Critical Information Infrastructure Protection and the Law

AN OVERVIEW OF KEY ISSUES

Committee on Critical Information Infrastructure Protection and the Law

Computer Science and Telecommunications Board

NATIONAL ACADEMY OF ENGINEERING

NATIONAL RESEARCH COUNCIL OF THE NATIONAL ACADEMIES

Stewart D. Personick and Cynthia A. Patterson, Editors

THE NATIONAL ACADEMIES PRESS
Washington, D.C. www.nap.edu








THE NATIONAL ACADEMIES PRESS
500 Fifth Street, N.W.
Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

Support for this project was provided by the National Academy of Engineering. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsor.

International Standard Book Number 0-309-08878-X (book)
International Standard Book Number 0-309-50637-9 (PDF)

Copies of this report are available from the National Academies Press, 500 Fifth Street, N.W., Lockbox 285, Washington, D.C. 20055, (800) 624-6242 or (202) 334-3313 in the Washington metropolitan area. Internet, http://www.nap.edu

Copyright 2003 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Bruce M. Alberts is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Wm. A. Wulf is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chair and vice chair, respectively, of the National Research Council.

www.national-academies.org

COMMITTEE ON CRITICAL INFORMATION INFRASTRUCTURE PROTECTION AND THE LAW

STEWART D. PERSONICK, Drexel University, Chair
MICHAEL COLLINS, Lockheed Martin
WILLIAM J. COOK, Freeborn & Peters
DEBORAH HURLEY, Harvard University
DANIEL SCHUTZER, Emerging Technologies, Citigroup
W. DAVID SINCOSKIE, Telcordia Technologies
RICHARD R. VERMA, Council on Foreign Relations
MARC J. ZWILLINGER, Sonnenschein Nath & Rosenthal

Staff
CYNTHIA A. PATTERSON, Study Director and Program Officer
MARJORY S. BLUMENTHAL, Director
D.C. DRAKE, Senior Project Assistant

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

DAVID D. CLARK, Massachusetts Institute of Technology, Chair
ERIC BENHAMOU, 3Com Corporation
DAVID BORTH, Motorola Labs
JOHN M. CIOFFI, Stanford University
ELAINE COHEN, University of Utah
W. BRUCE CROFT, University of Massachusetts at Amherst
THOMAS E. DARCIE, University of Victoria
JOSEPH FARRELL, University of California at Berkeley
JOAN FEIGENBAUM, Yale University
WENDY KELLOGG, IBM Thomas J. Watson Research Center
BUTLER W. LAMPSON, Microsoft Corporation
DAVID LIDDLE, U.S. Venture Partners
TOM M. MITCHELL, Carnegie Mellon University
HECTOR GARCIA MOLINA, Stanford University
DAVID A. PATTERSON, University of California at Berkeley
HENRY (HANK) PERRITT, Chicago-Kent College of Law
DANIEL PIKE, GCI Cable and Entertainment
ERIC SCHMIDT, Google, Inc.
FRED SCHNEIDER, Cornell University
BURTON SMITH, Cray Inc.
LEE SPROULL, New York University
WILLIAM STEAD, Vanderbilt University
JEANNETTE M. WING, Carnegie Mellon University

MARJORY S. BLUMENTHAL, Executive Director
KRISTEN BATCH, Research Associate
JENNIFER BISHOP, Senior Project Assistant
JANET BRISCOE, Administrative Officer
DAVID DRAKE, Senior Project Assistant
JON EISENBERG, Senior Program Officer
RENEE HAWKINS, Financial Associate
PHIL HILLIARD, Research Associate
MARGARET MARSH HUYNH, Senior Project Assistant
ALAN S. INOUYE, Senior Program Officer
HERBERT S. LIN, Senior Scientist
LYNETTE I. MILLETT, Program Officer
DAVID PADGHAM, Research Associate
CYNTHIA A. PATTERSON, Program Officer
JANICE SABUDA, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant
STEVEN WOO, Dissemination Officer

For more information on CSTB, see its Web site at <http://www.cstb.org>; write to CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20418; call at (202) 334-2605; or e-mail the CSTB at cstb@nas.edu.

