Cyber-search and Cyber-seizure: Policy Considerations of Cyber Operations and Fourth Amendment Implications. Catherine B. Lotrionte, Ph.D., J.D.


Running head: CYBER-SEARCH AND CYBER-SEIZURE

Cyber-search and Cyber-seizure: Policy Considerations of Cyber Operations and Fourth Amendment Implications

Catherine B. Lotrionte, Ph.D., J.D.
Georgetown University

Catherine Lotrionte is the Associate Director of the Institute for Law, Science and Global Security at Georgetown University, where she teaches courses on International Law and U.S. National Security Law. Prior to Georgetown University, she served as General Counsel to the President's Foreign Intelligence Advisory Board at the White House. Before that she served on the Joint Inquiry Staff and previously had been an Assistant General Counsel at CIA.

Abstract

This chapter discusses the nature of cyber threats against government and private computer systems, describing some steps the government has taken and the challenges involved in protecting those systems. The chapter argues that a national security approach for cyber security policy is the most promising option for preventing these cyber threats while operating within the domestic legal framework. After a review of the President's constitutional authorities to protect the nation from traditional threats, the chapter concludes that the President has some power to monitor Internet communications in transit within the United States when the communications threaten the welfare of the nation. The chapter recommends that this authority be augmented by Congressional action through legislation. The President's powers in cyber security, even given Congressional support, however, are still restrained by the protections the Fourth Amendment provides for traditional forms of communication and individual privacy. Although there is limited Fourth Amendment precedent in the area of cyber security, the well-established exceptions to the Fourth Amendment requirements, based on consent, special governmental needs and the reasonableness of the search or seizure, provide a legal basis for executive branch action to protect critical infrastructures and their computer systems. As the Courts have long held, these exceptions allow the government to conduct searches or seizures without being bound by all of the requirements of the Fourth Amendment. If the government develops its cyber security policy in line with these exceptions, this chapter argues the government can both protect critical computer systems and operate within Fourth Amendment doctrine that recognizes the legitimacy of privacy in electronic communications.

Keywords: Cybersecurity, Internet, reasonableness, search, seizure

Introduction

On Saturday, November 21, 2009 at approximately 4:00 pm, a radiation leak at the Three Mile Island nuclear power plant near Middletown, Pennsylvania resulted in the evacuation of over 100 employees. According to press reports, the leak occurred after a change in air pressure inside a building caused the release of irradiated particles within the piping of one of the generators (CNN, 2009). The air pressure change happened after the ventilation fans inside the building started. The immediate cause of the leak is still unknown. The spokesperson for Exelon, the private company that operates the plant, announced that the public was never at risk of exposure to radiation from the leak. In 1979, the same plant had a major accident. After that leak there was a halt in the building of any new nuclear plants in the United States. Currently, there are more than 100 nuclear power reactors in over 30 states within the United States. There are 30 different private companies that operate these plants and are responsible for their security.

The recent leak at Three Mile Island was real and potentially catastrophic. Imagine that the change in air pressure that occurred at the plant building was caused by a malfunction of the computer systems at the plant that controlled air pressure throughout the plant. Then imagine that the malfunction was the result of malicious code sent via e-mail to an employee at the plant. When the employee opened his e-mail, the malware caused a chain of events that led to the failure of the systems that control the air pressure systems throughout the plant. Imagine that malware went undetected for weeks until it was triggered to cause the failure of the air pressure systems.

Next imagine that the National Security Agency is monitoring incoming Internet traffic to the nuclear power plant at Three Mile Island. The NSA now believes that the individual(s) responsible for the recent attack on the plant's computer systems have sent another computer virus that will cause the plant safety mechanisms to fail. The NSA estimates that when the e-mail reaches its targeted destination it will trigger a cascading series of events that will lead to a complete system failure of the plant's security controls, causing a meltdown of the reactors. The exact extent of the possible damage will be unknown to those at the NSA analyzing the malicious code. In this case, though, they believe the second attack will be more dangerous because the perpetrators have learned about the plant's system vulnerabilities from their first attack.

The NSA will continue to monitor incoming Internet traffic to the plant (blocking any e-mails that they detect to have malicious code in order to disrupt a much more catastrophic second attack). The NSA's computers open the e-mails in order to scan the contents to determine the presence of the malicious code. The NSA analysts will review some personally identifiable information (PII) in the e-mails, such as e-mail addresses. The analysts, however, will not have access to any of the content of the e-mails. NSA computers will automatically scan the content of the e-mails in order to identify the presence of malicious code. If the malware is detected, the e-mail will be blocked, preventing the malware from reaching the plant's computer systems, infecting the network and causing a catastrophic second attack. While the NSA will keep a copy of the e-mail, no individual at NSA will review the content.

In monitoring, scanning and blocking communications in transit to the plant, has the NSA triggered the protection of the Fourth Amendment? Has the government conducted a search or seizure? And what, if any, Fourth Amendment requirements are relevant?

The answers to these questions depend on many factors, including whether automated monitoring of Internet traffic and communications to the power plant constitutes a Fourth Amendment search (U.S. Constitution, 1791). If monitoring content amounts to a search, then the government cannot monitor the e-mail without a warrant or special circumstances. On the other hand, if it is not a search, the government can monitor without any restrictions. The Fourth Amendment prohibits reviewing or looking at the content without a warrant, but in this case, no human being reviews or looks at the e-mail. Rather, the computers will scan the e-mail and save a copy of the e-mail without anyone at the NSA seeing it. Answers to these questions will also depend upon whether the blocking of the communication constitutes a seizure of the e-mail as the Fourth Amendment uses the term seizure. If blocking the e-mail constitutes a seizure, the government cannot block the e-mail without a warrant or special circumstances.

Answers to these questions are important, as they determine the legal framework that dictates how the government can protect its own government computer systems and those systems of private entities critical for U.S. national security. While the answers are not necessarily easy to determine with certainty based upon limited Supreme Court precedent related to the government's ability to interfere with Internet traffic while in transit, there is significant constitutional case law that provides insight into both the President's powers to protect the nation from threats and the Fourth Amendment protections long held by the Supreme Court to be critical in balancing government action and the right to privacy. Those who write or think that, in the area of cyber security, new legal frameworks have to be developed and the country has to move away from past Fourth Amendment precedent are mistaken. To do so is both unnecessary and detrimental to the long-established traditions that the country is based upon, and would deviate from the principles and protections that have been established within the Fourth Amendment by the Supreme Court. These are the norms that our society holds to be fundamental to the relationship between our government and the people. And these are the principles that should guide the government as it develops cyber security policy.

