Congressional Research Service Reports
Cybersecurity: Selected Legal Issues (R42409, April 2012) (48pp | 459kb | PDF) — “The federal government’s role in protecting U.S. citizens and critical infrastructure from cyber attacks has been the subject of recent congressional interest. Critical infrastructure commonly refers to those entities that are so vital that their incapacitation or destruction would have a debilitating impact on national security, economic security, or the public health and safety. This report discusses selected legal issues that frequently arise in the context of recent legislation to address vulnerabilities of critical infrastructure to cyber threats, efforts to protect government networks from cyber threats, and proposals to facilitate and encourage sharing of cyber threat information among private sector and government entities. This report also discusses the degree to which federal law may preempt state law.”
Cybersecurity: Authoritative Reports and Resources (R42507, April 2012) (55pp | 478kb | PDF) — “This report provides links to selected authoritative resources related to cybersecurity issues.”
Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions (R42114, December 2011) (53pp | 598kb | PDF) — "For more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised…. Three comprehensive legislative proposals on cybersecurity have been presented to the 112th Congress…."
Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations (R40427, March 2009) (21pp | 214kb | PDF) — "The CNCI establishes a multipronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems…. In response to the CNCI and other proposals, questions have emerged regarding: (1) the adequacy of existing legal authorities—statutory or constitutional—for responding to cyber threats; and (2) the appropriate roles for the executive and legislative branches in addressing cybersecurity…. This report discusses the legal issues and addresses policy considerations related to the CNCI."
Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress (RL32114, January 2008) (43pp | 260kb | PDF) — "This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."
Terrorist Capabilities for Cyberattack: Overview and Policy Issues (RL33123, January 2007) (29pp | 138kb | PDF) — "This report examines possible terrorists’ objectives and computer vulnerabilities that might lead to an attempted cyberattack against the critical infrastructure of the U.S. homeland, and also discusses the emerging computer and other technical skills of terrorists and extremists. Policy issues include exploring ways to improve technology for cybersecurity, or whether U.S. counterterrorism efforts should be linked more closely to international efforts to prevent cybercrime."
Creating a National Framework for Cybersecurity: An Analysis of Issues and Options (RL32777, February 2005) (60pp | 286kb | PDF) — "There are several options for broadly addressing weaknesses in cybersecurity. They include adopting standards and certification, promulgating best practices and guidelines, using benchmarks and checklists, use of auditing, improving training and education, building security into enterprise architecture, using risk management, and using metrics. These different approaches all have different strengths and weaknesses with respect to how they might contribute to the development of a national framework for cybersecurity. None of them are likely to be widely adopted in the absence of sufficient economic incentives for cybersecurity."