Cyber Judo
Cyber Judo
🏛️

The History and Current State of Cyber Legislation Within the United States of America

Legal History of The Right to Privacy

  • Since the beginning of our national history, we, as Americans, have sought the safeguarding of our personal liberties and protection from unjust government encroachment in the private sphere
  • The development of the right to privacy in the United States is relatively new, legally speaking.
  • It was first articulated in 1890 by Samuel Warren and Louis Brandeis in the Harvard Law Review article titled “The Right to Privacy”, which articulates that the right to privacy is an extension of a more fundamental right to freedom of expression
  • The right to privacy was first found in case law in Olmstead v. United States (1928) when federal agents wiretapped a suspected bootlegger without a warrant. Is this a violation of the Fourth and Fifth Amendment rights against illegal search and seizure?
The makers of our Constitution… sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the Government, the right to be let alone -- the most comprehensive of rights, and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the Government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.

  • In Lawrence v. Texas (2003), the right to privacy expanded beyond the physical boundaries of a home
Liberty protects the person from unwarranted government intrusions into a dwelling or other private places. In our tradition the State is not omnipresent in the home. And there are other spheres of our lives and existence, outside the home where the State should not be a dominant presence. Freedom extends beyond spatial bounds. Liberty presumes an autonomy of self that includes freedom of thought, belief, expression, and certain intimate conduct…. The petitioners are entitled to respect for their private lives… Their right to liberty under the Due Process Clause gives them the full right to engage in their conduct without intervention of the government.

Source: Brandeis and Warren, "The Right to Privacy" (1890) (harvard.edu)

Legal Foundations of Government Surveillance

  • The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 to establish procedures for requesting and obtaining intelligence information in a manner that protects the privacy of individuals.
  • FISA created the Foreign Intelligence Surveillance Court (FISC), which is responsible for reviewing and approving requests for surveillance warrants.
  • The USA PATRIOT Act was enacted in 2001 in response to the 9/11 attacks and expanded the federal government's surveillance powers.
  • The USA PATRIOT Act allowed for the collection of information related to national security investigations without a warrant.
  • In 2015, the USA PATRIOT Act was amended by the USA FREEDOM Act, which limits the government's ability to collect and retain certain types of information.

Source: National Security Agency/Central Security Service > Signals Intelligence > FISA (nsa.gov)

PLAW-107publ56.pdf (congress.gov)

The Checks and Balances Between Government Surveillance and Individuals’ Right to Privacy

  • The USA FREEDOM Act act required greater transparency and accountability in government surveillance programs. Specifically, it required the publication of reports on the number of individuals targeted for surveillance and the impact on privacy and civil liberties.
  • The USA FREEDOM Act prohibited the bulk collection of phone records by the National Security Agency (NSA). Instead, it required the agency to obtain a court order to access phone records from telecommunications companies.
  • The act also created a panel of experts to provide input on privacy and civil liberties concerns related to government surveillance. This panel, known as the Privacy and Civil Liberties Oversight Board (PCLOB), was given the authority to review government surveillance programs and make recommendations for improvements.
  • The USA FREEDOM Act was a response to the disclosures made by Edward Snowden regarding the NSA's surveillance programs. It was intended to balance the need for national security with protecting individual privacy and civil liberties.

Source: INTEL - FACT SHEET: Implementation of the USA FREEDOM Act of 2015 (intelligence.gov)

Congress passes NSA surveillance reform in vindication for Snowden | NSA | The Guardian

Early Legislation - CFAA

  • The earliest federal cyber legislation was the Computer Fraud and Abuse Act (CFAA) of 1986
  • The CFAA imposes both civil and criminal penalties for violations
  • The CFAA has been amended several times since its enactment to address new forms of cybercrime and to increase penalties for violations
  • In 1994, the CFAA was amended to include punishment for the transmission of viruses, worms, and other malicious software
  • In 1996, the CFAA was amended to include punishment for online harassment and stalking
  • In 2001, the CFAA was amended to include punishment for cyberterrorism
  • In 2008, the CFAA was amended to include punishment for trafficking in passwords and hacking tools
  • In 2013, the CFAA was amended to include punishment for conspiracy to commit cybercrime
  • In 2020, the CFAA was amended to increase penalties for computer crimes and to clarify the definition of "exceeding authorized access"