The Supreme Court has said that a Fourth Amendment search occurs when some governmental action intrudes upon the privacy interest of an individual who has a reasonable expectation of privacy (Katz v. United States, 1967). The Supreme Court has also determined that a Fourth Amendment seizure of property occurs when government action meaningfully interferes with an individual's possessory interests in that property (U.S. v. Jacobsen, 1984). In analyzing the actions of NSA in the hypothetical example, the first task is to establish whether and when the government's actions in monitoring traffic and content for malicious code are a search and whether and when the copying or blocking of the e-mails containing the code is a seizure for purposes of Fourth Amendment requirements. Whether NSA's actions constitute searches or seizures will enable a determination of at what point, if any, the Fourth Amendment becomes relevant. The second task is to examine the reason for and the scope of the government's intrusion in the context of all of the circumstances of the invasion of an individual's personal privacy or security. These factors related to the government's actions will establish the reasonableness of the actions, the central requirement of the Fourth Amendment.

Part I of this chapter discusses the nature of the cyber threats against government and private computer systems, describing some of the steps the government has taken or is currently considering and the legal challenges involved in protecting those systems. Part II outlines the organizational options for the U.S. government in addressing cyber security and argues that a law enforcement approach has limited utility in countering and preventing cyber threats while a national security approach would more effectively work to protect the computer networks critical to the United States and prevent future attacks against those networks. Part III reviews the national security authorities of the President to protect the nation's security from traditional threats as prescribed by the U.S. Constitution, concluding that the President has the legal authority to monitor Internet communications that threaten the national security of the United States. Part IV examines the protections that the Fourth Amendment offers to traditional forms of communication and individual privacy in the realm of government searches and seizures. Part V reviews the existing Fourth Amendment precedent for government action in cyber security, concluding that while there is no clearly established Fourth Amendment legal regime that controls in the area of government monitoring for cyber security purposes, there is sufficient Fourth Amendment precedent that has established relevant principles that the government can follow in developing cyber policy. Part VI explores the exceptions to the Fourth Amendment requirements based on consent, special governmental needs and the reasonableness of the government operations and proposes situations in which the government has authority under these exceptions to protect computer systems that are critical to U.S. national security without having to meet all of the Fourth Amendment requirements.

In line with case law precedent, this Chapter argues that the central issue for determining the constitutionality of the government's actions is the reasonableness of the programs. Even if the government's actions do not meet the definition of a search or seizure under the U.S. Constitution, this Chapter argues that ultimately the test of whether the government's cyber security programs are constitutional will depend on the scope and method used by the government; in other words, the reasonableness of the government's actions. Factors such as the effectiveness of the program, the compelling governmental need for the program, the intrusiveness of the program and the general public availability of the technology being used by the government will determine the reasonableness of the program. This Chapter concludes that by working within the exceptions under already existing Fourth Amendment doctrine, the government can adequately protect critical computer systems while maintaining the balance between privacy interests in electronic communications and the government's ability to protect national security.

Part I. Nature of Threats in Cyberspace

A. Government Systems and Private Systems Vulnerable to Cyber Attacks

During the last decade, U.S. federal agencies have reported increasing cyber intrusions into government computer networks (Fisler, 2009). These reports, along with the 2007 cyber attack against Estonia, have focused the U.S. government on the issue of cyber security. According to some estimates, there are thousands of attempts daily by outsiders to gain access to sensitive government information found on government networks. Some of the perpetrators are known, while others are not. Like the government systems that have become vulnerable to intrusions, so too have the private sector computer networks become targets.

Intrusions into private computer systems have already caused significant losses. In 2006, Americans lost at least $200 million to online fraud. In January 2009, Heartland Bank and Bank of America were forced to notify their customers that they would be receiving newly issued credit and debit cards from the banks because of a cyber security breach at their payment processing company, Heartland Payment Systems. In 2008, the payment processor's computer systems had been compromised, potentially implicating millions of credit and bank accounts at numerous national banks. It was weeks after being notified of suspicious behavior by credit card companies that the payment processor was able to determine that there actually had been a security breach and accounts compromised. The total amount of loss has not been publicly released, but the potential could be millions. To date, approximately $30 million has been spent by Heartland in recovery and response costs associated with this breach (Ramasastry, 2009). What is still unknown at this point is the total number and value of fraudulent transactions caused by this breach.

There has been broad acknowledgement that many of the government's networks are vulnerable to cyber threats. Recently, however, it has become clearer to government officials that government networks are only a small fraction of the communication and information infrastructure system on which the U.S. depends. Many of the threats are against private networks, which are critical to the U.S., and therefore necessary to secure. The debate over cyber security has, for the most part, revolved around the question of who is responsible for securing those networks: the government or the private sector. Many of the private networks are part of the nation's critical information infrastructures: "systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters" (42 U.S.C. 5195c(e)). These information infrastructures support a wide range of security and economic assets in the public and the private sectors. In congressional testimony, Director of National Intelligence Dennis Blair stated, "Growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and other critical infrastructures" (D. Blair, U.S. Senate Select Committee on Intelligence Hearing, February 12, 2009).

As early as 1997, the US government began to appreciate the threat to government computer systems after a joint White House and DOD-run exercise, Eligible Receiver (ER97), demonstrated how DOD networks could be attacked, resulting in the penetration of the Joint Chiefs command system (Frontline, April 24, 2003). In February 2008, the Senate Armed Services Committee released its Intelligence Community Annual Threat Assessment (Director of National Intelligence, 2008). Notably, for the first time, the annual report included cyber attacks by foreign governments, non-state actors and criminal elements as one of the critical issues facing the national security of the United States. It goes on to describe how states like Russia and China have used cyber attacks to disrupt the U.S. infrastructure and to collect intelligence (Director of National Intelligence, 2008).

In 1998, Frontline reported on a highly classified incident in which U.S. officials accidentally discovered a pattern of probing of computer systems at the Pentagon, NASA, Energy Department, private universities and research labs had begun in March The hackers accessed thousands of files within these systems. To date, the perpetrators have not been discovered. The attack was traced back to the former Soviet Union; however, Russia denies any involvement. Another set of attacks against DOD, Department of Energy, and corporate networks took place from 2003 to This event was called Titan Rain and most analysts believe China sponsored the attacks (Graham, 2005). In 2007, the Defense Science Board released a report on the Mission Impact of Foreign Influence on DOD Software (Defense Science Board, 2007), concluding, "DOD does not fully know when or where intruders may have already gained access."

