Cybercrime Law and Public Policy
Local, state, and federal government are divided into three separate and distinct branches (legislative, judicial, and executive) that all work to provide safety, security, and order to society. The legislative branch creates laws. The executive branch is the administrative branch that, among other things, enforces the laws created by the legislative branch. Finally, the judicial branch interprets laws. One potential negative aspect of our Constitutional Republic is that “the lawmaking process moves slowly” (UMUC, 620 Module 1, p. 4). Lawmaking is cumbersome, reactionary, and subject to a plethora of opinions from subject matter experts, attorneys, the judiciary, and most importantly special interest groups such as the Cybersecurity Shared Interest Group (Cyber SIG) or FIRST, the Forum of Incident Response and Security Teams. Public law and public policy creation are reactionary because each is an action taken in response to some perceived social need. At the federal level, bills go through three phases (debate, committee, and enactment) in the lawmaking process before they finally become law. Bills, joint resolutions, concurrent resolutions, and simple resolutions are the various means by which the process begins in reaction to some event or series of events that catches the public’s attention and requires action by Congress (legislation), the Judiciary (court opinions), or the Office of the President (executive orders). Once a bill has been introduced and has worked its way through committees, it goes on to debate and then through the amendment process if needed; once this is completed, the bill goes to the President’s desk, where he has a specific time period to sign the bill, veto the bill, or take no action, in which case the bill becomes law. The veto process includes sending an unsigned bill back to the legislative branch. At the federal level, a veto is overridden by a two-thirds vote in each house.
Sometimes proposed legislation takes years, maybe decades, before it finally becomes law. Some legislation takes a long time because of partisanship, which could be rooted in ideological differences, but at other times the delay is the result of constitutional issues. But perhaps the biggest reason some legislation takes time is the requirement that it pass both the house and senate at the federal or state level.
The critical infrastructure consists of 16 sectors that include chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial, food and agriculture, government facilities, healthcare, information technology, nuclear reactors, material and waste, sector specific, transportation, and water and wastewater. It is copiously clear that in the post-9/11 epoch cyber-threats are ubiquitous; and because this is true and the threats focus on government, commercial, and personal information systems (including critical infrastructure), comprehensive and far-reaching laws and policies at every level (from personal to government) are indispensable. Rollins and Henning (2009) state that the George H. W. Bush Administration created the Comprehensive National Cybersecurity Initiative (CNCI) by means of “a classified joint presidential directive” (Summary, no page). The President, through the Homeland Security Presidential Directive 23 and the National Security Presidential Directive 54, created the CNCI, which is now responsible for establishing “policy, strategy, and guidelines to secure federal systems” (p. 1). The government’s justification for creating those guidelines is based in part on the potential for infiltration by unauthorized and illegal hackers, vandals, and saboteurs intent on causing economic, political, and social chaos. The same justification is used to mandate compliance with laws, regulations, and policies in the private sector (i.e., Sarbanes-Oxley Act: SEC; Gramm-Leach-Bliley Act: Financial Services; HIPAA: Health Information; HITECH, which appends HIPAA; CFAA; The PATRIOT Act; FISA: Foreign Intelligence; and National Security Letters: FBI authority to demand personal customer information) (UMUC, Module 1, Topic 4). There are, of course, supporters and opponents of each of these measures.
But for the most part, the opposition to any of these is based on the potential for misuse by the government. Misuse in this sense means use outside the scope of applicability by the agency and/or personnel associated with the agency and its goals and objectives. In most cases such use is illegal and exposes violators to criminal and civil liability, such as the IRS misusing its authority, or the FBI or state and local law enforcement using illegal or unauthorized means for personal gain or retribution.
Government Methods of Intervention
National Security Letters (NSLs), otherwise known as administrative subpoenas, are an interesting example of how government uses its power and authority through the FBI in ascertaining someone’s bank account information, credit card account information, wireless provider information, and Internet service provider (ISP) information, all without a judge or magistrate signing a warrant or any approval from the court of jurisdiction. Additionally, the bank, credit card company, ISP, or wireless provider is expressly prohibited from disclosing to its customers the fact that the FBI has requested and been given access to that information. What is interesting about NSLs is that they are intended only for terrorism and espionage. Intelligence-led policing and investigations thrive on the networking between individuals or someone’s network of contacts.
