Cybersecurity Initiative," March 5, 2010, http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative. For additional information about this initiative and associated policy considerations, see CRS Report R40427, Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations, by John Rollins and Anna C. Henning.

(8) The position has been popularly called the "cyber czar."

(9) Jeffrey Zients, Vivek Kundra, and Howard A. Schmidt, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," Office of Management and Budget, Memorandum for Heads of Executive Departments and Agencies M-10-15, April 21, 2010, http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-15.pdf.

(10) See, for example, Seymour M. Hersh, "Judging the cyber war terrorist threat," The New Yorker, November 1, 2010, http://www.newyorker.com/reporting/2010/11/01/101101fa_fact_hersh?currentPage=all.

(11) Among them are White House strategies to improve the security of Internet transactions (The White House, National Strategy for Trusted Identities in Cyberspace, April 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf) and to coordinate international efforts (The White House, International Strategy for Cyberspace, May 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf), and an executive order on sharing and security for classified information (Executive Order 13587, "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information," Federal Register 76, no. 198 (October 13, 2011): 63811-63815, http://www.gpo.gov/fdsys/pkg/FR-2011-10-13/pdf/2011-26729.pdf).

(12) Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," Federal Register 78, no. 33 (February 19, 2013): 11737-11744.

(13) For more information, see CRS Report R42984, The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, by Eric A. Fischer et al.

(14) The White House, "Critical Infrastructure Security and Resilience," Presidential Policy Directive 21, February 12, 2013, http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

(15) This responsibility is shared to some extent with other agencies such as the U.S. Secret Service.

(16) For specific analysis of legal issues associated with several of the bills being debated in the 112th Congress, see CRS Report R42409, Cybersecurity: Selected Legal Issues, by Edward C. Liu et al.

(17) The title on information sharing is similar to S. 2102.

(18) SECURE IT is an acronym for Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology.

(19) A very similar but not identical bill, H.R. 4263, was introduced in the House April 9. It is not discussed separately in this update.

(20) The White House, Complete Cybersecurity Proposal, 2011, http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/law-enforcement-provisions-related-to-computer-security-full-bill.pdf. One part does not appear to be directly related to cybersecurity. It would restrict the authority of state and local jurisdictions with respect to the location of commercial data centers.

(21) Josh Smith, "GOP Senators Assail White House for Pushing Executive Order on Cybersecurity," Nextgov, September 14, 2012, http://www.nextgov.com/cybersecurity/2012/09/gop-senators-assail-white-house-pushing-executive-order-cybersecurity/58123/; Jaikumar Vijayan, "Obama to Issue Cybersecurity Executive Order This Month," Computerworld: Cyberwarfare, February 1, 2013, http://www.computerworld.com/s/article/9236438/Obama_to_issue_cybersecurity_executive_order_this_month?source=CTWNLE_nlt_pm_2013-02-01.

(22) The Honorable Fred Upton et al. to President Barack Obama, October 11, 2012, http://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/letters/20121011Cybersecurity.pdf; Senate Committee on Homeland Security and Government Affairs, "Senators Collins, Snowe, and Lugar to White House: Refrain from Executive Order on Cybersecurity," Press Release, October 10, 2012, http://www.hsgac.senate.gov/media/minority-media/senators-collins-snowe-and-lugar-to-white-house-refrain-from-executive-order-on-cybersecurity.

(23) House Republican Cybersecurity Task Force, Recommendations of the House Republican Cybersecurity Task Force, October 5, 2011, http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf.

(24) The Obama Administration has objected to this bill, claiming that it does not address cybersecurity needs for critical infrastructure, and contains overly broad liability protections for private-sector entities and insufficient protections for individual privacy, confidentiality, and civil liberties (The White House, "H.R. 3523--Cyber Intelligence Sharing and Protection Act," Statement of Administration Policy, April 25, 2012, http://www.whitehouse.gov/sites/default/files/omb/legislative/sap/112/saphr3523r_20120425.pdf). The Administration has not released statements of administration policy for any of the other bills discussed in this report.

(25) For discussion of this bill and H.R. 756, see also CRS Report RL33586, The Federal Networking and Information Technology Research and Development Program: Background, Funding, and Activities, by Patricia Moloney Figliola.

(26) H.R. 3674 was marked up by the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security on February 1 and forwarded to the full committee, which substantially amended the bill in its April 18 markup; the bill was reported by the committee on July 11 (see H.Rept. 112-592). The committee may consider cybersecurity legislation again in the 113th Congress.

(27) See also "Federal Information Security Management Act of 2002 (FISMA)."

(28) See CRS Report R42409, Cybersecurity: Selected Legal Issues for more detail.

(29) As used here, civil systems means federal information systems other than national security systems (defined in 44 U.S.C. [section] 3542) and mission-critical Department of Defense and Intelligence Community systems (i.e., compromise of those systems "would have a debilitating impact on the mission" of the agencies [see 44 U.S.C. 3543(c)]).

(30) See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace for the 44th Presidency, December 2008, http://www.csis.org/tech/cyber/; Partnership for Public Service and Booz Allen Hamilton, Cyber IN-Security: Strengthening the Federal Cybersecurity Workforce, July 2009, http://ourpublicservice.org/OPS/publications/download.php?id=135; CSIS Commission on Cybersecurity for the 44th Presidency, A Human Capital Crisis in Cybersecurity, July 2010, http://csis.org/files/publication/100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf.

(31) This includes providing requirements or statutory authority for existing programs, such as the joint NSF/DHS Scholarship-for-Service Program (see Office of Personnel Management, "Federal Cyber Service: Scholarship For Service," n.d., https://www.sfs.opm.gov/; National Science Foundation, Federal Cyber Service: Scholarship for Service (SFS), NSF 08-600, Program Solicitation, December 2, 2008, http://www.nsf.gov/pubs/2008/nsf08600/nsf08600.htm), the NSA/DHS National Centers of Academic Excellence (National Security Agency, "National Centers of Academic Excellence," January 10, 2012, http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml), and the U.S. Cyber Challenge (National Board of Information Security Examiners, "US Cyber Challenge," 2012, https://www.nbise.org/uscc).

(32) See, for example, National Research Council, Trust in Cyberspace (Washington, DC: National Academies Press, 1999), http://www.nap.edu/catalog/6161.html.

(33) The percentages were calculated from data in Subcommittee on Networking and Information Technology Research and Development, Committee on Technology, Supplement to the President's Budget for Fiscal Year 2013: The Networking and Information Technology Research and Development Program, February 2012, http://www.nitrd.gov/PUBS%5C2013supplement%5CFY13NITRDSupplement.pdf. The total investment for FY2011 was $445 million. However, agencies may perform additional research not reported as cybersecurity R&D (e.g., some research on software design or high-confidence systems).

(34) For example, through the Director of the Office of Science and Technology Policy (OSTP).

(35) This authority had been granted to the Secretary of Commerce under the Clinger-Cohen Act of 1996 (P.L. 104-106) but was transferred to the Director of OMB by the FISMA title in the HSA in 2002 (P.L. 107-296, Section 1002, 40 U.S.C. [section] 11331). Note that the version of the Chapter 35 provisions that is currently in effect (Subchapter III) was enacted by the FISMA title in the E-Government Act of 2002 (P.L. 107-347, Title III), but that is not the case for 40 U.S.C. [section] 11331, for which the version in the E-Government Act would have retained the authority of the Secretary of Commerce to promulgate those standards, even though it was enacted after the HSA. The reason for this potentially confusing difference appears to be that (1) the effective date of HSA was later than that of the E-Government Act, and (2) HSA changed 44 U.S.C. Chapter 35 by amending the existing subchapter II, which the E-Government Act explicitly suspended (see also "Federal Information Security Management Act of 2002 (FISMA)").

(36) See Jeffrey Zients, Vivek Kundra, and Howard A. Schmidt, "FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," Office of Management and Budget, Memorandum for Heads of Executive Departments and Agencies M-10-15, April 21, 2010, http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-15.pdf; and Peter R. Orszag and Howard A. Schmidt, "Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS)," Office of Management and Budget, Memorandum for Heads of Executive Departments and Agencies M-10-28, July 6, 2010, http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m1028.pdf.

(37) See Department of Homeland Security, "Critical Infrastructure," May 4, 2012, http://www.dhs.gov/files/programs/gc_1189168948944.shtm; and CRS Report RL30153, Critical Infrastructures: Background, Policy, and Implementation, by John D. Moteff.

(38) See, for example, House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Examining the Cyber Threat to Critical Infrastructure and the American Economy, 2011, http://homeland.house.gov/hearing/subcommittee-hearing-examining-cyber-threat-critical-infrastructure-and-american-economy; Stewart Baker, Natalia Filipiak, and Katrina Timlin, In the Dark: Crucial Industries Confront Cyberattacks (McAfee and CSIS, April 21, 2011), http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf; and R. E. Kahn et al., America's Cyber Future: Security and Prosperity in the Information Age (Center for a New American Security, May 31, 2011), http://www.cnas.org/files/documents/publications/CNAS_Cyber_Volume%20I_0.pdf.