According to the 2008 Senate Armed Services Committee report, there is no indication that this trend in the use of cyber technology against U.S. security interests will end any time soon. Moreover, the report notes that with government, private and personal activity linked together as part of a common infrastructure, the U.S. Government must take proactive measures to detect and prevent intrusions from whatever sources (Director of National Intelligence, February 27, 2009). The Committee report was not only a warning signal about the damages that the U.S. continues to face from cyber attacks, highlighting the need for proactive cyber security measures; it was also a hint about the role the intelligence community would play in combating some of these cyber threats.

On February 12, 2009, the Intelligence Community published its annual threat report to the Senate (Director of National Intelligence, 2009). According to the report, the nation's information infrastructure is increasingly being targeted for exploitation and potentially for disruption or destruction by a growing number of state and non-state adversaries. The targets include the Internet, telecommunications networks, computer systems, and embedded computer processors and controllers in critical industries. The report concluded that the nation must take proactive measures to detect and prevent intrusions from whatever source, as they happen, and before they can do significant damage.

As evidenced from the threat reports from the U.S. government, there is an increasing array of state and non-state actors such as governments, terrorists and international criminal organizations that are targeting the United States -- the government, individuals, corporations and critical infrastructures. According to the DNI, these actors have illustrated their ability to exploit, compromise, steal and destroy information they target (2009). In testimony before Congress in May 2009, James Lewis, director of the Technology and Public Policy program at the Center for Strategic and International Studies, described 17 significant security incidents worldwide that had been reported in just the last two years (J. Lewis, U.S. House of Representatives Committee on Oversight and Reform Hearing, May 5, 2009). He noted that there were likely more incidents that have gone unreported. A number of those reported involved U.S. government targets. For example, according to Lewis, the Federal Aviation Administration (FAA) computer systems were hacked, foreign intruders hacked into the State Department's computer systems and downloaded terabytes of information, and classified networks at the Department of Defense and Central Command were hacked by foreign intruders. According to the Commission on Cybersecurity for the 44th Presidency, headed by James Lewis, "America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration" (CSIS, 2009).

Cyberspace has been a tremendous asset to U.S. national security and the economy. To the extent it remains unsecured, however, it is a tremendous liability to both U.S. national security and U.S. economic prosperity. In many ways, cyberspace poses an asymmetric liability for the U.S. as compared to our adversaries. We are much more vulnerable to the exploitive manipulation of cyberspace than our adversaries because so much of what the nation does (economically, militarily, and politically) is integrated and closely tied to cyberspace. Our nation is figuratively and literally an open nation whose basic principles come from innovation, openness, and the free movement of people and ideas. Yet, these very principles are at risk if the nation does not find a way to secure cyberspace. As Richard Clarke, the nation's first cyber security czar, stated, "As long as we have vulnerabilities in cyberspace and as long as America has enemies, we are at risk of the two coming together to severely damage our great nation" (Krebs, 2003).

The cyber threat that the U.S. faces is complex and lacking clearly delineated boundaries. While some of the cyber intrusions operate through foreign nations' military or intelligence-gathering operations, others have links to terrorist groups and organized crime syndicates. Some of these cyber threats are international and others domestic. Regardless of the nature of the perpetrators, the U.S. government has recognized that it must operate both domestically and internationally in assessing these threats and make efforts to stop the intrusions. Waiting until the threats have inflicted their damage is too late.

This Chapter focuses on the U.S. government's efforts to act domestically in trying to prevent those that seek to exploit computer systems and data that are critical to the U.S. national security, as well as reactions from civil libertarians to these efforts. The Chapter explores the authorities of the federal government in its efforts to conduct cyber security operations in light of Supreme Court precedent interpreting and applying the Fourth Amendment in areas of governmental actions vis-à-vis the people.

B. Government Policy Responses

Over the past couple of decades, as the cyber threats have grown in number and sophistication, U.S. policy makers have taken steps to protect the cyber domain -- computer systems, networks and information -- from our adversaries. In 1998, President Clinton directed government agencies to begin to cooperate to protect critical infrastructures that were central to U.S. national security. Presidential Decision Directive 63 (PDD-63, 1998), signed by Clinton in May 1998, established a structure under White House leadership to coordinate the activities of designated lead departments and agencies, in partnership with the private sector, to eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems. Importantly, PDD-63 elevated the issue of cyber security to the White House and instituted a policy that continues to shape U.S. policy on cyber security. Unfortunately, today, government and commercial networks remain vulnerable.

In 2003, the Clinton policy was updated by the Bush administration in its National Strategy to Secure Cyberspace (National Strategy to Secure Cyberspace, February 2003), which laid out a vision for the secure use of cyberspace. The strategy offered suggestions to government, academic and private sector users of cyberspace on how to better secure their computer systems and networks. The key part of the strategy included the shifting of many responsibilities to the Department of Homeland Security. Homeland Security Presidential Directive 7 (HSPD-7, 2003) assigned the Secretary of Homeland Security the responsibility for coordinating the nation's overall critical infrastructure protection efforts, including those for cyber infrastructure, across all sectors working in cooperation with Executive Branch agencies (2003). This strategy, consistent with previous policies, focused on defensive strategies, placing the primary responsibility for cyber security on individual users and corporations rather than the U.S. government. Many security experts have argued that the U.S. government should have the responsibility for protecting cyber security as a national security matter, criticizing the government's policies to date that place responsibility on the individual and corporate users to secure their own computers.

As attacks against government and private information systems continued, becoming more complex and sophisticated, the Bush administration took the offensive and established the Comprehensive National Cybersecurity Initiative (CNCI, January 2008) as both an offensive and defensive strategy to thwart the cyber attacks. This strategy was a departure from the past approaches, as CNCI seeks to bridge the gaps between the separate cyber missions of law enforcement, intelligence, counterintelligence and military organizations in order to prevent and counter the threats that exist in cyberspace. This initiative places the central emphasis on proactive interception as the best defensive strategy against these threats. Notably, in line with this new preventive approach, the CNCI relies primarily on the intelligence community to take the lead in protecting the cyber domain. This has raised a number of concerns articulated by civil liberties organizations.

In January of 2008, President Bush issued two presidential directives, National Security Presidential Directive 54 (NSPD-54, January 2008) and Homeland Security Presidential Directive 23 (HSPD-23, January 2008), codifying the establishment of the general framework for the CNCI and initiating programs focused primarily on the security of Executive Branch networks. One program currently in use by the government to secure government systems is the Einstein program administered within the Department of Homeland Security. The first two versions of the Einstein program have been discussed publicly, with privacy assessments for each version made public by the Department of Homeland Security (Department of Homeland Security, 2008). DHS has recently released the privacy assessment for Einstein 3; however, many of the privacy concerns still remain (Privacy Impact Assessment, 2010). This version has raised the most concerns voiced by civil liberties groups.

