The federal government's role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information among private sector and government entities. This report also discusses the degree to which federal law may preempt state law.

Legislative oversight is most commonly conducted through congressional budget, authorization, appropriations, confirmation, and investigative processes, and, in rare instances, through impeachment. But the adversarial, often confrontational, and sometimes high profile nature of congressional investigations sets it apart from the more routine, accommodative facets of the oversight process experienced in authorization, appropriations, or confirmation exercises. While all aspects of legislative oversight share the common goals of informing Congress so as to best accomplish its tasks of developing legislation, monitoring the implementation of public policy, and disclosing to the public how its government is performing, the inquisitorial process also sustains and vindicates Congress's role in our constitutional scheme of separated powers and checks and balances. The rich history of congressional investigations from the failed St. Clair expedition in 1792 through Teapot Dome, Watergate, Iran-Contra, Whitewater, and the current ongoing inquiries into Operation Fast and Furious, has established, in law and practice, the nature and contours of congressional prerogatives necessary to maintain the integrity of the legislative role in that constitutional scheme. A review of the historical experience pertinent to congressional access to information regarding the law enforcement activities of the Department of Justice indicates that the vast majority of requests for materials are resolved through political negotiation and accommodation, without the need for judicial resolution. Absent an executive privilege claim or a statute barring disclosure there appears to be no court precedent imposing a threshold burden on committees to demonstrate a "substantial reason to believe wrongdoing occurred" in order to obtain information. Instead, an inquiring committee need only show that the information sought is within the broad subject matter of its authorized jurisdiction, is in aid of a legitimate legislative function, and is pertinent to the area of concern. In the last 85 years, Congress has consistently sought and obtained access to information concerning prosecutorial misconduct by Department of Justice officials in closed cases; and access to pre-decisional deliberative prosecutorial memoranda-while often resisted by the Department-is usually released upon committee insistence as well. In contrast, the Department rarely releases-and committees rarely subpoena-material relevant to open criminal investigations. Typically, disputes are resolved without recourse to an executive privilege claim. Instead, negotiations produce various compromises: narrowing informational requests, delaying the release of information that could have prejudicial consequences on prosecutions, or redacting sensitive materials. However, when Presidents do claim executive privilege, courts have been reluctant to resolve the dispute. Indeed, litigation over the scope of executive privilege in direct relation to congressional oversight and investigations has been quite limited. In total, there have been four cases dealing with executive privilege in the context of information access disputes between Congress and the executive, and two of those resulted in decisions on the merits. The Supreme Court has never addressed executive privilege in the face of a congressional demand for information.

The federal government's role in protecting U.S. citizens and critical infrastructure from cyberattacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information among private sector and government entities. This report also discusses the degree to which federal law may preempt state law. It has been argued that, in order to ensure the continuity of critical infrastructure and the larger economy, a regulatory framework for selected critical infrastructure should be created to require a minimum level of security from cyber threats. On the other hand, others have argued that such regulatory schemes would not improve cybersecurity while increasing the costs to businesses, expose businesses to additional liability if they fail to meet the imposed cybersecurity standards, and increase the risk that proprietary or confidential business information may be inappropriately disclosed. In order to protect federal information networks, the Department of Homeland Security (DHS), in conjunction with the National Security Agency (NSA), uses a network intrusion system that monitors all federal agency networks for potential attacks. Known as EINSTEIN, this system raises significant privacy implications-a concern acknowledged by DHS, interest groups, academia, and the general public. DHS has developed a set of procedures to address these concerns such as minimization of information collection, training and accountability requirements, and retention rules. Notwithstanding these steps, there are concerns that the program may implicate privacy interests protected under the Fourth Amendment. Although many have argued that there is a need for federal and state governments, and owners and operators of the nation's critical infrastructures, to share information on cyber vulnerabilities and threats, obstacles to information sharing may exist in current laws protecting electronic communications or in antitrust law. Private entities that share information may also be concerned that sharing or receiving such information may lead to increased civil liability, or that shared information may contain proprietary or confidential business information that may be used by competitors or government regulators for unauthorized purposes. Several bills in the 112th Congress would seek to improve the nation's cybersecurity, and may raise some or all of the legal issues mentioned above. For example, H.R. 3523 (Rogers (Mich.)-Ruppersberger) addresses information sharing between the intelligence community and the private sector. H.R. 3674 (Lungren) includes provisions regarding the protection of critical infrastructure, as well as information sharing. H.R. 4257 (Issa-Cummings) would require all federal agencies to continuously monitor their computer networks for malicious activity and would impose additional cybersecurity requirements on all federal agencies. S. 2102 (Feinstein) seeks to facilitate information sharing. S. 2105 (Lieberman) includes the information sharing provisions of S. 2102, as well as provisions relating to the protection of critical infrastructure and federal government networks. S. 2151 (McCain) and H.R. 4263 (Bono-Mack) also addresses information sharing among the private sector and between the private sector and the government. Many of these bills also include provisions specifically addressing the preemption of state laws.