(39) S. 2105 would largely exempt information technology products and services from designation as covered CI and the cybersecurity regulations the bill would authorize.

(40) An entity would be exempted if the Secretary of Homeland Security determined that it was already sufficiently secure or that additional requirements would not substantially improve its security (Section 105(c)(4)). The President would also be permitted to exempt an entity from the requirements upon determining that current regulations sufficiently mitigate the risks to the entity (Section 104(f)).

(41) This exemption (Section 9(c) in the part of the proposal on CI protection) is similar to the Presidential exemption in S. 2105 (footnote 40) except that the White House Proposal would give the authority to the Secretary of Homeland Security.

(42) Among the possibilities discussed are tying adoption of standards to incentives such as grants and streamlined regulation, using tax credits, and facilitating the development of a cybersecurity insurance market.

(43) This is the version approved by voice vote by the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security on February 1, 2012, and forwarded to the full committee.

(44) See Department of Homeland Security, National Infrastructure Protection Plan, 2009, http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.

(45) The criteria in the subcommittee version of H.R. 3674 are generally similar to those in S. 2105 and the White House Proposal in that they focus on entities for which successful cyberattack could have major negative impacts. The definitions in the three legislative proposals differ somewhat in emphasis and specificity.

(46) This is the version ordered reported by the Committee on Homeland Security on April 18, 2012.

(47) See, for example, The Markle Foundation Task Force on National Security in the Information Age, Nation At Risk Policy Makers Need Better Information to Protect the Country, March 2009, http://www.markle.org/downloadable_assets/20090304_mtf_report.pdf; CSIS Commission on Cybersecurity for the 44th Presidency, Cybersecurity Two Years Later, January 2011, http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf.

(48) See, for example, Greg Nojeim, "WH Cybersecurity Proposal: Questioning the DHS Collection Center," Center for Democracy & Technology, May 24, 2011, http://cdt.org/blogs/greg-nojeim/wh-cybersecurity-proposal-questioning-dhs-collection-center; and Adriane Lapointe, Oversight for Cybersecurity Activities (Center for Strategic and International Studies, December 7, 2010), http://csis.org/files/publication/101202_Oversight_for_Cybersecurity_Activities.pdf. See also comments received by a Department of Commerce task force (available at http://www.nist.gov/itl/cybersecnoi.cfm) in conjunction with development of this report: Internet Policy Task Force, Cybersecurity, Innovation, and the Internet Economy (Department of Commerce, June 2011), http://www.nist.gov/itl/upload/Cybersecurity_Green-Paper_FinalVersion.pdf. See also footnote 24.

(49) H.R. 3674 would address the issue by amending the HSA and H.R. 3523 by amending the National Security Act of 1947. The other proposals do not couch their provisions as amendments to current law.

(50) House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, "Hearing on Draft Legislative Proposal on Cybersecurity," 2011, http://homeland.house.gov/hearing/subcommittee-hearing-hearing-draft-legislative-proposal-cybersecurity.

(51) Department of Homeland Security, "National Cybersecurity and Communications Integration Center," December 6, 2011, http://www.dhs.gov/files/programs/nccic.shtm.

(52) Department of Homeland Security Office of Inspector General, "Secretary Napolitano Opens New National Cybersecurity and Communications Integration Center," Press Release, October 30, 2009, http://www.dhs.gov/ynews/releases/pr_1256914923094.shtm. The subcommittee version of H.R. 3476 would also have provided statutory authority for NCCIC, but would have given it somewhat different responsibilities.

(53) The committee version of H.R. 3674 includes a FOIA exemption by reference to the amendments to Title XI of the "National Security Act of 1947" that would be made by H.R. 3523.

(54) A similar provision was deleted by amendment from H.R. 624.

(55) Section 2(c) of the bill. These provisions were added as a floor amendment. The original bill would have given primary responsibility for privacy and civil liberties to the DNI.

(56) The board was established by the "Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)."

(57) Section 245(a)(1) as added to the HSA by the proposal.

(58) For discussion of federal cybercrime laws, see CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle; and CRS Report R40599, Identity Theft: Trends and Issues, by Kristin Finklea. See also the discussions of criminal statutes in this report.

(59) There are 27 entries, but the one on antitrust laws consists of four different statutes. Neither of the two lists is intended to be definitive or exhaustive. For example, some analysts may argue that more agency authorization statutes should be included, or, alternatively, that some of the statutes that are included are not of significant relevance.

(60) This is the name by which the statute is commonly known.

(61) The public law (P.L.) and United States Statutes at Large (Stat.) citations refer to the original law to which the popular name currently applies. Laws enacted before 1957 generally do not have public law numbers but chapter numbers (Ch.) instead. U.S. Code (U.S.C.) citations refer to the codified law, including any amendments, of those provisions deemed most relevant for cybersecurity as discussed in the text under that law (see also footnote 62). For more information about citation forms, see Law Library of Congress, "Federal Statutes," April 4, 2011, http://www.loc.gov/law/help/statutes.php. More complete cross-references of public laws to corresponding provisions of U.S. Code can be found in classification tables (see, for example, U.S. House of Representatives, Office of the Law Revision Counsel, "U.S. Code Classification Tables," 2011, http://uscode.house.gov/classification/tables.shtml).

(62) In some cases, such as the Cybersecurity Research and Development Act, P.L. 107-305, the entire statute is relevant to cybersecurity. In others, such as the Omnibus Crime Control and Safe Streets Act of 1968, P.L. 90-351, the statute has a broader focus and only the provisions relevant to the text are cited and described. However, given that cybersecurity is not a precise concept, there may in some cases be legitimate disagreements among experts about which provisions are relevant. Therefore, the descriptions and U.S. Code citations cannot be considered definitive.

(63) The discussion is provided for purposes of information only. CRS does not propose legislation or take positions or make recommendations on legislative proposals or issues. Contributing CRS staff include Patricia Moloney Figliola, Kristin M. Finklea, Eric A. Fischer, Wendy R. Ginsberg, John Rollins, Kathleen Ann Ruane, Gina Stevens, Rita Tehan, and Catherine A. Theohary. Entries for which no contributor is indicated were written by Eric A. Fischer.

(64) The order is by date of enactment of the earliest relevant statute, as assessed by CRS. This organization, rather than alternatives such as by topic or U.S. Code title, was chosen because it provides the best view of the evolution of legislation in this area.

(65) Sources are cited where they could be specifically identified.

(66) Data-breach notification is also covered by H.R. 1528, H.R. 1707, H.R. 1841, H.R. 2577, S. 1151, S. 1207, S. 1480, and S. 1535.

(67) This act was classified to 15 titles.

(68) Prepared by Catherine A. Theohary, Analyst in National Security Policy and Information Operations (ctheohary@crs.loc.gov, 7-0844).

(69) For further discussion, see CRS Report RS22266, The Use of Federal Troops for Disaster Assistance: Legal Issues, by Jennifer K. Elsea and R. Chuck Mason.

(70) For example, see Jeffrey K. Toomer, "A Strategic View of Homeland Security: Relooking the Posse Comitatus Act and DOD's Role in Homeland Security" (monograph, School of Advanced Military Studies, United States Army Command and General Staff College, Fort Leavenworth, Kansas, July 11, 2002), http://www.dtic.mil/cgi-bin/GetTRDoc?Location=U2&doc=GetTRDoc.pdf&AD=ADA403866.

(71) Department of Homeland Security and Department of Defense, "Regarding Cybersecurity." The MOA provides terms for sharing of personnel, equipment, and facilities by the two agencies to improve planning, capabilities, and mission activities in national cybersecurity efforts.

(72) Prepared by Kathleen Ann Ruane, Legislative Attorney (kruane@crs.loc.gov, 7-9135).

(73) See, e.g., United States v. American Airlines Inc., 743 F.2d 1114 (5th Cir. 1984); FTC v. Motion Picture Advertising Serv. Co., 344 U.S. 392, 394-95 (1953); FTC v. Cement Institute, 333 U.S. 683, 694 (1948); Fashion Originators' Guild v. FTC, 312 U.S. 457, 463-64 (1941).

(74) See Standard Oil Co. v. U.S., 221 U.S. 1 (1911).

(75) See Federal Trade Commission and Department of Justice, Antitrust Guidelines for Collaborations among Competitors, April 2000, http://www.ftc.gov/os/2000/04/ftcdojguidelines.pdf.

(76) Ibid.

(77) Ibid. (noting that many collaborations among competitors are "not only benign, but procompetitive").