According to German, Richardson, Caproni, and Siegel (2012), several types of NSLs exist. Two were established by Congress in 1986, one through the Electronic Communications Privacy Act and another through the Right to Financial Privacy Act, in an effort to add another tool to the FBI investigative toolbox for foreign intelligence investigations. Congress also authorized the Fair Credit Reporting Act and the National Security Act authorizing the use of NSLs when investigating government employees. German and Richardson argue that the Patriot Act gives the FBI “overbroad authority” and that they have “disrespect for legal boundaries.” Further, the FBI appears to be unable to maintain control over its agents or to “self-police” because its use of NSLs has resulted in “the issuance of hundreds of thousands of NSLs, often targeting people two or three times removed from the subjects of investigations” (German et al., 2012, para. 14).
German and Richardson’s position is supported by several Inspector General reports to the House Judiciary Committee, and an FBI internal investigation into NSLs revealed and “identified violations of law or intelligence policy” (para. 17). According to IG audits, it is estimated that in 2003 there may have been as many as “600 cases of serious misconduct” (para. 17).
Caproni and Siegel (2012) admit that there are some issues associated with the FBI’s use of NSLs, but counter the argument made by German and Richardson (2012) by stating that the FBI’s authority relating to NSLs is very restricted and that the vast majority of issues listed by their counterparts are merely mistakes on the part of the third party who provided information that the FBI did not request in the first place. The Inspectors General determined that the FBI did have some issues regarding NSLs, but by the second year the FBI had put “checks and balances” (mandatory training for high-ranking FBI officials) into place that prevented misuse of NSLs and provided rules and regulations for high-level executives within the FBI (including SACs, Supervisor Agents in charge of field offices) in association with NSLs. To further demonstrate adherence to these rules, regulations, guidelines, and the law, FBI attorneys are now responsible for reviewing every NSL “before it may be authorized and clearly articulates the parameters for that review” (German et al., 2012, para. 40). The Federal Bureau of Investigation first used NSLs in 1986, and since that time there have been far too many abuses by the FBI. Based upon the recommendations of three Inspector General reports, anyone involved in NSLs must go through mandatory training related to all issues (legal, ethical, and operational) before they can be part of any NSL process. FBI policies mandate that only high-ranking FBI officials at FBI headquarters and Special Agents in charge of field offices can issue NSLs. Their training is provided by the United States Department of Justice and is mandatory. Because the number of persons eligible to issue NSLs is so small, this training compliance is easily maintained by the U.S. DOJ (German et al., 2012). The United States Department of Justice oversees all matters related to NSLs.
Earlier mention was made of the three branches of government (legislative, judicial, and executive); the three branches serve as the “checks and balances” for the efficient and fair application of laws and due process. Our Constitutional Republic was set up by the Founding Fathers specifically to prevent government deprivation of citizens’ rights (individually and collectively). Often unmentioned in the system of checks and balances is the “Grand Jury,” which serves as the checks and balances on law enforcement and their adherence to the Fourth, Fifth, Sixth, Eighth, Tenth, and Fourteenth Amendments to the United States Constitution (Bill of Rights).
Real World Example: Doe v. Ashcroft, 334 F. Supp. 2d 471 (S.D.N.Y.)
18 U.S.C. § 2709 was first challenged in 2004 in the case of Doe v. Ashcroft, 334 F. Supp. 2d 471 (S.D.N.Y.) by the American Civil Liberties Union (ACLU), which represented an unidentified ISP. At the heart of the legal argument was the claim that 18 U.S.C. § 2709 violated the First, Fourth, and Fifth Amendment rights of the ISP in that, among other things, the ISP was prevented from even seeking legal advice from counsel. And while the presiding Judge Victor Marrero acknowledged the government’s arguments related to secrecy and their “mosaic theory,” he nonetheless ruled in favor of the ISP, stating that “the government has failed to carry its burden to show that the extraordinary scope of § 2709(c) is always necessary,” and struck down § 2709 as unconstitutional under the First Amendment (Neiland, 2007, p. 1220). This was the first legal attack on the government’s use of NSLs but not the last. The second challenge came in August of the following year (2005). What is compelling here is that the ACLU, rather than moving for summary judgment as was the case in Doe v. Ashcroft, decided upon a different strategy that forced the case to trial and public exposure and a full debate “over the extension and amendment of the Patriot Act” and “sought a preliminary injunction barring enforcement of § 2709(c)’s nondisclosure provision” (p. 1220).