Sources: Computer Fraud and Abuse Act - Wikipedia

474.pdf (house.gov)

FISMA

  • The Federal Information Security Management Act (FISMA) of 2002 established a framework for protecting government information, operations, and assets against natural and man-made threats.
  • FISMA requires federal agencies to develop and implement risk-based information security programs to protect their information systems and data.
  • FISMA also requires federal agencies to conduct annual security assessments and report the results to the Office of Management and Budget (OMB).
  • The National Institute of Standards and Technology (NIST) provides guidelines and standards for implementing FISMA requirements.

Source: Federal Information Security Modernization Act | CISA

Protection of Critical Infrastructure

  • The Homeland Security Act (HSA) of 2002 created the Department of Homeland Security (DHS), which is responsible for protecting the United States from domestic and foreign threats, including cyber threats to critical infrastructure.
  • The DHS works with other federal agencies, state and local governments, and private sector partners to identify and mitigate cyber risks to critical infrastructure.
  • The HSA established the National Cybersecurity and Communications Integration Center (NCCIC), now known as CISA, which is responsible for coordinating the federal government's response to major cyber incidents affecting critical infrastructure.

Source: Homeland Security Act of 2002 | Homeland Security (dhs.gov)

The Cybersecurity Enhancement Act of 2014

  • The Cybersecurity Enhancement Act of 2014 is a law designed to strengthen cybersecurity research and development, workforce training, and public awareness and education.
  • The act established a National Cybersecurity Center of Excellence within the National Institute of Standards and Technology (NIST) to develop best practices and standards for cybersecurity.
  • The act also established a scholarship program to encourage students to pursue degrees in cybersecurity-related fields.
  • The act required federal agencies to conduct regular cybersecurity risk assessments and to report on their efforts to implement cybersecurity best practices.
  • The act also required the federal government to develop a cybersecurity workforce strategy to ensure that the government has the necessary personnel to address cybersecurity threats.

Source: Text of S. 1353 (113th): Cybersecurity Enhancement Act of 2014 (Passed Congress version) - GovTrack.us

The Cybersecurity Information Sharing Act

  • The Cybersecurity Information Sharing Act of 2015 (CISA) was enacted to encourage the voluntary sharing of cyber threat information between private entities and the federal government.
  • CISA provides liability protections for private entities that share cyber threat information with the federal government.
  • CISA also requires the federal government to develop procedures to protect the privacy and civil liberties of individuals whose information is shared.
  • Critics have raised concerns that CISA may lead to increased government surveillance and may not adequately protect individual privacy and civil liberties.

Source: Cybersecurity Information Sharing Act of 2015 (cisa.gov)

Recent Legislation

  • The State and Local Government Cybersecurity Act of 2021 was introduced in the United States Senate in March 2021.
  • The Federal Rotational Cyber Workforce Program Act was introduced in the United States Senate in March 2021.
  • The purpose of the act is to establish a program to develop and train federal employees in cybersecurity.
  • The act would require the establishment of a steering committee to oversee the program and to develop guidelines for the selection and training of participants.

Source: U.S. Passes New Cybersecurity Laws in June 2022 | EC-Council (eccouncil.org)

Key Measures of Effective Cyber Legislation

  • Addresses the most recent issues related to cybersecurity
  • Balances the need for security and intelligence with individual privacy and civil liberties
  • Provides clear, informed guidelines for individuals and organizations to follow
  • Establishes consequences for non-compliance
  • Provides appropriate funding for implementation and enforcement
  • Encourages collaboration between government and private sector entities
  • Addresses both proactive and reactive measures for cybersecurity
  • Provides transparency and accountability in government surveillance programs