While many of the details of the presidential directives are classified, some details of the Einstein programs have been made public in Departmental press releases, speeches by policymakers and insights offered by cyber policy experts. Since the creation of the Einstein programs under the Bush administration, versions 1 and 2 have been partially deployed and version 3 is currently being developed and, according to DHS officials, is currently under a legal review. According to those involved with CNCI, including former DHS Secretary Michael Chertoff, the goal of the CNCI is to reduce the vulnerability of federal government networks to attacks and intrusions by extending the tools that currently protect classified networks to all federal government networks (Chertoff, 2008). In March 2010, the White House issued a press release providing more details about the objectives of CNCI (Comprehensive National Cybersecurity Initiative, 2010). Siobhan Gorman, a Wall Street Journal reporter, has spoken with government officials knowledgeable about the CNCI program, and has stated that, "The plan calls for the NSA to work with the Department of Homeland Security and other federal agencies to monitor such networks to prevent unauthorized intrusion" (Gorman, 2007).

This Chapter explores the legal contours of the U.S. government's cyber security programs like the CNCI program based on the facts that are publicly available and argues that a sound legal foundation for these programs is critical to the program's legitimacy and its ultimate success. Moreover, in light of the fact that the CNCI has been shrouded in secrecy with limited information provided even to oversight officials in Congress, the Chapter concludes that it is important for the government to provide, to the fullest extent possible, information to the public about the nature and scope of the particular programs. Please add a paragraph about recent White House release of CNCI portions.

As is often the case with new and innovative programs, analyzing the government's actions to provide cyber security requires a review of current legal authorities for the new programs as well as a review of the available technical and policy options under the existing legal framework. The challenge in assessing the legal parameters of government action in cyber is that this is a new frontier in Fourth Amendment jurisprudence that has been little explored (Quon v. Arch Wireless Operating Co., 2008). In seeking to understand the constitutional framework for government programs that seek to protect computer systems, one must first determine the appropriate organizational and functional approach the government needs to take in order to effectively address the threats. Once that specific approach has been established, the constitutional framework governing the government's authorities can be assessed.

Part II. A National Security Approach to Preventing Cyber Attacks

A. A National Security Approach versus a Law Enforcement Approach

The cyber attacks that continue against U.S. government networks and critical information systems are threats to the U.S. national security. Some have argued that these threats should be addressed through traditional law enforcement mechanisms (criminal investigations and prosecutions) or by market forces (competition, innovation and technological developments). Others have argued that there is an urgent need to address these threats as national security threats and that criminal statutes or market forces are ineffective in deterring or preventing those that conduct cyber attacks.

Some policymakers, like former DNI Mike McConnell, argue that to successfully defend against cyber attacks requires the U.S. government to monitor, screen or surveil Internet traffic transiting in the United States (Jean, 2009). Monitoring information at the border of the U.S. as it flows into the U.S. is one part of that defense but, arguably, a more effective defense would include the monitoring of all information that moves within the United States in order to look for the specific threats. This traffic could be traveling to government-owned computer networks or privately owned networks. Those like McConnell who argue for such monitoring believe that an attack against privately owned networks could be just as devastating as, and potentially more devastating than, an attack against government networks.

In developing a strategy to counter these cyber threats, the federal government must first consider the legal framework for any specific policy proposal to confront the threats. The premise of this Chapter is that, based upon the number, scope and complexity of the past cyber attacks against government and non-government systems, the best approach to counter the attacks is a national security one which would operate within the bounds of the Fourth Amendment provisions and exceptions. Such an approach would leverage the capabilities and resources of the federal government, drawing upon the authorities of the intelligence community and the Department of Homeland Security, while coordinating with those closest to the problem: state and local authorities and Chief Executive Officers of private companies. While the attacks are indeed criminal acts, a criminal approach using criminal investigations and prosecutions is not the appropriate or most effective means to protect the systems from these threats. In the case of a U.S. government system that has been attacked, a criminal investigation based upon evidence collected after the fact may do little to protect U.S. national security. A criminal prosecution, if at all possible, may be too late. Based upon the rapid speed of technological developments, leaving it to criminal statutes to deal with this threat would likely not be sufficient. Moreover, the benefit of using a criminal framework may be minimal in light of the limited deterrent effect it has had so far.

If policymakers accept a national security approach as appropriate for cyber threats, a legal basis for the specific policy prescriptions must be established to ensure that any program is lawful and viewed as legitimate. Such a legal assessment would involve analyzing the constitutional authority and limitations of the federal government actions in the domestic realm as well as the relevant statutes implicated by those actions.

The remainder of this Chapter focuses on the constitutional authorities and limitations imposed upon the government, as interpreted by the courts, reviewing Presidential powers under Article II of the U.S. Constitution and the constitutional restrictions codified in the Fourth Amendment, and applying court precedent to government actions to counter cyber threats.

One alternative to the national security framework is a law enforcement framework. In 1998, as U.S. military assets were being deployed to the Arabian Gulf, the Defense Information Systems Agency (DISA), charged with protecting the computer systems of DOD, determined that U.S. Air Force logistics systems at a number of bases had been penetrated. Ultimately, the hackers were identified as two California teenagers and one teenager from Israel. The FBI charged the American teenagers. The case was called Solar Sunrise (Poulsen, 2001). In a criminal case like Solar Sunrise, the executive branch obtains legal authority to take action based on specific statutory authorities in a number of federal criminal statutes. One of the earliest efforts of the government in this area was when Congress passed the Computer Fraud and Abuse Act of 1986, which criminalized certain forms of computer crime (18 U.S.C. § 1030). In addition to this statute, there are several other provisions in the U.S. Criminal Code that establish federal cybercrime offenses and authorize prosecution (Doyle, 2007). Most criminal provisions, however, are reactive by nature and generally do not authorize preventative measures to defend against potential future cyber threats. In the past, the U.S. has relied on the Federal Information Security Management Act, which requires federal agencies to take administrative steps to assess risk and protect their computer systems

from cyber intrusions (2002). This statute is preventative in nature, however, and it only allows protective measures that are relatively limited.

A law enforcement approach to cyber threats involves law enforcement authorities, i.e., FBI agents and police, whose main purpose is to collect evidence of a crime to be used in court to prosecute those responsible. Traditionally, the Fourth Amendment requires individualized suspicion or probable cause that the person is involved in criminal activity. Unlike law enforcement, national security intelligence services must cast a wide net with a fine mesh to catch the clues that may enable the next attack to be prevented (Posner, 2005). The purpose of criminal justice is to hold a specific person responsible for a discrete crime that has already happened. By contrast, the purpose of intelligence collection or monitoring is to guide actions, such as stopping a cyber attack from occurring by, for instance, preventing a malware-infected from reaching its destination. It is in this preventive fashion that the current national security framework operates to prevent future harm. Similar to airport screening or postal mail screening, there is no requirement of individualized suspicion followed by a warrant in the national security framework for cyber threats. Rather, when in a period of war, the nation is in its last line of defense of the homeland when defending its computer networks. Similar to actions in wartime, the armed forces are not required to have individualized suspicion or to meet a probable cause requirement before intercepting enemy communications in order to anticipate the enemy's move and counter it.

