Building on Executive Order 13,636 to encourage information sharing for cybersecurity purposes.

Author: Broggi, Jeremy J.

Over the past several decades, cybersecurity has emerged as an issue of increasing national concern. (1) Both government and private entities rely heavily on computer networks for functions related to defense, routine economic activity, and operation of critical infrastructure such as the electrical grid and the water supply. (2) At the same time, attacks on and exploitations of both commercial and government networks are increasing in number and sophistication. (3) Growing awareness of the threat and of U.S. vulnerability led a recent Secretary of Defense to conclude that the "collective result of these kinds of attacks could be a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life." (4) Perhaps the highest profile recognition of the issue to date is President Obama's warning in last year's State of the Union Address that cyber adversaries pose "real threats to our security and our economy." (5) The President coupled his warning with an announcement of increased executive action to combat these threats and a call for legislation to "give our Government a greater capacity to secure our networks and deter attacks." (6) Though recent disclosures regarding unrelated security programs may have lessened the political appetite for cybersecurity legislation, the threat has not abated. (7) This Note explores the call for legislation in light of Executive Order 13,636, "Improving Critical Infrastructure Cybersecurity." (8)

Part I briefly sets Executive Order 13,636 in the context of the federal government's expanding cybersecurity efforts. Part II turns to the Order itself, focusing on the Enhanced Cybersecurity Services (ECS) information-sharing program, its statutory authority, and its potential for further expansion. Significantly, unlike some programs that have recently been the cause of public concern, (9) ECS does not involve bulk collection of communications or associated metadata by the government. Parts III and IV examine whether the Fourth Amendment, the Wiretap Act, or the Pen Register and Trap and Trace Devices statute impose any constitutional or statutory restrictions on further expansion of ECS. Part V briefly considers two potential legislative approaches that would encourage additional sharing. Part VI concludes that Congress should act to encourage voluntary sharing.


    Policymakers for years have recognized the threat to both federal and private networks from malicious cyber actors. (10) Because these networks are interdependent they cannot be effectively defended in isolation. As one defense official put it, "[s]ecure military networks will matter little if the power grid goes down...." (11) Nevertheless, the federal government's earliest efforts to address cybersecurity focused on protecting national security systems. (12) Over the years Congress expanded that focus by providing various authorities intended to protect military networks, (13) federal networks generally, (14) and to some extent, private commercial networks. (15) Unfortunately, the degree to which these and other authorities are scattered about the executive branch creates difficulty in bringing them to bear on the cyber threat in a comprehensive manner. (16) The Bush Administration began to address this problem with the Comprehensive National Cybersecurity Initiative, which combined various cyber functions with traditional law enforcement, intelligence, counterintelligence, and military capabilities, in order to better protect federal networks. (17) Security experts urged the incoming Obama Administration to continue and expand these efforts, emphasizing the importance of private networks in the overall cybersecurity picture. (18) President Obama responded by declaring the nation's "digital infrastructure," including private commercial networks, to be "a strategic national asset." (19) In the four years following that announcement, Congress introduced numerous bills addressing cybersecurity, all of which failed to pass. (20) In February 2013, the Administration issued Executive Order 13,636. (21)


    Executive Order 13,636 primarily addresses two issues that relate to the protection of private networks: the expansion of an existing system of near real-time information sharing to privately operated critical infrastructure, and the creation of a "cybersecurity framework" which will recommend security standards for the private sector. (22) Both programs are "voluntary," (23) though that may change, especially if Congress enacts new legislation on the subject. (24) This Note examines the information sharing program. The "framework" is outside this Note's scope.

    1. The Enhanced Cybersecurity Services (ECS) Program

      The Order contemplates two types of sharing. First, it directs the Secretary of Homeland Security and the Director of National Intelligence to establish a process for disseminating reports to targeted entities. (25) Second, and more significantly, the Order directs the Secretary of Homeland Security, in coordination with the Secretary of Defense, to expand the Enhanced Cybersecurity Services (ECS) program to all critical infrastructure sectors. (26) This program originated as a Department of Defense (DoD) program to protect the Defense Industrial Base (DIB). (27)

      Most critical infrastructure entities use cybersecurity providers (CSPs) to protect their networks. (28) ECS interfaces with those commercial providers--typically internet service providers (ISPs)--to augment their services with government cyber threat information. (29) The program "provides classified signatures to [appropriately cleared] firms or their ISPs to help counter known malicious cyber activity" (30) in "near real-time" using an automated process. (31) Signatures are "machine readable patterns of network traffic" deployed to detect and mitigate malicious cyber activity. (32) They are comprised of cyber threat "indicators," which are combinations of "data related to IP addresses, domains, e-mail headers, files, and strings" that identify such activity. (33) DoD has a role in providing cyber threat indicators and signatures that it obtains and develops through its foreign intelligence mission. (34)

      Providing signatures that counter threats makes ECS much more significant than an increase in reporting. Reports require human action to interpret them and respond. ECS enables privately operated networks to benefit from confidential government information, including classified foreign intelligence, in real time through a system that makes it useable and protects it from disclosure. The difference is the difference between receiving a notice of an attack after the fact and being able to stop an attack before it succeeds. (35)

    2. Scope of Statutory Authority for ECS

      The Order explicitly grounds its authority for expanding ECS to the private sector in 6 U.S.C. § 143. (36) Section 143 authorizes the Department of Homeland Security (DHS) to provide "as appropriate ... and upon request ... analysis and warnings related to threats to, and vulnerabilities of, critical information systems" to private entities that own or operate such systems. (37) This language easily encompasses signature sharing by the government with the private sector. It does not, however, authorize DHS to mandate private sector participation. On the contrary, the phrase "upon request" (38) suggests any such mandate is forbidden. (39) The section is silent regarding government receipt of information. (40) Other provisions of the Homeland Security Act, however, reflect an assumption that, in general, DHS is not precluded from receiving information pertaining to critical infrastructure that is "voluntarily shared" by private entities. (41)

    3. Potential for Further Expansion of ECS

      As currently structured, ECS is primarily a mechanism for the sharing of government cybersecurity information with the private sector on a voluntary basis. Absent from the Executive Order is any mention of sharing of information from the private sector to the government. (42) Yet the government is interested in receiving cybersecurity information from the private sector. (43) In 2012, General Alexander, head of both the National Security Agency and U.S. Cyber Command, explained the kind of information the government would like to receive from private-sector critical infrastructure entities. (44) Discussing a hypothetical where people in various critical infrastructure sectors received e-mails containing malicious code, Alexander emphasized that the government would not want to receive the contents of such e-mails. (45) Rather, the government would want technical information including the signature involved, and the IP addresses and ports transited. (46) According to Alexander, this type of information would allow the government to figure out if the country were under attack, and how to respond. (47) Because only "hits" would be shared, the government would not collect communications or associated metadata in bulk. (48)


    Expansion of ECS to accommodate information sharing from the private sector to the federal government potentially implicates the Fourth Amendment. The Fourth Amendment prohibits the government from conducting "unreasonable searches and seizures." (49) In the context of electronic communications, a "search" occurs when monitoring violates a "reasonable expectation of privacy." (50) The prohibition on unreasonable searches extends to private entities when they act as agents of the government. (51) Courts have implied a number of exceptions to the general prohibition. (52) Subparts A and B consider whether actions pursuant to the ECS program are searches and whether participating providers are agents of the government. Subpart C considers the applicability of three exceptions.

    1. Electronic Searches

      In Katz v. United States, the...