(78) House Republican Cybersecurity Task Force, Recommendations, p. 11.

(79) See Amitai Aviram, "Network Responses to Network Threats," in The Law and Economics of Cybersecurity, ed. Mark Grady and Francesco Parisi (New York: Cambridge University Press, 2006), 157-158.

(80) See Federal Trade Commission and Department of Justice, Antitrust Guidelines.

(81) Ibid.

(82) 28 C.F.R. [section] 50.6.

(83) Federal Trade Commission and Department of Justice, Antitrust Guidelines.

(84) Joel I. Klein, Assistant Attorney General, to Barbara Greenspan, Associate General Counsel, Electric Power Institute, Inc., October 2, 2000, http://www.justice.gov/atr/public/busreview/6614.htm.

(85) 15 U.S.C. [section] 272, as amended by the Technology Competitiveness Act, Subtitle B of Title V of P.L. 100-418, the Omnibus Trade and Competitiveness Act of 1988, which also changed the name of the agency from the National Bureau of Standards to the National Institute of Standards and Technology, and changed the name of the act to the National Institute of Standards and Technology Act.

(86) 15 U.S.C. [section][section] 278g-3 and -4, as added by the Computer Security Act of 1987. See also "Federal Information Security Management Act of 2002 (FISMA)."

(87) The law was originally enacted in 1920 as the Federal Water Power Act but was renamed the Federal Power Act in 1935 (49 Stat. 863, 16 U.S.C. [section] 791a).

(88) See, for example, H.Rept. 111-493, S.Rept. 111-331.

(89) CRS Report R41886, The Smart Grid and Cybersecurity---Regulatory Policy and Issues, by Richard J. Campbell.

(90) See also "Communications Decency Act of 1996."

(91) See, for example, Elgin M. Brunner and Manuel Suter, International CIIP Handbook 2008/2009 (Center for Security Studies, ETH Zurich, 2008), http://www.css.ethz.ch/publications/CIIP_HB_08.

(92) See also CRS Report R41674, Terrorist Use of the Internet: Information Operations in Cyberspace, by Catherine A. Theohary and John Rollins.

(93) S. 413 is largely identical to S. 3480. Both would provide the authority for the emergency measures through a revision of the Homeland Security Act, not the Communications Act. In addition, they would assign the authority to implement Section 706 to the head of a White House office to be created by the bills. The provision in S. 773 was not presented as a revision to a specified law.

(94) For example, the Task Force Report states, "There is widespread agreement that greater sharing of information is needed within industries, among industries, and between government and industry in order to improve cybersecurity and to prevent and respond to rapidly changing threats. For example, through intelligence collection, the federal government has insights and capabilities that many times are classified but would be useful to help defend private companies from cybersecurity attacks" (House Republican Cybersecurity Task Force, Recommendations, p. 10).

(95) Prepared by Catherine A. Theohary, Analyst in National Security Policy and Information Operations (ctheohary@crs.loc.gov, 7-0844).

(96) This restriction was added by the Foreign Relations Authorization Act, Fiscal Years 1986 and 1987 (P.L. 99-93, 99 Stat. 431) and was not part of the original act.

(97) For discussion, see CRS Report R40989, U.S. Public Diplomacy: Background and Current Issues, by Kennon H. Nakamura and Matthew C. Weed.

(98) See, for example, CSIS Commission on Cybersecurity for the 44th Presidency, Securing Cyberspace for the 44th Presidency, December 2008, http://www.csis.org/tech/cyber/; The White House, Cyberspace Policy Review, May 29, 2009, http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf; and The White House, International Strategy for Cyberspace.

(99) Prepared by Wendy R. Ginsberg, Analyst in Government Organization and Management (wginsberg@crs.loc.gov, 7-3933).

(100) The statute must require that the data be withheld from the public in such a manner as to leave no discretion on the issue, establish particular criteria for withholding information or refer to particular types of matters to be withheld, or specifically cite the exemption if enacted after October 28, 2009, the date of enactment of the OPEN FOIA Act of 2009, P.L. 111-83. These exemptions are also called "b(3) exemptions" because they are created pursuant to 5 U.S.C. [section] 552(b)(3).

(101) Other exemptions may also sometimes apply to cybersecurity information. For further discussion of FOIA and its exemptions, see CRS Report R41933, The Freedom of Information Act (FOIA): Background and Policy Options for the 113th Congress, by Wendy Ginsberg; and CRS Report R41406, The Freedom of Information Act and Nondisclosure Provisions in Other Federal Laws, by Gina Stevens.

(102) See "Sec. 245. Voluntary Disclosure of Cybersecurity Information," in The White House, "Department of Homeland Security Cybersecurity Authority and Information Sharing," May 12, 2011, p. 8-9, http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/dhs-cybersecurity-authority.pdf.

(103) Specifically, it states, "information sharing within existing structures can be improved through limited safe harbors when private sector entities voluntarily disclose threat, vulnerability, or incident information to the federal government or ask for advice or assistance to help increase protections on their own systems. These protections would need to address concerns about antitrust issues, liability, an exemption from the Freedom of Information Act (FOIA), protection from public disclosure, protection from regulatory use by government, and whether or not a private entity is operating as an agent of the government. However, the protection of personal privacy should be at the forefront of any limited legal protection proposal" (House Republican Cybersecurity Task Force, Recommendations, p. 11).

(104) These provisions, along with possible updates, are discussed under "Electronic Communications Privacy Act of 1986."

(105) There is no uniform definition of "cybercrime." Furthermore, no definitive statistics on cybercrime appear to be publicly available. However, the public/private Internet Crime Complaint Center referred 25 times as many of the complaints it received to law enforcement agencies in 2010 (121,710) as in 2001 (4,810) (Internet Crime Complaint Center, 2010 Internet Crime Report, 2011, http://www.ic3.gov/media/annualreport/2010_IC3Report.pdf).

(106) For details, see CRS Report 96-950, RICO: A Brief Sketch, by Charles Doyle.

(107) House Republican Cybersecurity Task Force, Recommendations, p. 14.

(108) For more information, see CRS Report R40520, Federal Advisory Committees: An Overview, by Wendy Ginsberg.

(109) Isabelle Abele-Wigert and Myriam Dunn, International CIIP Handbook 2006, Vol. I (Center for Security Studies, ETH Zurich, 2006), p. 337, http://www.css.ethz.ch/publications/CIIP_HB_06_Vol.1.pdf; Brunner and Suter, International CIIP Handbook 2008/2009, p. 456.

(110) For information on how they have been interpreted by the courts, see Department of Justice, "Overview of the Privacy Act of 1974, 2010 Edition," March 2, 2010, http://www.justice.gov/opcl/1974privacyact-overview.htm.

(111) The Computer Fraud and Abuse Act of 1986 (P.L. 99-474, 100 Stat. 1213) expanded the scope of the original act. For government computers, it criminalized electronic trespassing, exceeding authorized access, and destroying information. It also criminalized trafficking in stolen computer passwords and created a statutory exemption for intelligence and law enforcement activities.

(112) For more information, see CRS Report 97-1025, Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle.

(113) See CRS Report R41941, The Obama Administration's Cybersecurity Proposal: Criminal Provisions, by Gina Stevens.

(114) House Republican Cybersecurity Task Force, Recommendations, p. 14.

(115) Prepared by Gina Stevens, Legislative Attorney (gstevens@crs.loc.gov, 7-2581).

(116) 100 Stat. 1848; see also House Committee on the Judiciary, "Electronic Communications Privacy Act of 1986," H.Rept. 99-647, 99th Cong. 2d Sess. 2, at 19 (1986).

(117) House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, ECPA Reform and the Revolution in Cloud Computing, 2010, http://judiciary.house.gov/hearings/hear_100923.html (statement of Edward W. Felten, Professor, Princeton University):

   In 1986, when ECPA was passed, the Internet consisted of a few
   thousand computers. The network was run by the U.S. government for
   research and education purposes, and commercial activity was
   forbidden. There were no web pages, because the web had not been
   invented. Google would not be founded for another decade. Twitter
   would not be founded for another two decades. Mark Zuckerberg, who
   would grow up to start Facebook, was two years old. In talking
   about advances in computing, people often focus on the equipment.
   Certainly the advances in computing equipment since 1986 have been
   spectacular. Compared to the high-end supercomputers of 1986,
   today's mobile phones have more memory, more computing horsepower,
   and a better network connection not to mention a vastly lower
   price.


(118) 18 U.S.C. [section] 2510-2522.

(119) 18 U.S.C. [section] 2511.

(120) 18 U.S.C. [section][section] 2701-2712.

(121) 18 U.S.C. [section] 2701.

(122) 18 U.S.C. [section][section] 3121-3126. A trap and trace device identifies the source of incoming calls, and a pen register indicates the numbers called from a particular phone.