B. CNCI under a National Security Approach

In May 2008, the Senate Armed Services Committee released its budget report for the CNCI (Report on National Defense Authorization Act for Fiscal Year 2009,

February 2008) increasing the privacy concerns of many citizens. As previously mentioned, the White House, as recently as March 2010, issued a more detailed statement explaining the goals of the program to the general public including the mission of the Einstein 3 system (Comprehensive National Cybersecurity Initiative, 2010). As some details about the Einstein 3 program were reported in the press, the level of concern about the potential of the government to violate the privacy interests of those using the Internet increased. Civil liberties groups called for a release of the details of the Einstein program and Congress called for reports about the privacy impact of Einstein and other programs as well as the legal authorities for the programs.

The challenge for the government in developing programs that will proactively detect and stop cyber attacks is to develop and implement the programs in a manner that is lawful and consistent with society's expectations of privacy. In examining the legal contours of such programs, the rest of the Chapter focuses on two aspects of programs like the CNCI that need some analysis, which has been absent from the public debate to date about the CNCI and other programs: (1) separation of powers and the scope and limits of executive power, and (2) Fourth Amendment implications based upon the scope and implementation of any programs. The Chapter will focus on the CNCI and the Einstein systems in analyzing these two areas of the law in the context of government action in cyberspace.

Congress has maintained its concerns regarding the level of classification of the CNCI details. In its 2008 budget report, the Senate warned about the dangers of the highly classified nature of the cyber security initiative. The report stated, These restrictions preclude public education, awareness, and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties

(National Defense Authorization Act, 2009). Because the cyber security initiative is shrouded in secrecy, there has been no public debate about the legal issues that are relevant in examining how the U.S. Government can and should conduct cyber security. Based upon some of the limited reports in the press about the CNCI, however, some facts are known about the program. Facts about the details of the programs are important to the legal assessment of the program and will be relevant to the review and conclusions about the law in this Chapter.

In October 2008, the Bush administration revealed some details about the program. The Department of Homeland Security announced that the CNCI included 12 components that either formalized existing cyber security processes or introduced new policies and business practices to better protect computer networks and systems. The Department released very few specifics of these components. One component that was discussed that is central to the government actions analyzed in this Chapter is the intrusion prevention component of the CNCI. Most cyber security specialists say that computer networks must be monitored in order to identify cyber attacks before they successfully break into the system. Many critics of the government's efforts to protect the government systems said the initial version of Einstein only allowed for network flow monitoring and did not allow for more in-depth network traffic monitoring, a major flaw of the system. DHS added intrusion detection capabilities in the second version of Einstein (Aitoro, 2009).

The Department of Homeland Security deployed the initial version of Einstein, called Einstein 1, in Einstein 1 provides an automated process for collecting, correlating, and analyzing computer network security information from voluntary federal

executive agencies. According to the Department of Homeland Security, Einstein 2, like Einstein 1, will continue to passively observe network traffic to and from participating federal executive agencies' networks. Einstein 2 adds to Einstein 1 a network intrusion detection technology that will monitor for malicious activity in [network traffic to and from participating federal executive agencies].

According to more recent press reports, the federal government is currently developing a new version of the Einstein system, which includes an intrusion prevention system to help secure civilian networks in the .gov space. This new system is called Einstein 3. According to government officials familiar with the new version, Einstein 3 will have the added ability to read the content of and other Internet traffic in addition to traffic that is on government systems (Gorman, 2009). Moreover, the system is to have the capability to intercept threatening Internet traffic before it reaches a government system (Bain, 2010). In a meeting in October 2009, former Secretary of Homeland Security Michael Chertoff described how Einstein 3 would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target (CNN, 2008). In short, Einstein 3 functions as a preventive intrusion technology by stopping the threats before they can cause damage, rather than waiting until the threat reaches its target.

Both Einstein 2 and Einstein 3 have raised privacy concerns. The details known about Einstein 3 have raised concerns that the government will be scanning, monitoring, and reading Internet traffic without an individualized court order or probable cause. The Digital Due Process Coalition, for example, is working through its partners in industry and advocacy to update current federal statutes in order to upgrade and enhance privacy protections for individuals using

the Internet (The Los Angeles Times, March 30, 2010). One question addressed in this Chapter is whether the government needs a court order or probable cause.

Recently, the Office of Legal Counsel within the Department of Justice has released two opinions regarding Einstein 2.0. The Bush Administration wrote the first opinion and concluded that Einstein 2.0 complied with the Constitution and applicable federal laws provided that users are properly warned that Einstein was operating and monitoring their Internet traffic (Office of Legal Counsel, 2009). The Obama administration signed off on a second opinion related to Einstein 2.0, which concurred with the earlier opinion and also concluded that the system does not violate state wiretapping or communications privacy laws (Office of Legal Counsel, 2009). The Department of Homeland Security has also released its Privacy Impact Assessment for the first two versions of the Einstein system. The government released a preliminary privacy impact assessment on Einstein 3.0 in March 2010, but the initiative is still under review (Privacy Impact Assessment, 2010).

By necessity, cyber security will involve the monitoring of Internet traffic in transit if the government is to prevent cyber attacks before they reach the intended computer systems within the United States. Cyber security also involves installing firewalls and other safeguards on computer networks. As former DNI McConnell has explained, in order for the government to effectively protect its networks, the government cannot wait until the intrusion or attack has occurred. Instead, the government must be proactive in monitoring for information about the threats before they reach the target of a government or other critical computer system (Harris, 2008). There are two general varieties of Internet traffic that are potentially threatening to U.S. computer systems: those

communications that originate overseas and target U.S. systems, and those that originate in the United States. Based upon the government's access to domestic telecommunication systems, the government will likely find it easier from a practical standpoint to monitor these communications within the United States rather than overseas. While the legal requirements of the Fourth Amendment apply to government intrusions against individuals (at least U.S. citizens) whether the government is acting domestically or overseas, it is the domestic monitoring of Internet traffic that poses the more difficult challenge for the U.S. government, and therefore it is on this area that this Chapter concentrates.

