Cybersecurity Legislation *

Cybersecurity, a broad and arguably somewhat fuzzy concept for which there is no consensus definition, might best be described as measures intended to protect information systems—including technology (e.g., devices, networks, and software), information, and associated personnel—from various forms of attack. The protection of information sent through cyberspace has implications for personal privacy, business, and national security. In addition, law enforcement and national security agencies need to be able to effectively utilize cyber capabilities in order to gather evidence, identify and surveil potential threats, and take appropriate enforcement action. Ever since the earliest days of the telegraph and telephone communication, the U.S. Congress and state legislatures have sought to balance the competing interests of security and privacy.

The issue of legislating cybersecurity has proven to be a difficult area for actual improvement. This is in part due to the rapid change in technology, in part due to increasing polarization within the U.S. Congress, and in part due to competing fears: of wrongful use of cyberspace by criminal and terrorist elements on the one hand, and of the scope of government surveillance efforts made public through disclosures by Edward Snowden, WikiLeaks founder Julian Assange, and others on the other. As of December 2016, the cybersecurity legislation that exists in the United States is generally considered outdated, while efforts to reform these laws or enact new ones remain unsuccessful.

Several enacted statutes address various aspects of cybersecurity. Some notable provisions are in the following acts:

A number of cybersecurity-related bills were introduced in the 111th, 112th, 113th, and 114th Congresses, but few passed. Those that did tended to focus on education, workforce development, and other related aspects of the discipline, as opposed to laws regarding cybersecurity measures and authorities specifically. The early months of the 115th Congress did not include any cybersecurity proposals.

One of the most significant pieces of proposed legislation debated was the Cyber Intelligence Sharing and Protection Act (CISPA), a bill introduced and debated in 2012 and 2013 but never passed, which was intended to amend the National Security Act of 1947 in order to add provisions concerning cyber threat intelligence and information sharing.

CISPA was introduced and passed in the House of Representatives in 2012, but it was not passed by the Senate, in large part because the Obama administration believed that the bill lacked adequate confidentiality and civil liberties safeguards and that the president would veto the bill. In February 2013, the bill was reintroduced and again passed in the House but stalled and was not voted on by the Senate.

On July 10, 2014, a similar bill, the Cybersecurity Information Sharing Act of 2014 (CISA), was introduced in the Senate. Although CISA was regarded by many as having addressed the flaws perceived in CISPA, it was opposed by civil liberties advocacy groups and was not voted on by either the House or Senate in 2014.

During 2013 and 2014, cybersecurity-related legislation was prompted by the disclosures by government contractor Edward Snowden of widespread National Security Agency and other intelligence community surveillance. The USA FREEDOM Act would have amended the Foreign Intelligence Surveillance Act of 1978 (FISA) in a number of ways intended to promote protection of privacy and greater transparency of the intelligence surveillance programs of the federal government. As with both CISPA and CISA, however, these efforts generated significant public discussion but failed to pass the Congress.

In the waning days of the 113th Congress, Congress approved a package of four cybersecurity bills after a series of votes in the House and Senate, which was thought to increase the likelihood that some cybersecurity-related legislation could be enacted by the end of the year. None of the bills addressed any of the larger, more contentious cybersecurity issues, such as immunity for private companies that share cybersecurity threat information with the federal government. Instead, the bills focused on narrower cybersecurity issues and the structures and procedures of the federal agencies that oversee cybersecurity.

However, none of these pieces of legislation was ultimately enacted into law. It remains uncertain whether the future political climate will allow Congress and the president to enact any meaningful cybersecurity legislation, despite almost universal agreement that reforms are needed both to improve security and protect civil liberties.

Another piece of cybersecurity legislation that was successfully enacted was the Cybersecurity Act of 2015, which was signed into law by President Barack Obama on December 18, 2015. This legislation aims to help government and businesses better defend against cyberattacks by creating a framework for the voluntary sharing of cyber threat information between private entities and the federal government, as well as improving the sharing of cyber threat information within agencies of the federal government. It also provides for immunity from lawsuits for businesses that share cybersecurity information with the government.

While this legislation was hailed by many in the national security and law enforcement community as an important measure to improve cybersecurity and enhance effective and legitimate surveillance efforts, the measure was criticized by many in the civil liberties community as further encroachment on the privacy rights of individuals.

R. James Orr

See also Information Security; Law and Digital Technology; National Security

* The views expressed in this entry are those of the author and are not an official policy or position of the National Defense University, the Department of Defense or the U.S. Government.