(123) 18 U.S.C. [section] 3121.

(124) J. Beckwith Burr, "The Electronic Communications Privacy Act of 1986: Principles for Reform," March 30, 2010, http://www.digitaldueprocess.org/files/DDP_Burr_Memo.pdf.

(125) "Cloud computing is an emerging form of computing that relies on Internet-based services and resources to provide computing services to customers, while freeing them from the burden and costs of maintaining the underlying infrastructure. Examples of cloud computing include web-based e-mail applications and common business applications that are accessed online through a browser, instead of through a local computer" (Government Accountability Office, Information Security: Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing, GAO-10-513, May 2010, http://www.gao.gov/new.items/d10513.pdf).

(126) House Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, ECPA Reform and the Revolution in Cloud Computing (statement of Michael Hintze, Associate General Counsel, Microsoft Corp.).

(127) Digital Due Process Coalition, "Our Principles", 2010, http://www.digitaldueprocess.org/index.cfm?objectid=99629E40-2551-11DF-8E02000C296BA163.

(128) House Republican Cybersecurity Task Force, Recommendations, p. 14. For more information on ECPA, see CRS Report 98-326, Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping, by Gina Stevens and Charles Doyle.

(129) Prepared by John Rollins, Specialist in Terrorism and National Security (jrollins@crs.loc.gov, 7-5529).

(130) CRS Report RL31787, Information Operations, Cyberwarfare, and Cybersecurity: Capabilities and Related Policy Issues, by Catherine A. Theohary.

(131) 50 U.S.C. [section] 413b(e) defines a covert action as "an activity or activities of the United States Government to influence political, economic, or military conditions abroad, where it is intended that the role of the United States Government will not be apparent or acknowledged publicly, but does not include ... activities the primary purpose of which is to acquire intelligence ... [or] traditional military activities or routine support to such activities."

(132) For an explanation and analysis of issues relating to covert and clandestine activities see CRS Report RL33715, Covert Action: Legislative Background and Possible Policy Questions, by Marshall Curtis Erwin.

(133) Parts of the chapter have also been given other popular names: the Next Generation Internet Research Act of 1998 (P.L. 105-305), and the Department of Energy High-End Computing Revitalization Act of 2004.

(134) Prepared by Patricia Moloney Figliola, Specialist in Internet and Telecommunications Policy (pfigliola@crs.loc.gov, 7-2508).

(135) House Republican Cybersecurity Task Force, Recommendations, p. 14.

(136) Prepared by Catherine A. Theohary, Analyst in National Security Policy and Information Operations (ctheohary@crs.loc.gov, 7-0844). These provisions are codified to Chapter 5 of Title 47, the "Communications Act of 1934." Codification of the various provisions of this act is complex. See 47 U.S.C. [section] 609 nt. for details.

(137) See CRS Report R41499, The Communications Decency Act: Section 230(c)(1) and Online Intermediary Liability, by Kathleen Ann Ruane and Julia Tamulis.

(138) Prepared by Wendy R. Ginsberg, Analyst in Government Organization and Management (wginsberg@crs.loc.gov, 7-3933), and Eric A. Fischer. The two divisions, originally known as the Federal Acquisition Reform Act and the Information Technology Management Reform Act, were renamed as the Clinger-Cohen Act by P.L. 104-208 and reclassified into 40 U.S.C. Subtitle III by P.L. 107-217 (see 40 U.S.C. [section] 101 nt.).

(139) The Clinger-Cohen Act originally gave this promulgation authority to the Secretary of Commerce, while providing the President authority to disapprove or modify such standards, and gave the Secretary authority to waive the standards in specific cases to avoid adverse financial or mission-related impacts. The "Federal Information Security Management Act of 2002 (FISMA)," enacted as part of the Homeland Security Act, transferred that authority to OMB.

(140) See the discussion of FISMA, p. 44.

(141) They do have authority under FISMA to ensure compliance with that law's information security requirements (44 U.S.C. [section] 3544). Some agency CIOs also have statutory authority in addition to that provided by Clinger-Cohen and FISMA. For example, the CIO of the intelligence community has procurement approval authority for IT (50 U.S.C. [section] 403-3g), and CIOs within DOD have budgetary review authority (10 U.S.C. [section] 2223).

(142) Vivek Kundra, 25-Point Implementation Plan to Reform Federal Information Technology Management (The White House, December 9, 2010), http://www.cio.gov/documents/25-Point-Implementation-Plan-to-ReformFederal%20IT.pdf.

(143) Jacob J. Lew, "Chief Information Officer Authorities," Memorandum for the Heads of Executive Departments and Agencies, M-11-29, August 8, 2011, pp. 1-2, http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-29.pdf.

(144) See CRS Report R40150, A Federal Chief Technology Officer in the Obama Administration: Options and Issues for Consideration, by John F. Sargent Jr.

(145) See, for example, CRS Report RL30914, Federal Chief Information Officer (CIO): Opportunities and Challenges, by Jeffrey W. Seifert.

(146) Prepared by Kristin M. Finklea, Coordinator, Analyst in Domestic Security (kfinklea@crs.loc.gov, 7-6259). See 18 U.S.C. [section] 1001 nt. for classification details.

(147) The FTC now records consumer complaint data and reports it in the Identity Theft Data Clearinghouse (Federal Trade Commission, "Reference Desk," Fighting Back Against Identity Theft, December 22, 2010, http://www.ftc.gov/bcp/edu/microsites/idtheft/reference-desk/index.html); identity theft complaint data are available for 2000 and forward.

(148) For classification details, see 6 U.S.C. [section] 101 nt.

(149) In particular, the act transferred to DHS the Federal Computer Incident Response Center, which had resided in the General Services Administration (GSA). In 2006, P.L. 109-295, The Department of Homeland Security Appropriations Act, 2007, established the position of Assistant Secretary for Cybersecurity and Communications (6 U.S.C. [section] 321) within DHS but did not specify duties or responsibilities.

(150) This set of provisions (Subtitle G of Title VIII, 6 U.S.C. [section] 441-444) is called the SAFETY Act.

(151) This set of provisions (Subtitle I of Title VIII, 6 U.S.C. [section] 481-486) is called the Homeland Security Information Sharing Act. Section 486 was added by P.L. 109-90 and provides some liability protections relating to actions involving information sharing and analysis centers.

(152) See also "Communications Act of 1934" above.

(153) This center would presumably replace the federal incident center currently required under 44 U.S.C. 3546. The revision of the Federal Information Security Management Act of 2002 (FISMA) in the White House Proposal does not include the latter center.

(154) FISMA was originally enacted as part of the Homeland Security Act of 2002, replacing provisions enacted by the Floyd D. Spence National Defense Authorization Act for Fiscal Year 2001 (P.L. 106-398, Title X, Subtitle G), enacted in 2000 but with a 2002 sunset. FISMA was reenacted in the same Congress by the E-government Act. Subchapter II is not in effect. The title 40 provision was originally enacted as part of the Clinger-Cohen Act (see p. 39), and the title 15 provisions are part of the NIST Act (see p. 24). See footnote 156 for more detail.

(155) For a more detailed description, see, for example, Government Accountability Office, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements, GAO-12-137, October 2011, http://www.gao.gov/new.items/d12137.pdf.

(156) The standards-promulgation authority had been granted to the Secretary of Commerce under the Clinger-Cohen Act of 1996 (P.L. 104-106) but was transferred to the Director of OMB by the FISMA title in the HSA in 2002 (P.L. 107-296, Section 1002, 40 U.S.C. 11331). The version currently in effect (44 U.S.C. Chapter 35, Subchapter III) was enacted by the FISMA title in the E-Government Act of 2002 (P.L. 107-347, Title III), which suspended Subchapter II, which had been revised by the HSA. That is not the case for 40 U.S.C. 11331, for which the P.L. 107-347 version would have retained the authority of the Secretary of Commerce to promulgate those standards as established in the Clinger-Cohen Act of 1996 (see p. 39), even though the E-Government Act was enacted after the HSA. Similarly, the revision to the NIST Act at 15 U.S.C. 278g-3 & 4 is that made by the HSA. The reason for this potentially confusing difference appears to be that (1) the effective date of HSA was later than that of the E-Government Act, and (2) HSA amended the existing subchapter II of 44 U.S.C. Chapter 35; the E-Government Act explicitly suspended that subchapter. In contrast, the revisions both laws made to the Paperwork Reduction Act, adding a subsection (c) to 44 U.S.C. [section] 3505 (requiring inventories of federal information systems), were codified. However, in a signing statement for the E-Government Act, President George W. Bush stated that the Administration would interpret the act as permanently superseding HSA "in those instances where both Acts prescribe different amendments to the same provisions of the United States Code" (President George W. Bush, "About E-Gov: Presidential Statement," December 17, 2002, http://georgewbush-whitehouse.archives.gov/omb/egov/g-3-statement.html). Such ambiguities in interpretation would presumably be resolved if FISMA is revised.