Regardless of which agencies of the government carry out activities in cyberspace within the United States, through CNCI or other programs, the government's actions will be subject to a number of constitutional and statutory restrictions. Similarly, the authorities for such actions are statutorily or constitutionally based. Currently, there is no specific statute that constitutes authority for the CNCI, as the President has only outlined its objectives. Arguably, it is constitutional authorities that provide the President with the necessary power to carry out the objectives of any cyber security program. The next section of this Chapter examines the constitutional authorities of the President, arguing that there is independent authority for the President to carry out the objectives of the CNCI without congressional legislation as he/she seeks to protect the country from attack. The extent of those constitutional powers, however, will depend on the particular facts of the CNCI and how the program is implemented. Under the constitutional legal analysis of shared powers between the Congressional and Executive branches of the government, the legal analysis would come down to the President's war powers and

foreign affairs powers, which include the authority to conduct intelligence activities. Although the President has some inherent authorities in these areas to act independently from Congress, this Chapter proposes that the President should work with Congress to adopt legislation, which would place programs such as the CNCI on firm legal grounding with the support of the legislative branch.

Part III. A Constitutional Framework for Presidential Actions

A. Article I Congressional Powers vis-à-vis Article II Presidential Powers

Article II, section 1 of the Constitution imposes a duty on the President to preserve, protect and defend the Constitution of the United States. Because of that duty, the Supreme Court has stated that the President has implicit authority to protect our system of government from subversion or attack (United States v. United States District Court for the Eastern District of Michigan, 1972). Thus, we begin by recognizing the inherent constitutional authority of the President to respond to attack, even if only a cyber attack, as part of his/her constitutional executive authority. Importantly, in recognizing this authority that the President has as part of his/her foreign affairs powers, the Supreme Court has stated that the President's authority in this area is strongest when working in conjunction with an explicit Congressional act that supports the President's actions. In the Youngstown Steel Seizure case (1952), the Court settled the issue that Presidential powers are not fixed but fluctuate depending upon their disjunction or conjunction with those of Congress. Thus, the question is not whether the President has inherent authority to conduct computer network monitoring, but whether

the Congress has legislated in support of those authorities and thereby provided the President with maximum authority in his/her actions. According to Justice Jackson in the Youngstown case, the President's inherent constitutional powers are relatively strong when authorized by Congress and are at their lowest ebb when a president takes measures incompatible with the express or implied will of Congress. Jackson articulated an additional category, Category Two, the zone of twilight in which congressional inertia can occasionally enable, if not invite, measures on independent presidential responsibility. Actions in this category prompt a complicated, totality-of-the-circumstances inquiry, in which courts determine congressional intent vis-à-vis executive action, analyzing statements made by members of Congress, for instance, in an effort to determine what the lawmakers meant in responding to executive action.

Given the existing statutes passed by Congress, the Executive Branch's responses to cyber threats in CNCI would likely fall outside of the first of Justice Jackson's categories. Congress has not expressly authorized the cyber security reforms proposed by the CNCI, nor do other generally related statutes appear to impliedly authorize all potential cyber security protections. Arguably, the cyber security efforts of the Executive Branch that focus on monitoring and gathering information on Internet traffic most closely parallel the government's actions in conducting intelligence collection domestically without individualized court orders. Justice Jackson's third category, where the President's power is at its lowest in acting contrary to what Congress has declared, is probably inapplicable to the CNCI operations. Unlike the area of electronic surveillance, in which Congress has explicitly limited those operations


More information

Subject: Critical Infrastructure Identification, Prioritization, and Protection

Subject: Critical Infrastructure Identification, Prioritization, and Protection For Immediate Release Office of the Press Secretary The White House December 17, 2003 Homeland Security Presidential Directive / HSPD-7 Subject: Critical Infrastructure Identification, Prioritization,

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. BAG15121 Discussion Draft S.L.C. 114TH CONGRESS 1ST SESSION S. XXXX To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist July 18, 2013 CRS Report for Congress Prepared for Members and Committees of Congress Congressional Research

More information

Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills

Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills April 4, 2012 Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills The chart below compares on civil liberties grounds four bills that seek to promote

More information

DIVISION N CYBERSECURITY ACT OF 2015

DIVISION N CYBERSECURITY ACT OF 2015 H. R. 2029 694 DIVISION N CYBERSECURITY ACT OF 2015 SEC. 1. SHORT TITLE; TABLE OF CONTENTS. (a) SHORT TITLE. This division may be cited as the Cybersecurity Act of 2015. (b) TABLE OF CONTENTS. The table

More information

DEPARTMENT OF JUSTICE WHITE PAPER. Sharing Cyberthreat Information Under 18 USC 2702(a)(3)

DEPARTMENT OF JUSTICE WHITE PAPER. Sharing Cyberthreat Information Under 18 USC 2702(a)(3) DEPARTMENT OF JUSTICE WHITE PAPER Sharing Cyberthreat Information Under 18 USC 2702(a)(3) Background Improved information sharing is a critical component of bolstering public and private network owners

More information

TUSKEGEE CYBER SECURITY PATH FORWARD

TUSKEGEE CYBER SECURITY PATH FORWARD TUSKEGEE CYBER SECURITY PATH FORWARD Preface Tuskegee University is very aware of the ever-escalating cybersecurity threat, which consumes continually more of our societies resources to counter these threats,

More information

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide COUNTERINTELLIGENCE O F F I C E O F T H E N A T I O N A L C O U N T E R I N T E L L I G E N C E Protecting Key Assets: A Corporate Counterintelligence Guide E X E C U T I V E Counterintelligence for the

More information

An Overview of Cybersecurity and Cybercrime in Taiwan

An Overview of Cybersecurity and Cybercrime in Taiwan An Overview of Cybersecurity and Cybercrime in Taiwan I. Introduction To strengthen Taiwan's capability to deal with information and communication security issues, the National Information and Communication

More information

Trends Concerning Cyberspace

Trends Concerning Cyberspace Section 2 Trends Concerning Cyberspace 1 Cyberspace and Security Owing to the information technology (IT) revolution in recent years, information and communication networks such as the Internet are becoming

More information

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY

THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY THE 411 ON CYBERSECURITY, INFORMATION SHARING AND PRIVACY DISCLAIMER Views expressed in this presentation are not necessarily those of our respective Departments Any answers to questions are our own opinions

More information

Managing the Unpredictable Human Element of Cybersecurity

Managing the Unpredictable Human Element of Cybersecurity CONTINUOUS MONITORING Managing the Unpredictable Human Element of Cybersecurity A WHITE PAPER PRESENTED BY: May 2014 PREPARED BY MARKET CONNECTIONS, INC. 14555 AVION PARKWAY, SUITE 125 CHANTILLY, VA 20151