NATIONAL ACADEMY OF ENGINEERING PROGRAM COMMITTEE

PETER STAUDHAMMER, TRW Inc., Chair
RODICA A. BARANESCU, International Truck & Engine Corporation
CORALE L. BRIERLEY, Brierley Consultancy LLC
PALLAB K. CHATTERJEE, i2 Technologies
WOODIE C. FLOWERS, Massachusetts Institute of Technology
GORDON E. FORWARD, TXI
RENATO FUCHS, Transkaryotic Therapies, Inc.
MARTIN E. GLICKSMAN, Rensselaer Polytechnic Institute
THOMAS E. GRAEDEL, Yale University
BRUCE HAJEK, University of Illinois
GEORGE M. HORNBERGER, University of Virginia
KENNETH H. KELLER, University of Minnesota
MARGARET A. LEMONE, National Center for Atmospheric Research
RICHARD J. LIPTON, Georgia Institute of Technology
EUGENE MEIERAN, Intel Corporation
FREDERICK G. POHLAND, University of Pittsburgh
C. PAUL ROBINSON, Sandia National Laboratories
FRIEDER SEIBLE, University of California, San Diego
LAURENCE C. SEIFERT, AT&T Corporation
CHRIS G. WHIPPLE, Environ, Inc.

Ex Officio Members
GEORGE M.C. FISHER, Eastman Kodak Company, NAE Chair
SHEILA WIDNALL, Massachusetts Institute of Technology, NAE Vice President
WM. A. WULF, National Academy of Engineering, President

Staff
PROCTOR REID, National Academy of Engineering, Associate Director, Program Office
JACK FRITZ, National Academy of Engineering, Senior Program Officer, Program Office


PREFACE

Critical infrastructure protection emerged as a national concern in the late 1990s. The establishment in 1996 of the President’s Commission on Critical Infrastructure Protection (PCCIP), its 1997 report Critical Foundations: Protecting America’s Infrastructures, and the issuance in 1998 of Presidential Decision Directive 63 and the establishment of the Critical Infrastructure Assurance Office (CIAO) promoted awareness of critical infrastructure issues. Among the many forms of critical infrastructure—such as transportation, energy, and water—the information infrastructure, which combines computing and communications systems, stands out as important in its own right and as a crosscutting factor in all other infrastructures. Like power, information infrastructure is a critical infrastructure that all other critical infrastructures depend upon. The Bush administration’s review of critical infrastructure protection activities, the tragic events of September 11, and the new national focus on homeland security in general (and cyberterrorism in particular) signal a need for broader reflection, as well as action, on these issues. Progress, however, will require the development of a clear legal framework, in addition to focusing on the technology and current business practices in the public and private sectors.

The National Academy of Engineering asked the Computer Science and Telecommunications Board to organize a symposium to illuminate the range of legal issues and the range of perspectives on issues associated with protection of the critical information infrastructure. CSTB convened the Committee on Critical Information Infrastructure Protection and the Law (see Appendix A for committee biographies) to undertake the project, asking it to focus on information sharing and liability. While previous CSTB efforts addressed technical, procedural, and policy aspects of [information] security and crisis management, this project emphasizes the role of the law as a barrier to or a facilitator of progress.

The committee met in June 2001 to plan a 2-day symposium, which was held October 22-23, 2001 (the agenda is listed in Appendix B). The committee met again in December 2001 to plan the structure and format of this summary report, which evolved through the end of 2002.

The attacks of September 11, 2001, had a major impact on this project. The tragic events forced some expected participants to cancel their travel, while other initially reluctant parties became willing to participate. The subject matter of the symposium became even more relevant to participants who were not speakers, and the tone and subject matter of presentations and discussions were tailored to and colored by the attacks. As a result, the symposium was larger than anticipated. The discussions were less abstract or hypothetical and more rooted in various realities. Concerns that were expressed at the symposium about issues such as privacy rights and the legal and business risks of sharing information appeared to some committee members to be surprisingly muted. Law enforcement representatives at the symposium expressed a surprising willingness to share information in ways that might impair their ability to prosecute suspected criminals and terrorists, in exchange for improving the ability of the broader community to prevent attacks. The committee does not know if this is a short-lived, politically correct retrenchment or a permanent shift to a new balance of the trade-offs associated with these complex issues.