(157) See, for example, S.Rept. 111-368, and House Subcommittee on Government Management, Organization, and Procurement, The State of Federal Information Security, Committee on Oversight and Government Reform (Washington, DC: U.S. Government Printing Office, 2009), http://www.gpo.gov/fdsys/pkg/CHRG-111hhrg57125/pdf/CHRG-111hhrg57125.pdf. OMB has recently attempted to address some of the operational issues administratively by delegating some responsibilities to DHS (Orszag and Schmidt, "Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS)"). Weaknesses in FISMA implementation have been cited repeatedly by GAO in reports required by the act (see, for example, Government Accountability Office, Information Security: Weaknesses Continue Amid New Federal Efforts to Implement Requirements).

(158) The bill included provisions from H.R. 4900, which was ordered reported by the House Oversight and Government Reform Committee.

(159) House Republican Cybersecurity Task Force, Recommendations, p. 13.

(160) The original act was amended by P.L. 109-144, the Terrorism Risk Extension Act of 1995, and P.L. 110-160, the Terrorism Risk Insurance Program Reauthorization Act of 2007. For classification details, see 15 U.S.C. 6701 nt.

(161) See, for example, Karen C. Yotis, "TRIA and the Perils of Terrorism Insurance," Viewpoint, Summer 2007, http://www.aaisonline.com/viewpoint/07sum6.html.

(162) 15 U.S.C. [section][section] 278g,h are part of the NIST Act (see p. 24).

(163) See, for example, NITRD, "About the NITRD Program: National Cyber Leap Year", July 22, 2009, http://www.nitrd.gov/leapyear/index.aspx.

(164) The White House, Cyberspace Policy Review.

(165) See, for example, H.Rept. 111-405, CSIS Commission on Cybersecurity for the 44th Presidency, A Human Capital Crisis in Cybersecurity, July 2010, http://csis.org/ffiles/publication/100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf.

(166) It would include "any information about an individual maintained by an agency."

(167) Prepared by Kristin M. Finklea, Analyst in Domestic Security (kfinklea@crs.loc.gov, 7-6259). For classification details, see 18 U.S.C. [section] 1028 nt.

(168) Examples of such federal crimes include theft of public property, theft by a bank officer or employee, theft from employee benefit plans, false statements regarding Social Security and Medicare benefits, several fraud and immigration offenses, and specified felony violations pertaining to terrorist acts.

(169) For more information on identity theft, see CRS Report R40599, Identity Theft: Trends and Issues, by Kristin Finklea.

(170) Federal Trade Commission, Consumer Sentinel Network Data Book for January-December, 2010, March 2010, http://www.ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2010.pdf.

(171) Javelin Strategy & Research, 2011 Identity Fraud Survey Report: Consumer Version, February 2011, p. 5 (available at https://www.javelinstrategy.com/brochure/207).

(172) The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 2007, http://www.identitytheft.gov/reports/StrategicPlan.pdf.

(173) This would involve revision of 18 U.S.C. [section][section] 1028 and 1028A.

(174) A predicate offense can be described as a crime that is a component of a more serious offense. For example, in the case of money laundering, the crime that produces the funds that are to be laundered is the predicate offense.

(175) This would involve revision of 18 U.S.C. [section] 1028A.

(176) The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, pp. 9-92.

(177) 18 U.S.C. [section] 1708.

(178) 18 U.S.C. [section] 513.

(179) 26 U.S.C. [section] 7201, 7206-7207.

(180) House Republican Cybersecurity Task Force, Recommendations, p. 14.

(181) Prepared by John Rollins, Specialist in Terrorism and National Security (jrollins@crs.loc.gov, 7-5529). Classification of this act is complex. For details, see 50 U.S.C. [section] 401 nt.

(182) National Commission on Terrorist Attacks upon the United States, The 9/11 Commission Report, July 22, 2004, http://www.9-11commission.gov/report/911Report.pdf.

(183) For more information on threats, responses, and issues associated with cyberterrorism, see CRS Report R41674, Terrorist Use of the Internet: Information Operations in Cyberspace, by Catherine A. Theohary and John Rollins.

Table 1. Comparison of Topics Addressed by Selected Legislative
Proposals on Cybersecurity in the 112th and 113th Congress

                                               Task                                   White
                                 Selected      Force                       S. 3342    House
Topic                            House Bills   Report   S. 2105  S. 3414  (S. 2151)   Proposal

DHS authorities for protection   H.R. 3674 (a) X        X        X                    X
of federal systems

New DHS office/center            H.R. 3674              X        X                    X

Cybersecurity workforce          H.R. 756      X        X        X        X           X
authorities and programs         H.R. 967
                                 H.R. 3674

Supply-chain vulnerabilities     H.R. 3674     X        X        X                    X

Cybersecurity R&D                H.R. 756      X        X        X        X           X
                                 H.R. 967
                                 H.R. 3674

FISMA reform                     H.R. 1163     X        X        X        X           X

Protection of privately held     H.R. 3674     X        X (b)    X (b)                X
critical infrastructure (CI)

Government/private-sector        H.R. 3674     X        X        X                    X
collaboration on CI protection

Additional regulation of                       X        X        X                    X
privately held critical
infrastructure

Information sharing              H.R. 624      X        X        X        X           X
                                 H.R. 3674

FOIA exemption for               H.R. 624      X        X        X        X           X
cybersecurity information

New information-sharing          (H.R.         X        X        X
entities                         3674) (c)

Public awareness                 H.R. 756      X        X        X                    X

Cybercrime law                                 X                          X           X

Data breach notification                       X                                      X

Internet security provider                     X
code of conduct

National security/defense and                  X
federal civil sector
coordination

Source: CRS.

Note: S. 3342 was a revised version of S. 2151, and S. 3414 was a
revised version of S. 2105.

(a.) Bills listed in italics are from the 112th Congress and are
included in the absence of similar or corresponding bills in the
113th Congress.

(b.) S. 3414 would have permitted regulatory agencies to adopt
certain cybersecurity practices as mandatory requirements, but did
not provide regulatory authority beyond that in other law. S. 2105
would have provided the Secretary of Homeland Security with new
regulatory authority for cybersecurity.

(c.) The subcommittee version of this bill would have created a new
nonprofit quasi-governmental information-sharing entity, but the
committee version omitted those provisions (see "Information Sharing"
below).

Table 2. Laws Identified as Having Relevant Cybersecurity Provisions

Year          Popular Name                 Law             Stat.

6/18/1878     Posse Comitatus Act          Ch.             20 Stat.
              (p. 21)                      263             152

7/2/1890      Antitrust Laws:
and later     (p. 22)

              Sherman Antitrust            Ch.             26 Stat.
              Act                          647             209
              Wilson Tariff Act            Ch.             28 Stat.
                                           349,            570
                                           [section] 73
              Clayton Act                  P.L.            38 Stat.
                                           63-212          730
              [section] 5 of the Federal   Ch.             38 Stat.
              Trade Commission             311,            719
              (FTC) Act                    [section] 5

3/3/1901      National Institute of        Ch.             31 Stat.
              Standards and                872             1449
              Technology (NIST) Act
              (p. 24)

8/13/1912     Radio Act of 1912            Ch.             37 Stat.
                                           287             302

6/10/1920     Federal Power Act            Ch.             41 Stat.
              (p. 25)                      285             1063

2/23/1927     Radio Act of 1927            Ch.             44 Stat.
                                           169             1162

6/19/1934     Communications Act           Ch.             48 Stat.
              of 1934 (p.26)               652             1064

7/26/1947     National Security Act        Ch.             61 Stat.
              of 1947 (p. 27)              343             495

1/27/1948     US Information and           Ch.             62 Stat.
              Educational Exchange         36              6
              Act of 1948
              (Smith-Mundt Act)
              (p. 27)

9/8/1950      Defense Production           Ch.             64 Stat.
              Act of 1950                  932             798

8/1/1956      State Department             P.L.            70 Stat.
              Basic Authorities Act        84-             890
              of 1956 (p. 28)              885

10/30/1965    Brooks Automatic             P.L.            79 Stat.
              Data Processing Act          89-             1127
                                           306

7/4/1966      Freedom of                   P.L.            80 Stat.
              Information Act              89-             250
              (FOIA) (p. 29)               487

6/19/1968     Omnibus Crime                P.L.            82 Stat.
              Control and Safe             90-             197
              Streets Act of 1968          351
              (p. 30)

10/15/1970    Racketeer Influenced         P.L.            84 Stat.
              and Corrupt                  91-             941
              Organizations Act            452
              (RICO) (p. 31)