More information

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS NEW YORK Jeremy Feigelson jfeigelson@debevoise.com WASHINGTON, D.C. Satish M. Kini smkini@debevoise.com Renee

More information

STATEMENT OF MR. THOMAS ATKIN ACTING ASSISTANT SECRETARY OF DEFENSE FOR HOMELAND DEFENSE AND GLOBAL SECURITY OFFICE OF THE SECRETARY OF DEFENSE;

STATEMENT OF MR. THOMAS ATKIN ACTING ASSISTANT SECRETARY OF DEFENSE FOR HOMELAND DEFENSE AND GLOBAL SECURITY OFFICE OF THE SECRETARY OF DEFENSE; STATEMENT OF MR. THOMAS ATKIN ACTING ASSISTANT SECRETARY OF DEFENSE FOR HOMELAND DEFENSE AND GLOBAL SECURITY OFFICE OF THE SECRETARY OF DEFENSE; LIEUTENANT GENERAL JAMES K. MCLAUGHLIN DEPUTY COMMANDER,

More information

Information Security Law: Control of Digital Assets.

Information Security Law: Control of Digital Assets. Brochure More information from http://www.researchandmarkets.com/reports/2128523/ Information Security Law: Control of Digital Assets. Description: For most organizations, an effective information security

More information

Standard: Information Security Incident Management

Standard: Information Security Incident Management Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of

More information

GAO INFORMATION SECURITY. Computer Attacks at Department of Defense Pose Increasing Risks

GAO INFORMATION SECURITY. Computer Attacks at Department of Defense Pose Increasing Risks GAO United States General Accounting Office Testimony Before the Permanent Subcommittee on Investigations, Committee on Governmental Affairs, U.S. Senate For Release on Delivery Expected at 9:30 a.m. Wednesday

More information

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

December 17, 2003 Homeland Security Presidential Directive/Hspd-7 For Immediate Release Office of the Press Secretary December 17, 2003 December 17, 2003 Homeland Security Presidential Directive/Hspd-7 Subject: Critical Infrastructure Identification, Prioritization,

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

Homeland Security Presidential Directive/HSPD-5 1

Homeland Security Presidential Directive/HSPD-5 1 For Immediate Release Office of the Press Secretary February 28, 2003 Homeland Security Presidential Directive/HSPD-5 1 Subject: Management of Domestic Incidents Purpose (1) To enhance the ability of the

More information

Cyber Incident Annex. Cooperating Agencies: Coordinating Agencies:

Cyber Incident Annex. Cooperating Agencies: Coordinating Agencies: Cyber Incident Annex Coordinating Agencies: Department of Defense Department of Homeland Security/Information Analysis and Infrastructure Protection/National Cyber Security Division Department of Justice

More information

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED The FBI Cyber Program Bauer Advising Symposium October 11, 2012 Today s Agenda What is the threat? Who are the adversaries? How are they attacking you? What can the FBI do to help? What can you do to stop

More information

Cybersecurity Enhancement Account. FY 2017 President s Budget

Cybersecurity Enhancement Account. FY 2017 President s Budget Cybersecurity Enhancement Account FY 2017 President s Budget February 9, 2016 Table of Contents Section 1 Purpose... 3 1A Mission Statement... 3 1.1 Appropriations Detail Table... 3 1B Vision, Priorities

More information

GAO CRITICAL INFRASTRUCTURE PROTECTION. Significant Challenges in Developing Analysis, Warning, and Response Capabilities.

GAO CRITICAL INFRASTRUCTURE PROTECTION. Significant Challenges in Developing Analysis, Warning, and Response Capabilities. GAO United States General Accounting Office Testimony Before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate For Release on Delivery Expected

More information

How To Protect Yourself From Cyber Crime

How To Protect Yourself From Cyber Crime Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist October 25, 2013 Congressional Research Service 7-5700 www.crs.gov R42507 c11173008 Cybersecurity: Authoritative

More information

Keynote: FBI Wednesday, February 4 noon 1:10 p.m.

Keynote: FBI Wednesday, February 4 noon 1:10 p.m. Keynote: FBI Wednesday, February 4 noon 1:10 p.m. Speaker: Leo Taddeo Special Agent in Change, Cyber/Special Operations Division Federal Bureau of Investigation Biography: Leo Taddeo Leo Taddeo is the

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5205.16 September 30, 2014 USD(I) SUBJECT: The DoD Insider Threat Program References: See Enclosure 1 1. PURPOSE. In accordance with sections 113 and 131 through

More information

GAO COMBATING TERRORISM. Observations on Options to Improve the Federal Response. Testimony

GAO COMBATING TERRORISM. Observations on Options to Improve the Federal Response. Testimony GAO For Release on Delivery Expected at 3:00 p.m. Tuesday, April 24, 2001 United States General Accounting Office Testimony Before the Subcommittee on Economic Development, Public Buildings, and Emergency

More information

HOLISTIC APPROACHES TO CYBERSECURITY TO ENABLE NETWORK CENTRIC OPERATIONS

HOLISTIC APPROACHES TO CYBERSECURITY TO ENABLE NETWORK CENTRIC OPERATIONS Statement before the House Armed Services Committee, Subcommittee on Terrorism, Unconventional Threats and Capabilities HOLISTIC APPROACHES TO CYBERSECURITY TO ENABLE NETWORK CENTRIC OPERATIONS A Statement

More information

An Overview of Large US Military Cybersecurity Organizations

An Overview of Large US Military Cybersecurity Organizations An Overview of Large US Military Cybersecurity Organizations Colonel Bruce D. Caulkins, Ph.D. Chief, Cyber Strategy, Plans, Policy, and Exercises Division United States Pacific Command 2 Agenda United

More information

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division

More information

Legislative Language

Legislative Language Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

More information

Espionage and Intelligence. Debra A. Miller, Book Editor

Espionage and Intelligence. Debra A. Miller, Book Editor Espionage and Intelligence Debra A. Miller, Book Editor Intelligence... has always been used by the United States to support U.S. military operations, but much of what forms today s intelligence system

More information

No. 33 February 19, 2013. The President

No. 33 February 19, 2013. The President Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001

More information

A Community Position paper on. Law of CyberWar. Paul Shaw. 12 October 2013. Author note

A Community Position paper on. Law of CyberWar. Paul Shaw. 12 October 2013. Author note A Community Position paper on Law of CyberWar Paul Shaw 12 October 2013 Author note This law and cyberwar paper / quasi-treatise was originally written for a course in a CISO certification curriculum,

More information

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY CYBER HYGIENE AND ORGANIZATIONAL PLANNING ARE AT LEAST AS INTEGRAL TO SECURING INFORMATION NETWORKS AS FIREWALLS AND ANTIVIRUS SOFTWARE Cybersecurity