Meanwhile, responses to September 11 continued to unfold throughout the period in which this report was drafted, greatly complicating the task of describing contemporary conditions and prospects. The dynamism of the situation would make any report with concrete recommendations obsolete before it was published. Against this backdrop, the committee chose to highlight enduring observations, focusing on two issues that could potentially facilitate critical information infrastructure protection efforts—information sharing and the liability of unsecured systems and networks. The committee sought to summarize the debate surrounding use of the Freedom of Information Act (FOIA), antitrust, and liability laws that lie at the heart of critical information infrastructure protection, attempting to maintain that focus in the face of substantial blurring between those issues and the larger set of homeland security issues facing the country.

The content of this report reflects the issues identified at the symposium and during subsequent deliberations by the committee. The value of the report lies in its integration of a very diverse set of perspectives to provide a roadmap and stimulus for future more focused and in-depth inquiries.

The committee is particularly grateful to Wm. A. Wulf, whose commitment to addressing the problems posed by critical infrastructure protection (CIP) and whose recognition that the law presents challenges and opportunities in that arena helped to shape this project. His engagement with members of the National Academy of Engineering (NAE), among them John Harris, and with its program committee provided most of the project’s funding.

The committee thanks the symposium participants (see Appendix B for a list of speakers) as well as the many people who responded to its requests for briefings and discussions. Lee Zeichner and Timothy Nagle provided informed discussion on how to frame the project.

The committee appreciates the thoughtful comments received from the reviewers of this report. These comments were instrumental in helping the committee to sharpen and improve the report.

The chairman and the entire committee wish to express their deep appreciation for the herculean efforts of the study director, Cynthia Patterson, and the project assistant, David Drake, who performed the lion’s share of the work required to organize and run the symposium, to create this report, and to shepherd it through the necessary review and revision processes. We would also like to express our deep appreciation for the guidance, leadership, encouragement, and advice provided to us by Marjory Blumenthal, the director of the Computer Science and Telecommunications Board of the NRC.

Stewart D. Personick, Chair
Committee on Critical Information Infrastructure Protection and the Law


ACKNOWLEDGMENT OF REVIEWERS

This report was reviewed by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s (NRC’s) Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the authors and the NRC in making the published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The contents of the review comments and draft manuscript remain confidential to protect the integrity of the deliberative process.

We wish to thank the following individuals for their participation in the review of this report: Kent Alexander, Emory University; David A. Balto, White & Case LLP; Stanley M. Besen, Charles River Associates; Nicholas M. Donofrio, IBM Corporation; Marc D. Goodman, Decision Strategies; John C. Klensin, AT&T Labs; David J. Loundy, DePaul University College of Commerce; Alan B. Morrison, Stanford Law School; Robert Murphy, Congressional Budget Office; Debra Pearlstein, Weil, Gotshal & Manges LLP; Abraham D. Sofaer, Stanford University; and Suzanne Spaulding, American Bar Association’s Standing Committee on Law and National Security.

Although the reviewers listed above provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by Chris Sprigman of King & Spalding LLP. Appointed by the National Research Council, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.

CONTENTS

EXECUTIVE SUMMARY, 1

1 INTRODUCTION AND CONTEXT, 8
    Rise of CIP as a Policy Issue, 9
    Events of September 11, 2001, 14
    This Report, 15

2 INCREASING THE FLOW OF INFORMATION, 17
    Information Sharing Framework, 20
    (Perceived) Barriers to Information Sharing, 24
    Freedom of Information Act, 25
    Antitrust, 30
    Concluding Observations, 33

3 LIABILITY FOR UNSECURED SYSTEMS AND NETWORKS, 35
    Criminal Law, 35
    Domestic Jurisdiction, 36
    International Jurisdiction, 39
    Civil Liability, 40
    Contract Law, 44
    Tort Law, 45
    Standards and Best Practices, 50
    Regulation, 56

4 MOVING FORWARD, 61
    Motivating the Private Sector, 62
    Market Failure?, 62
    Insurance: Motivator for Good Behavior, 65
    R&D to Alter the Costs of Security, 66
    Awareness, 67
    Security and Privacy Tensions, 69
    A Trust Network, 72

APPENDIXES
    A COMMITTEE MEMBER AND STAFF BIOGRAPHIES, 77
    B SYMPOSIUM AGENDA, 83