10/6/1972     Federal Advisory             P.L.            86 Stat
              Committee Act (p.            92-             770
              31)                          463

11/7/1973     War Powers                   P.L.            87 Stat.
              Resolution                   93-             555
                                           148

12/31/1974    Privacy Act of 1974          P.L.            88 Stat.
              (p. 32)                      93-             1896
                                           579

10/25/1978    Foreign Intelligence         P.L.            92 Stat.
              Surveillance Act of          95-             1783
              1978 (FISA)                  511

10/13/1980    Privacy Protection           P.L.            94 Stat.
              Act of 1980                  96-             1879
                                           440

10/12/1984    Counterfeit Access           P.L.            98 Stat.
              Device and Computer          98-             2190
              Fraud and Abuse Act          473
              of 1984 (p. 32)

10/16/1986    Computer Fraud               P.L.            100
              and Abuse Act of             99-             Stat.
              1986                         474             1213

10/21/1986    Electronic                   P.L.            100
              Communications               99-             Stat.
              Privacy Act of 1986          508             1848
              (ECPA) (p. 33)

10/30/1986    Department of                P.L.            100
              Defense                      99-             Stat.
              Appropriations Act,          591             3341-
              1987 (p. 36)                                 82,
                                                           3341-
                                                           122

1/8/1988      Computer Security            P.L.            101
              Act of 1987                  100-            Stat.
                                           235             1724

10/18/1988    Computer Matching            P.L.            102
              and Privacy                  100-            Stat.
              Protection Act of            503             2507
              1988

12/9/1991     High Performance             P.L.            105
              Computing Act of             102-            Stat.
              1991 (p. 36)                 194             1594

10/25/1994    Communications               P.L.            108
              Assistance for Law           103-            Stat.
              Enforcement Act              414             4279
              (CALEA) of 1994 (p.
              38)

5/25/1995     Paperwork                    P.L.            109
              Reduction Act of             104-            Stat.
              1995                         13              163

2/8/1996      Telecommunications           P.L.            110
              Act of 1996                  104-            Stat. 56
                                           104

2/8/1996      Communications               P.L.            110
              Decency Act of 1996          104-            Stat.
              (p. 38)                      104             133
                                           (Title
                                           V)

2/10/1996     Clinger-Cohen Act            P.L.            110
              (Information                 104-            Stat.
              Technology                   106,            642
              Management Reform            (Div.
              Act) of 1996) (p. 39)        D and
                                           E)

8/21/1996     Health Insurance             P.L.            110
              Portability and              104-            Stat.
              Accountability Act           191             1936
              of 1996 (HIPAA)

10/11/1996    Economic Espionage           P.L.            110
              Act of 1996                  104-            Stat.
                                           294             3488

10/30/1998    Identity Theft and           P.L.            112
              Assumption                   105-            Stat.
              Deterrence Act of            318             3007
              1998 (p. 41)

10/5/1999     National Defense             P.L.            113
              Authorization Act            106-            Stat.
              for Fiscal Year 2000         65              512

11/12/1999    Gramm-Leach-Bliley           P.L.            113
              Act of 1999                  106-            Stat.
                                           102             1338
                                           (Title
                                           V)

10/30/2000    Floyd D. Spence              P.L.            114
              National Defense             106-            Stat.
              Authorization Act            398             1654A-
              for Fiscal Year 2001         (Titles         233;
                                           IX &            1654A-
                                           X)              266

10/26/2001    USA PATRIOT Act              P.L.            115
              of 2001                      107-            Stat.
                                           56              272

7/30/2002     Sarbanes-Oxley Act           P.L.            116
              of 2002                      107-            Stat.
                                           204             745

11/25/2002    Homeland Security            P.L.            116
              Act of 2002 (HSA) (p.        107-            Stat.
              41)                          296             2135
                                           (Titles
                                           II and
                                           III)

11/25/2002    Federal Information          P.L.            116
              Security Management          107-            Stat.
              Act of 2002 (FISMA)          296             2259
              (p. 44)                      (Title
                                           X);
                                           P.L.            116
                                           107-            Stat.
                                           347             2946
                                           (Title
                                           III)

11/26/2002    Terrorism Risk               P.L.            116
              Insurance Act of             107-            Stat.
              2002 (p. 47)                 297             2322

11/27/2002    Cyber Security               P.L.            116
              Research and                 107-            Stat.
              Development Act,             305             2367
              2002 (p. 47)

12/17/2002    E-Government Act of          P.L.            116
              2002 (p. 48)                 107-            Stat.
                                           347             2899

12/4/2003     Fair and Accurate            P.L.            117
              Credit Transactions          108-            Stat.
              Act of 2003                  159             1952

12/16/2003    Controlling the              P.L.            117
              Assault of Non-              108-            Stat.
              Solicited                    187             2699
              Pornography and
              Marketing (CAN-
              SPAM) Act of 2003

7/15/2004     Identity Theft Penalty       P.L.            118
              Enhancement Act              108-            Stat.
              2004 (p. 49)                 275             831

12/17/2004    Intelligence Reform          P.L.            118
              and Terrorism                108-            Stat.
              Prevention Act of            458             3638
              2004 (IRPTA) (p. 51)

8/8/2005      Energy Policy Act of         P.L.            119
              2005 (EPACT)                 109-            Stat.
                                           58              594

10/4/2006     Department of                P.L.            120
              Homeland Security            109-            Stat.
              Appropriations Act,          295             1355
              2007

8/5/2007      Protect America              P.L.            121
              Act of 2007                  110-            Stat.
                                           55              552

12/19/2007    Energy                       P.L.            121
              Independence and             110-            Stat.
              Security Act of 2007         140             1492
              (EISA)

7/10/2008     Foreign Intelligence         P.L.            122
              Surveillance Act of          110-            Stat.
              1978 [FISA]                  261             2436
              Amendments Act of
              2008

9/26/2008     Identity Theft               P.L.            122
              Enforcement and              110-            Stat.
              Restitution Act of           326             356
              2008

2/17/2009     Health Information           P.L.            123
              Technology for               111-5           Stat.
              Economic and                 (Title          226
              Clinical Health Act          XIII of
                                           Div. A
                                           and Title
                                           IV of
                                           Div. B)

Year          U.S.C.               Applicability and Notes     CRS Reports

6/18/1878     18 U.S.C.            Restricts the use of        RS20590
              [section] 1385       military forces in
                                   civilian law enforcement
                                   within the United States.
                                   May prevent assistance to
                                   civil agencies that lack
                                   DOD expertise and
                                   capabilities.

7/2/1890      15 U.S.C.            "Antitrust laws"
and later     [section][section]   generally means the three
              1-7; 15 U.S.C.       laws listed in 15 U.S.C.
              [section][section]   [section] 12(a) and
              8-11; 15 U.S.C.      [section] 5 of the FTC
              [section][section]   Act, which forbid
              12-27; 15 U.S.C.     combinations or
              [section] 45(a)      agreements that
                                   unreasonably restrain
                                   trade. May create
                                   barriers to sharing of
                                   information or
                                   collaboration to enhance
                                   cybersecurity among
                                   private sector entities.

3/3/1901      15 U.S.C.            The original act gave the
              [section] 271 et     agency responsibilities
              seq.                 relating to technical
                                   standards. Later
                                   amendments established a
                                   computer standards
                                   program and specified
                                   research topics, among
                                   them computer and
                                   telecommunication
                                   systems, including
                                   information security and
                                   control systems.

8/13/1912                          Established a radio
                                   licensing regime and
                                   regulated private radio
                                   communications, creating
                                   a precedent for wireless
                                   regulation. Repealed by
                                   the Radio Act of 1927.

6/10/1920     16 U.S.C.            Established the Federal     R41886
              [section] 791a et    Energy Regulatory
              seq., [section]      Commission (FERC) and
              824 et seq.          gave it regulatory
                                   authority over interstate
                                   sale and transmission of
                                   electric power. The move
                                   toward a national smart
                                   grid is raising concerns
                                   about vulnerability to
                                   cyber attack.

2/23/1927                          Created the Federal Radio
                                   Commission as an independent
                                   agency (predecessor of the
                                   FCC) and outlawed
                                   interception and divulging
                                   private radio messages.
                                   Repealed by the
                                   Communications Act of 1934
                                   (see p. 26).

6/19/1934     47 U.S.C.            Established the Federal     RL32589
              [section] 151 et     Communications Commission   RL34693
              seq.                 (FCC) and gave it
                                   regulatory authority over
                                   both domestic and
                                   international commercial
                                   wired and wireless
                                   communications. Provides
                                   the President with
                                   emergency powers over
                                   communications stations
                                   and devices. Governs
                                   protection by cable
                                   operators of information
                                   about subscribers.

