The federal government's role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information among private sector and government entities. This report also discusses the degree to which federal law may preempt state law.

The federal government's role in protecting U.S. citizens and critical infrastructure from cyberattacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information among private sector and government entities. This report also discusses the degree to which federal law may preempt state law. It has been argued that, in order to ensure the continuity of critical infrastructure and the larger economy, a regulatory framework for selected critical infrastructure should be created to require a minimum level of security from cyber threats. On the other hand, others have argued that such regulatory schemes would not improve cybersecurity while increasing the costs to businesses, expose businesses to additional liability if they fail to meet the imposed cybersecurity standards, and increase the risk that proprietary or confidential business information may be inappropriately disclosed. In order to protect federal information networks, the Department of Homeland Security (DHS), in conjunction with the National Security Agency (NSA), uses a network intrusion system that monitors all federal agency networks for potential attacks. Known as EINSTEIN, this system raises significant privacy implications-a concern acknowledged by DHS, interest groups, academia, and the general public. DHS has developed a set of procedures to address these concerns such as minimization of information collection, training and accountability requirements, and retention rules. Notwithstanding these steps, there are concerns that the program may implicate privacy interests protected under the Fourth Amendment. Although many have argued that there is a need for federal and state governments, and owners and operators of the nation's critical infrastructures, to share information on cyber vulnerabilities and threats, obstacles to information sharing may exist in current laws protecting electronic communications or in antitrust law. Private entities that share information may also be concerned that sharing or receiving such information may lead to increased civil liability, or that shared information may contain proprietary or confidential business information that may be used by competitors or government regulators for unauthorized purposes. Several bills in the 112th Congress would seek to improve the nation's cybersecurity, and may raise some or all of the legal issues mentioned above. For example, H.R. 3523 (Rogers (Mich.)-Ruppersberger) addresses information sharing between the intelligence community and the private sector. H.R. 3674 (Lungren) includes provisions regarding the protection of critical infrastructure, as well as information sharing. H.R. 4257 (Issa-Cummings) would require all federal agencies to continuously monitor their computer networks for malicious activity and would impose additional cybersecurity requirements on all federal agencies. S. 2102 (Feinstein) seeks to facilitate information sharing. S. 2105 (Lieberman) includes the information sharing provisions of S. 2102, as well as provisions relating to the protection of critical infrastructure and federal government networks. S. 2151 (McCain) and H.R. 4263 (Bono-Mack) also addresses information sharing among the private sector and between the private sector and the government. Many of these bills also include provisions specifically addressing the preemption of state laws.

This report provides an overview of the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA). ECPA consists of three parts. The first, often referred to as Title III, outlaws wiretapping and electronic eavesdropping, except as otherwise provided. The second, the Stored Communications Act, governs the privacy of, and government access to, the content of electronic communications and to related records. The third outlaws the use and installation of pen registers and of trap and trace devices, unless judicially approved for law enforcement or intelligence gathering purposes. FISA consists of seven parts. The first, reminiscent of Title III, authorizes electronic surveillance in foreign intelligence investigations. The second authorizes physical searches in foreign intelligence cases. The third permits the use and installation of pen registers and trap and trace devices in the context of a foreign intelligence investigation. The fourth affords intelligence officials access to business records and other tangible items. The fifth directs the Attorney General to report to Congress on the specifics of the exercise of FISA authority. The sixth, scheduled to expire on December 30, 2012, permits the acquisition of the communications of targeted overseas individuals and entities. The seventh creates a safe harbor from civil liability for those who assist or have assisted in the collection of information relating to the activities of foreign powers and their agents.