The law, especially in the United States, is a living, breathing entity that always lives to fight another day, which this case proved by the actions of Judge Janet C. Hall. In a very savvy move, Judge Hall granted the preliminary injunction, but then she cleverly “ordered a stay of the judgment pending appeal” (p. 1223). Hall’s reasoning was this: ordering a permanent injunction would conceivably render the need for a trial on the merits “partially moot.”
Once the plaintiffs could publicly disclose their identity in defiance of § 2709(c), there would be little point in litigating that provision’s constitutionality. As a result, the plaintiffs needed to show a heightened likelihood of ultimate success on the merits (Doe v. Gonzales, 546 U.S. (2005)).
Judge Hall played her role perfectly, and the case was heard by the Second U.S. Circuit Court of Appeals and then by Justice Ginsburg, who sat alone as the Second Circuit Justice for the United States Supreme Court. In the end, the court once again rejected the government’s arguments.
Impact of the real-world examples of Gonzales and Ashcroft
The first two challenges to the Patriot Act, 18 U.S.C. § 2709, and NSLs were quintessential examples of how the “checks and balances” that the Founding Fathers envisioned should work in a Constitutional Republic based in democratic principles. As a result of the two successful challenges to 18 U.S.C. § 2709 and NSLs, Congress was forced to go back in 2006 and address the unconstitutional issues brought forth in the Gonzales and Ashcroft cases. The following are changes that resulted from the two challenges:
- NSL recipients can now seek the advice of counsel
- NSL recipients can now challenge the NSL in court
- A mechanism is now in place for enforcing compliance that allows a judge to punish noncompliance, which was not in the original statute
- There are new definitions of nondisclosure
- Nondisclosure is no longer automatic and forces the government to prove or certify that disclosure would have a detrimental impact on national security
There are no arguments that protecting life, liberty, and property is not the express province of local, state, and federal government agencies and branches (legislative, judicial, executive). Fortunately, the men and women who work so methodically and diligently are for the most part honest, hard-working, and professional. Unfortunately, there are times when people become over-zealous in their attempts to carry out their jobs and missions and resort to short-cuts. It is also true that some people lose their way and resort to using information (protected, sensitive information, classified and unclassified) for personal gain; these are the types of abuses that cannot be tolerated. But in the end, the “Grand Jury,” what some like to call the fourth branch of government, is another avenue that citizens can rely on when illegal activity by someone is suspected. Cybercrime and cyberterrorism are problems that must be dealt with using every tool possible and within the law. As we observe here, many unconstitutional aspects of the Patriot Act or NSLs have been reviewed, adjudicated, and amended on a continual basis. God bless America and the Founding Fathers whose vision continues to amaze me.
German, M., Richardson, M., Caproni, V., and Siegel, S. (2012). National Security Letters: Building blocks for investigations or intrusive tool? ABA Journal, September 01, 2012.
Neiland, A. E. (2007). National security letters and the amended Patriot Act. Cornell Law Review, Vol. 92, Issue 6, September 2007. Retrieved from:
Rollins, J. W. and Henning, A. C. (2009). Comprehensive National Cybersecurity Initiative: Legal authorities and policy considerations. Retrieved from:
UMUC (2015). CSEC, 620 Module 1, p. 4.
United States Department of Justice. (N.D.). U.S. Department of Justice Office of the Inspector General UNCLASSIFIED A Review of the FBI’s Use of National Security Letters: Assessment of Corrective Actions and Reauthorization Act. Retrieved from