7/26/1947     50 U.S.C.            Provided the basis for
              [section] 401 et      the modern organization
              seq.                 of U.S. defense and
                                   national security by
                                   reorganizing military and
                                   intelligence functions in
                                   the federal government.
                                   Created the National
                                   Security Council, the
                                   Central Intelligence
                                   Agency, and the position
                                   of Secretary of Defense.
                                   Established procedures
                                   for access to classified
                                   information.

l/27/1948     22 U.S.C.            Restricts the State         R41674
              [section] 1431 et    Department from
              seq.                 disseminating public
                                   diplomacy information
                                   domestically and limits
                                   its authority to
                                   communicate with the
                                   American public in
                                   general. Has been
                                   interpreted by some to
                                   prohibit the military
                                   from conducting
                                   cyberspace information
                                   operations, some of which
                                   could be considered
                                   propaganda that could
                                   reach U.S. citizens,
                                   since the government does
                                   not restrict Internet
                                   access according to
                                   territorial boundaries.

9/8/1950      50 U.S.C.            Codifies a robust legal     RS20587
              App. [section] 2061   authority given the         RL31133
              et seq.              President to force
                                   industry to give priority
                                   to national security
                                   production and ensure the
                                   survival of
                                   security-critical
                                   domestic production
                                   capacities. It is also
                                   the statutory
                                   underpinning of
                                   governmental review of
                                   foreign investment in
                                   U.S. companies.

8/1/1956      22 U.S.C.            Specifies the               R40989
              [section] 2651a      organization of the
                                   Department of State,
                                   including the positions
                                   of coordinator for
                                   counterterrorism. As the
                                   Internet becomes
                                   increasingly
                                   international, concerns
                                   have been raised about
                                   the development and
                                   coordination of
                                   international efforts in
                                   cybersecurity by the
                                   United States.

10/30/1965                         Gave GSA authority over
                                   acquisition of automatic
                                   data processing equipment
                                   by federal agencies, and
                                   gave NIST
                                   responsibilities for
                                   developing standards and
                                   guidelines relating to
                                   automatic data processing
                                   and federal computer
                                   systems. Repealed by the
                                   Clinger-Cohen Act of 1996
                                   (see p. 39).

7/4/1966      5 U.S.C.             Enables anyone to access    R41406
              [section] 552        agency records except       R41933
                                   those falling into nine
                                   categories of exemption,
                                   among them classified
                                   documents, those exempted
                                   by specific statutes, and
                                   trade secrets or other
                                   confidential commercial
                                   or financial information.

6/19/1968     42 U.S.C.            Title I established
              Chapter 46,          federal grant programs
              [section][section]   and other forms of
              3701 to 3797ee-1     assistance to state and
                                   local law enforcement.

                                   Title III is a
                                   comprehensive wiretapping
                                   and electronic
                                   eavesdropping statute
                                   that not only outlawed
                                   both activities in
                                   general terms but that
                                   also permitted federal
                                   and state law enforcement
                                   officers to use them
                                   under strict limitations.

10/15/1970    18 U.S.C.            Enlarges the civil and      96-950
              Chapter 96,          criminal consequences of
              [section][section]   a list of state and
              1961-1968            federal crimes when
                                   committed in a way
                                   characteristic of the
                                   conduct of organized
                                   crime (racketeering).

10/6/1972     5 U.S.C.             Specifies conditions for    R40520
              App., [section]      establishing a federal
              [section] 1-16       advisory committee and
                                   its responsibilities and
                                   limitations. Requires
                                   open, public meetings and
                                   that records be available
                                   for public inspection.
                                   Has been criticized as
                                   potentially impeding the
                                   development of
                                   public/private
                                   partnerships in
                                   cybersecurity,
                                   particularly
                                   private-sector
                                   communications and input
                                   on policy.

11/7/1973     50 U.S.C.            Establishes procedures to   R41199
              Chapter 33,          circumscribe presidential   R41989
              [section][section]   authority to use armed
              1541-1548.           forces in potential or
                                   actual hostilities
                                   without congressional
                                   authorization.

12/31/1974    5 U.S.C.             Limits the disclosure of
              [section] 552 (a)    personally identifiable
                                   information (PII) held by
                                   federal agencies.
                                   Established a code of
                                   fair information
                                   practices for collection,
                                   management, and
                                   dissemination of records
                                   by agencies, including
                                   requirements for security
                                   and confidentiality of
                                   records.

10/25/1978    18 U.S.C.            In foreign intelligence     98-326
              [section][section]   investigations, provides    R40138
              2511, 2518-9,        a statutory framework for
              50 U.S.C.            federal agencies to
              Chapter 36,          obtain authorization to
              [section][section]   conduct electronic
              1801-1885c           surveillance, utilize pen
                                   registers and trap and
                                   trace devices, or access
                                   specified records.

10/13/1980    42 U.S.C.            Protects journalists from
              Chapter              being required to turn
              21A,                 over to law enforcement
              [section][section]   any work product and
              2000aa-5 to          documentary materials,
              2000aa-12            including sources, before
                                   dissemination to the
                                   public.

10/12/1984    18 U.S.C.            Provided criminal           97-1025
              [section] 1030       penalties for
                                   unauthorized access and
                                   use of computers and
                                   networks. Part of the
                                   Comprehensive Crime
                                   Control Act of 1984.

10/16/1986    18 U.S.C.            Expanded the scope of the
              [section] 1030       Counterfeit Access Device
                                   and Computer Fraud and
                                   Abuse Act of 1984. For
                                   government computers,
                                   criminalized electronic
                                   trespassing, exceeding
                                   authorized access, and
                                   destroying information;
                                   also criminalized
                                   trafficking in stolen
                                   computer passwords.
                                   Created a statutory
                                   exemption for
                                   intelligence and law
                                   enforcement activities.

10/21/1986    18 U.S.C.            Attempts to strike a        R41733
              [section][section]   balance between privacy     R41756
              2510-2522,           rights and the needs of     RL34693
              2701-2712,           law enforcement with
              3121-3126            respect to data shared or
                                   stored by electronic and
                                   telecommunications
                                   services. Unless
                                   otherwise provided,
                                   prohibits the
                                   interception of or access
                                   to stored oral or
                                   electronic
                                   communications, use or
                                   disclosure of information
                                   so obtained, or
                                   possession of electronic
                                   eavesdropping equipment.

10/30/1986    10 U.S.C.            Established unified
              [section] 167        combatant command for
                                   special operations
                                   forces, including the
                                   U.S. Strategic Command,
                                   under which the U.S.
                                   Cyber Command was
                                   organized.

1/8/1988      15 U.S.C.            Required NIST to develop
              [section][section]   and the Secretary of
              272, 278g-3,         Commerce to promulgate
              278g-4,              security standards and
              278h                 guidelines for federal
                                   computer systems except
                                   national security
                                   systems. Also required
                                   agency planning and
                                   training in computer
                                   security (this provision
                                   was superseded by
                                   FISMA--see p. 44).

10/18/1988    5 U.S.C.             Amended the Privacy Act
              [section] 552a       (see p. 32), establishing
                                   procedural safeguards for
                                   use of computer matching
                                   on records covered by the
                                   act.

12/9/1991     15 U.S.C.            Established a federal       RL33586
              Chapter 81           high-performance
                                   computing program and
                                   requires that it address
                                   security needs and
                                   provide for interagency
                                   coordination.

10/25/1994    47 U.S.C.            Requires                    RL30677
              [section] 1001 et    telecommunications
              seq.                 carriers to assist law
                                   enforcement in performing
                                   electronic surveillance
                                   and directs the
                                   telecommunications
                                   industry to design,
                                   develop, and deploy
                                   solutions that meet
                                   requirements for carriers
                                   to support authorized
                                   electronic surveillance.

5/25/1995     44 U.S.C.            Gave the Office of
              Chapter 35,          Management and Budget
              [section][section]   (OMB) authority to
              3501-3549            develop
                                   information-resource
                                   management policies and
                                   standards, required
                                   consultation with NIST
                                   and GSA on information
                                   technology (IT), and
                                   required agencies to
                                   implement processes
                                   relating to information
                                   security and privacy.

2/8/1996      See 47               Overhauled
              U.S.C. [section]     telecommunications law,
              609 nt. for          including significant
              affected             deregulation of U.S.
              provisions.          telecommunications
                                   markets, eliminating
                                   regulatory barriers to
                                   competition.

2/8/1996      See 47               Intended to regulate        R41499
              U.S.C.               indecency and obscenity
              [section][section]   on telecommunications
              223, 230             systems, including the
                                   Internet. Has been
                                   interpreted to absolve
                                   Internet service
                                   providers and certain
                                   web-based services of
                                   responsibility for
                                   third-party content
                                   residing on those
                                   networks or websites.