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Audit Report Follow-up Audit of the Department's Cyber Security Incident Management Program DOE/IG-0878 December 2012

More information

Cyber Incident Annex. Federal Coordinating Agencies. Coordinating Agencies. ITS-Information Technology Systems

Cyber Incident Annex. Federal Coordinating Agencies. Coordinating Agencies. ITS-Information Technology Systems Cyber Incident Annex Coordinating Agencies ITS-Information Technology Systems Support Agencies Mississippi Department of Homeland Security Mississippi Emergency Management Agency Mississippi Department

More information

Preventing and Defending Against Cyber Attacks November 2010

Preventing and Defending Against Cyber Attacks November 2010 Preventing and Defending Against Cyber Attacks November 2010 The Nation s first ever Quadrennial Homeland Security Review (QHSR), delivered to Congress in February 2010, identified safeguarding and securing

More information

STATEMENT OF JOSEPH M. DEMAREST, JR. ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION

STATEMENT OF JOSEPH M. DEMAREST, JR. ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION STATEMENT OF JOSEPH M. DEMAREST, JR. ASSISTANT DIRECTOR CYBER DIVISION FEDERAL BUREAU OF INVESTIGATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM COMMITTEE ON JUDICIARY UNITED STATES SENATE ENTITLED:

More information

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, 2013. February 12, 2013

THE WHITE HOUSE. Office of the Press Secretary. For Immediate Release February 12, 2013. February 12, 2013 THE WHITE HOUSE Office of the Press Secretary For Immediate Release February 12, 2013 February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical Infrastructure Security and Resilience The

More information

Cybersecurity: Authoritative Reports and Resources

Cybersecurity: Authoritative Reports and Resources Cybersecurity: Authoritative Reports and Resources Rita Tehan Information Research Specialist July 11, 2013 CRS Report for Congress Prepared for Members and Committees of Congress Congressional Research

More information

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Internet Safety and Security: Strategies for Building an Internet Safety Wall Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet

More information

GAO DEFENSE DEPARTMENT CYBER EFFORTS. DOD Faces Challenges In Its Cyber Activities. Report to Congressional Requesters

GAO DEFENSE DEPARTMENT CYBER EFFORTS. DOD Faces Challenges In Its Cyber Activities. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters July 2011 DEFENSE DEPARTMENT CYBER EFFORTS DOD Faces Challenges In Its Cyber Activities GAO-11-75 July 2011 DEFENSE

More information

TYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME. Haya Fetais & Mohammed Shabana. Saint Leo University COM- 510

TYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME. Haya Fetais & Mohammed Shabana. Saint Leo University COM- 510 TYPES, PREVALENCE, AND PREVENTION OF CYBERCRIME Haya Fetais & Mohammed Shabana Saint Leo University COM- 510 November 23, 2014 Introduction Globalization and technological developments have infiltrated

More information

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems U.S. Office of Personnel Management Actions to Strengthen Cybersecurity and Protect Critical IT Systems June 2015 1 I. Introduction The recent intrusions into U.S. Office of Personnel Management (OPM)

More information

United States House of Representatives United States House of Representatives. Washington, DC 20515 Washington, DC 20515

United States House of Representatives United States House of Representatives. Washington, DC 20515 Washington, DC 20515 April 17, 2015 The Honorable John Boehner The Honorable Nancy Pelosi Speaker of the House Democratic Leader United States House of Representatives United States House of Representatives H-232, U.S. Capitol

More information

STATEMENT OF GENERAL KEITH B. ALEXANDER, USA COMMANDER, UNITED STATES CYBER COMMAND DIRECTOR, NATIONAL SECURITY AGENCY CHIEF, CENTRAL SECURITY SERVICE

STATEMENT OF GENERAL KEITH B. ALEXANDER, USA COMMANDER, UNITED STATES CYBER COMMAND DIRECTOR, NATIONAL SECURITY AGENCY CHIEF, CENTRAL SECURITY SERVICE STATEMENT OF GENERAL KEITH B. ALEXANDER, USA COMMANDER, UNITED STATES CYBER COMMAND DIRECTOR, NATIONAL SECURITY AGENCY CHIEF, CENTRAL SECURITY SERVICE BEFORE THE SENATE COMMITTEE ON APPROPRIATIONS CYBERSECURITY:

More information

Chairman Johnson, Ranking Member Carper, and Members of the committee:

Chairman Johnson, Ranking Member Carper, and Members of the committee: UNITED STATES OFFICE OF PERSONNEL MANAGEMENT STATEMENT OF THE HONORABLE KATHERINE ARCHULETA DIRECTOR U.S. OFFICE OF PERSONNEL MANAGEMENT before the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

More information

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

More information

AND RESPONSE. Continuity Insights Conference Chicago June 18-19, 2013. Unclassified

AND RESPONSE. Continuity Insights Conference Chicago June 18-19, 2013. Unclassified CYBER THREATS AND RESPONSE Continuity Insights Conference Chicago June 18-19, 2013 Unclassified OBJECTIVES Why it is important Threats, players, and response FBI s Next Generation Cyber Government and

More information

Department of Defense DIRECTIVE

Department of Defense DIRECTIVE Department of Defense DIRECTIVE NUMBER 5400.11 October 29, 2014 DCMO SUBJECT: DoD Privacy Program References: See Enclosure 1 1. PURPOSE. This directive: a. Reissues DoD Directive (DoDD) 5400.11 (Reference

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework (U) Appendix E: Case for Developing an International Cybersecurity Policy Framework (U//FOUO) The United States lacks a comprehensive strategic international policy framework and coordinated engagement

More information

Public Law 113 283 113th Congress An Act

Public Law 113 283 113th Congress An Act PUBLIC LAW 113 283 DEC. 18, 2014 128 STAT. 3073 Public Law 113 283 113th Congress An Act To amend chapter 35 of title 44, United States Code, to provide for reform to Federal information security. Be it

More information

UN Emergency Summit on Cyber Security Topic Abstract

UN Emergency Summit on Cyber Security Topic Abstract UN Emergency Summit on Cyber Security Topic Abstract Dear Delegates and Moderators, Welcome to the UN Emergency Summit on Cyber Security! Cyber security is one of the most relevant issues in the international

More information

Cyber Security in the U.S.

Cyber Security in the U.S. Cyber Security in the U.S. Prof. Lance J. Hoffman Cyber Security Policy and Research Institute The George Washington University Washington DC 20052 lanceh@gwu.edu (1) 202 994-4955 Panel on Cyber Security

More information