
Justice, NSC lead review of cyber laws

November 18, 2009 - 5:13am

WFED's Jason Miller
An interagency working group is trying to decide whether the administration should submit a proposal to Congress to update several laws. The White House's cyberspace review recommended legislative updates to address shortcomings in the current statutes. Justice also reviewed the Einstein 3 program even as DHS still is testing it.

By Jason Miller
Executive Editor
FederalNewsRadio

The Justice Department and the National Security Council are leading a review of all laws that apply or could apply to cyberspace.

James Baker, associate deputy attorney general, tells the Senate Judiciary Subcommittee on Terrorism and Homeland Security Tuesday that the current legal structure is not adequate to investigate and prosecute cyber criminals.

"This is a complex set of legal authorities that governs in this area," Baker says. "The Constitution, federal statues, state law, foreign law and international law all have an impact in this area. The legal regime currently enables law enforcement and intelligence officials to obtain authorizations to obtain vital information through electronic surveillance and other collection means. However the evolution of technology, of our dependence on technology and our adversaries' exploitation of vulnerabilities in that technology raises question of whether are statutes are adequate to address the cyber threats of today and at the same time protect privacy and civil liberties."

Baker adds the administration is looking to collaborate with Congress on updates of many of these statutes.

Senator Sheldon Whitehouse (D-R.I.) asks Baker what the administration exactly means when it says it wants to partner with Congress.

Baker says they are eager to work with Congress to address all legal aspects of cyberspace. But Baker made clear that no legislative proposal is in the offing.

"We are definitely debating these kinds of issues inside the administration," he says. "With a view toward deciding whether they should propose changes and if so how because we don't want to mess up the existing authorities we have that provide a huge amount of capability to collect both law enforcement information and foreign intelligence information and importantly protect civil liberties and privacy."

In fact, none of the witnesses on the panel thought the current legal structure is adequate. Baker says there is an interagency process reviewing the current statutes and deciding how to move forward.

The White House's 60-day cyberspace policy review identified several legal issues that should be addressed, including updating the Federal Information Security Privacy Act (FISMA).

Greg Nojeim, a senior counsel and director of the Project on Freedom, Security and Technology at the Center for Democracy and Technology, says there are several laws that need to be at least tweaked.

He says CDT is leading a group of non-profit organizations looking at how the Privacy Act of 1974 could be updated.

"If anything, it needs to be tightened up, not loosened up," he says. "There are other statutes that may be put into play. The Electronic Communications Privacy Act and the Wiretap Act, both of which already allow providers to protect themselves, but they may need some tweaks to work with other providers to protect each other."

Nojeim adds this move by the administration to work with Congress comes from an increased understanding of the risk. But both lawmakers and the public still need a lot more education.

"A lot of work is being done across agencies to deal with cybersecurity," he says. "The Department of Justice may be developing some proposals to adjust electronic surveillance laws. We'll be looking at them closely to ensure they protect privacy and it sounds like DoJ will be looking at them with at least some attention to privacy."

Subcommittee members also asked whether the legal structure affected the Homeland Security Department's implementation of its intrusion detection and monitoring system, known as Einstein. Phil Reitinger, the deputy undersecretary in the department's national protection and programs directorate, says most agencies have installed or are implementing versions 1 or 2. In the meantime, DHS is testing Einstein Version 3.

Reitinger didn't offer any details about what Einstein 3 will do. But former DHS secretary Michael Chertoff said during a speech last December that it will include an anti-malware defense that will let agencies stop an attempt to put a virus or Trojan software on their system. Baker says DoJ has completed a legal review of the program, but would not offer any details in an unclassified setting.

Reitinger says DHS has taken several steps to ensure Einstein versions 1 and 2 meet all privacy and civil liberties requirements.

"There are there levels of training in DHS, general privacy training, specific training for those who conduct Einstein system and specific training going forward on Einstein 3," he says. "Within Office of Cybersecurity and Communications there is an identified oversight officer whose job it is to ensure compliance with the rules."

Nojeim says CDT offered about 20 questions that DHS should consider when developing Einstein 3. "The question is what is being done to protect privacy of those communications [under Einstein]," he asks. "Einstein 2 requires making a copy of all those communications. Who's auditing to make sure those communications are not being retained forever when there is no malicious code identified? Who's in charge limits on collection and use are being observed? We are looking for more attention paid to principles of fair information practice and to enforcing them."

Reitinger also discussed the forthcoming nationwide cyber incident response plan that DHS is developing with other agencies and the private sector.

He says a draft should be done by late December or early January, and tested initially in 2010.

"It will be more affirmatively exercised with the Cyber Storm 3 exercise that will take place in September of next year," he says. "We need in the event of significant incident to be able to respond as one nation. The plan [will provide] a highly actionable set of policies and procedures that will enable all of different government agencies to work effectively with the private sector in the event of a significant incident."

-----
On the Web:

DHS - National Incident Response Plan fact sheet

White House - 60-day cyberspace policy review (pdf)

Center for Democracy and Technology - Questions about Einstein system (pdf)

FederalNewsRadio - DHS to test Einstein version 3

FederalNewsRadio - Groups express concern about Privacy and Civil Liberties Oversight Board

FederalNewsRadio - Hathaway opens up about her decision to leave White House, cyber coordinator future role

(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)