2/10/1996     40 U.S.C.            Required agencies to
              [section] 11001 et   ensure adequacy of
              seq.                 information-security
                                   policies, OMB to oversee
                                   major IT acquisitions,
                                   and the Secretary of
                                   Commerce to promulgate
                                   compulsory federal
                                   computer standards based
                                   on those developed by
                                   NIST. Exempted national
                                   security systems from
                                   most provisions.

8/21/1996     42 U.S.C.            Required the Secretary of   RL34120
              [section] 1320d et   Health and Human Services
              seq.                 to establish security
                                   standards and regulations
                                   for protecting the
                                   privacy of individually
                                   identifiable health
                                   information, and required
                                   covered health-care
                                   entities to protect the
                                   security of such
                                   information.

10/11/1996    18 U.S.C.            Outlaws theft of trade
              [section] 1030,      secret information,
              Chapter 90,          including electronically
              [section][section]   stored information, if
              1831-1839            "reasonable measures"
                                   have been taken to keep
                                   it secret. Also contains
                                   the National Information
                                   Infrastructure Protection
                                   Act of 1996, amending 18
                                   U.S.C. [section] 1030 (see
                                   the Counterfeit Access
                                   Device and Computer Fraud
                                   and Abuse Act of 1984, p.
                                   32), broadening
                                   prohibited activities
                                   relating to unauthorized
                                   access to computers.

10/30/1998    18 U.S.C.            Made identity theft a       R40599
              [section] 1028       federal crime, provides
                                   penalties, and directed
                                   the FTC to record and
                                   refer complaints.

10/5/1999     10 U.S.C.            Established the Defense
              [section] 2224       Information Assurance
                                   Program and required
                                   development of a testbed
                                   and coordination with
                                   other federal agencies.

11/12/1999    15 U.S.C.            Requires financial          RL34120
              Chapter 94,          institutions to protect     RS20185
              [section][section]   the security and
              6801-6827            confidentiality of
                                   customers' personal
                                   information; authorized
                                   regulations for that
                                   purpose.

10/30/2000    10 U.S.C.            Established the DOD
              Chapter              information assurance
              112,                 scholarship program; set
              [section][section]   cybersecurity
              2200-2200f           requirements for federal
                                   systems superseded by
                                   FISMA in 2002.

10/26/2001    see 18               Authorized various law-     R40980
              U.S.C. [section] 1   enforcement activities
              nt. and              relating to computer
              classification       fraud and abuse.
              tables.a

7/30/2002     15 U.S.C.            Requires annual reporting
              [section] 7262       on internal financial
                                   controls of covered firms
                                   to the Securities and
                                   Exchange Commission
                                   (SEC). Such controls
                                   typically include
                                   information security.

11/25/2002    6 U.S.C.             Created the Department of
              [section][section]   Homeland Security (DHS)
              121-195c, 441-444,   and gave it functions
              and 481-486          relating to the
                                   protection of information
                                   infrastructure, including
                                   providing state and local
                                   governments and private
                                   entities with threat and
                                   vulnerability
                                   information,
                                   crisis-management
                                   support, and technical
                                   assistance. Strengthened
                                   some criminal penalties
                                   relating to cybercrime.

11/25/2002    44 U.S.C.            Created a cybersecurity
              Chapter 35,          framework for federal
              Subchapters          information systems, with
              II and III,          an emphasis on risk
              40 U.S.C.            management, and required
              11331,               implementation of
              15 U.S.C.            agency-wide information
              278g-3 & 4           security programs. Gave
                                   oversight responsibility
                                   to OMB, revised the
                                   responsibilities of the
                                   Secretary of Commerce and
                                   NIST for
                                   information-system
                                   standards, and
                                   transferred
                                   responsibility for
                                   promulgation of those
                                   standards from the
                                   Secretary of Commerce to
                                   OMB.

11/26/2002    15 U.S.C.            Provides federal
              [section] 6701 nt.   cost-sharing subsidies
                                   for insured losses
                                   resulting from acts of
                                   terrorism.

11/27/2002    15 U.S.C.            Requires the National
              [section][section]   Science Foundation (NSF)
              278g, h, 7401 et     to award grants for basic
              seq.                 research and education to
                                   enhance computer
                                   security. Required NIST
                                   to establish
                                   cybersecurity research
                                   programs.

12/17/2002    5 U.S.C.             Serves as the primary
              Chapter 37,          legislative vehicle to
              44 U.S.C.            guide federal IT
              [section] 3501       management and
              nt., Chapter 35,     initiatives to make
              Subchapter           information and services
              2, and               available online.
              Chapter 36           Established the Office of
                                   Electronic Government
                                   within OMB, the Chief
                                   Information Officers
                                   (CIO) Council, and a
                                   government/private-sector
                                   personnel exchange
                                   program; includes FISMA;
                                   established and contains
                                   various other
                                   requirements for security
                                   and protection of
                                   confidential information.

12/4/2003     See 15               Required the FTC and        RS20185
              U.S.C.               other agencies to develop
              [section] 1601 nt.   guidelines for identity
              for affected         theft prevention programs
              provisions.          in financial
                                   institutions, including
                                   "red flags" indicating
                                   possible identity theft.

12/16/2003    15 U.S.C.            Imposed regulations on
              Chapter              the transmission of
              103,                 unsolicited commercial
              [section][section]   email, including
              7701-7713, 18        prohibitions against
              U.S.C. 1037          predatory and abusive
                                   email, and false or
                                   misleading transmission
                                   of information.

7/15/2004     18 U.S.C.            Established penalties for   R40599
              [section][section]   aggravated identity
              1028, 1028A          theft.

12/17/2004    42 U.S.C.            Created the position of
              [section] 2000ee,    Director of National
              50 U.S.C.            Intelligence (DNI).
              [section] 403-1 et   Established mission
              seq., [section]      responsibilities for some
              403-3 et seq.,       entities in the
              [section] 4040 et    intelligence, homeland
              seq.                 security, and national
                                   security communities, and
                                   established a Privacy and
                                   Civil Liberties Board
                                   within the Executive
                                   Office of the President.

8/8/2005      16 U.S.C.            Requires FERC to certify    R41886
              8240                 an Electric Reliability
                                   Organization (ERO) to
                                   establish and enforce
                                   reliability standards for
                                   bulk electric-power
                                   system facilities.

10/4/2006     6 U.S.C.             [section] 550 required the
              [section] 121 nt.    Secretary of Homeland
                                   Security to issue
                                   regulations (6 C.F.R.
                                   Part 27) establishing
                                   risk-based performance
                                   standards for security of
                                   chemical facilities;
                                   regulations include
                                   cybersecurity standards
                                   requirement (6 C.F.R.
                                   [section] 27.230(a)(8)).

8/5/2007      50 U.S.C.            Provided authority for
              [section] 1801 nt.   the Attorney General and
                                   the DNI to gather foreign
                                   intelligence information
                                   on persons believed to be
                                   overseas. The act expired
                                   in 2008.

12/19/2007    42 U.S.C.            Gave NIST primary           R41886
              [section][section]   responsibility for
              17381-17385          developing
                                   interoperability
                                   standards for the
                                   electric-power "smart
                                   grid."

7/10/2008     See 50               Added additional            98-326
              U.S.C.               procedures to FISA (see
              [section] 1801 nt.   p. 55) for acquisition of
              for affected         communications of persons
              provisions.          outside the United
                                   States.

9/26/2008     18 U.S.C.            Authorized restitution to   R40599
              [section] 1030       identity theft victims      97-1025
                                   and modified some of the
                                   activities and penalties
                                   covered by 18 U.S.C.
                                   1030.

2/17/2009     42 U.S.C.            Expanded privacy and        R40546
              [section] 17901 et   security requirements for
              seq.                 protected health
                                   information by broadening
                                   HIPAA breach disclosure
                                   notification and privacy
                                   requirements to include
                                   business associates of
                                   covered entities.

Source: Various sources (see text), including National Research
Council, Toward a Safer and More Secure Cyberspace (Washington, DC:
National Academy Press, 2007); The White House, Cyberspace Policy
Review, May 29, 2009,
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf;
and CRS.

Note: Prepared by Rita Tehan, Information Research Specialist
(rtehan@crs.loc.gov, 7-6739) and Eric A. Fischer. Laws in italics are
discussed in the text.

(a.) Office of the Law Revision Counsel, "United States Code Table of
Classifications for Public Laws, 107th Congress, 1st Session
(Covering Public Laws 107-1 through 107-136),"
http://uscode.house.gov/classification/tbl107pl_1st.htm.
COPYRIGHT 2013 Congressional Research Service (CRS) Reports and Issue Briefs
Author:Fischer, Eric A.
Publication:Congressional Research Service (CRS) Reports and Issue Briefs
Date:Jun 1, 2013