Cybercrime Law and Public Policy Emphasizing the Use of National Security Letters


Social contract theory was originally promulgated by the sophists between 450-350 B.C. and later was significant in the works of Hobbes, Locke and Rousseau. And while there are some differences accorded by each of these political philosophers it is generally accepted that the government or the sovereign state is responsible for security and order through social contract. Citizens who voluntarily surrender some rights and freedoms in return for some degree of security, freedom, and right to life, liberty, and property give the government their authority. One example of a right that is forfeited is the personal retaliation. In a state of nature, life is limitless, and everyone has a right to everything. The state attempts to maintain order and security through laws and statutes that govern action or inaction and in the case of the criminal law provides sanctions or punishment for those found guilty of violation of those laws and statutes.
The purpose of this short essay is to examine cyber-security law, regulation, and Executive Orders in relation to national security and the protection of the population. One example of an Executive Order is EO 13636, Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience. Over half of the states enacted legislation relative to cybersecurity in 2019. One example is in Louisiana is LA H 74 which created the crime of trespass against state computers.

Key Words

Some key words and terms include but are not limited to cyber-crime, cyber-security, mosaic theory, national security, government intervention, and private industry.

Cybercrime Law and Public Policy


     Local, state, and federal government are divided into three separate and distinct branches (legislative, judicial, and executive) that all work to provide safety, security, and order to society.  The legislative branch creates laws.  The executive branch is the administrative branch that among other things enforces the laws created by the legislative branch.  Finally, the judicial branch interprets laws.  One potential negative aspect of our Constitutional Republic is associated with the fact that “the lawmaking process moves slowly” (UMUC, 620 Module 1, p. 4).  Lawmaking is cumbersome, reactionary, and subject to a plethora of opinions from subject matter experts, attorneys, the judiciary, and most importantly special interests groups such as the Cybersecurity Shared Interest Group (Cyber SIG) or FIRST, the Forum of Incident Response and Security Teams.  Public law and public policy creation are reactionary because each is an action taken in response to some perceived social need.  At the federal level, bills go through three phases (debate, committee, and enactment) in the lawmaking process before they finally become law.  Bills, joint resolutions, concurrent resolutions and simple resolutions are the various means by which the process begins in reaction to some event or series of events that catch the public’s attention and requires action by Congress, (legislation) the Judiciary, (Court Opinions) or the Office of the President (Executive Orders).  Once a bill has been introduced and has worked its way through committees it goes on to debate, and then through the amendment process if needed; once this is completed the bill goes to the President’s desk where he has a specific time period to sign the bill, veto the bill, or take no action, in which case the bill becomes law.  The veto process includes sending an unsigned bill back to the legislative branch.  At the federal level, a veto is overridden by a two-third vote in each house.  Sometimes proposed legislation takes years–maybe decades–before they finally become law.  Some legislation takes a long time because of partisanship which could be rooted in ideological differences, but at other times is the result constitutional issues.  But perhaps the biggest reason some legislation takes time is the requirement that is passes both the house and senate at the federal or state level.

The critical infrastructure consists of 16-sectors that include chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial, food and agriculture, government facilities, healthcare, information technology, nuclear reactors, material and waste, sector specific, transportation, and water and wastewater.  It is copiously clear that in the post 9/11 epoch cyber-threats are ubiquitous; and because this is true and the threats focus on government, commercial, and personal information systems (including critical infrastructure), the obligatory need for comprehensive and far-reaching laws and policies at every level (from personal to government) are indispensable.  (Rollins and Henning (2009) state that the George H. W. Bush Administration created the Comprehensive National Cybersecurity Initiative (CNCI) by means of “a classified joint presidential directive” (Summary, no page).  The President, through the Homeland Security Presidential Directive 23 and the National Security Presidential Directive 54, created the CNCI which is now responsible for establishing “policy, strategy, and guidelines to secure federal systems” (p. 1).  The government’s justification for creating those guidelines is based in part on the potential for infiltration by unauthorized and illegal hackers, vandals, and saboteur’s intent on fulfilling economic, political, and social chaos.  The same justification is used to mandate compliance with laws, regulations, and polices in the private sector (i.e., Sarbanes-Oxley Act-SEC; Gramm-Leach-Bliley Act –Financial Services; HIPPA-Health Information; HITECH-which appends HIPPA; CFAA; The PATRIOT Act; FISA-Foreign Intelligence; and National Security Letters-FBI authority to demand personal customer information) (UMUC, Module 1, Topic 4).  There are, of course, supporters and opponents to each of these measures. But for the most part, the opposition to one or any of these is based on the potential for misuse by the government.  Misuse in this sense is intended to mean outside the scope of applicability by the agency and/or personnel associated with the agency and its goals and objectives and such use. In most cases this is illegal and exposes violators to criminal and civil liability—such as IRS misusing their authority, or the FBI or state and local law enforcement that use illegal or unauthorized means for personal gain or retribution.

Government Methods of Intervention

     National Security Letters (NSLs) and otherwise known as administrative subpoenas are an interesting example of how government uses their power and authority through the FBI in ascertaining someone’s bank account information, credit card account information, bank account information, wireless provider information and Internet service provider (ISP) information, all without a judge or magistrate signing a warrant or any approval from the court of jurisdiction.  Additionally, the bank, credit card company, ISP, or wireless provider are expressly prohibited from disclosing to their customers the fact that the FBI has requested and been given access to that information.  What is interesting about NSLs is that they are intended only for terrorism and espionage.  Intelligence-led policing and investigations thrive on the networking between individuals or someone’s network of contacts.

According to German, Richardson, Caproni, and Siegel (2012), several types of NSLs exist.  Two were established by Congress in 1986, one through the Electronic Communications Privacy Act and another through the Right to Financial Privacy Act in an effort to add another tool to the FBI investigative toolbox for foreign intelligence investigations.  Congress also authorized the Fair Credit Reporting Act and the National Security Act authorizing the use of NSLs when investigating government employees.  German and Richardson argue that the Patriot Act gives the FBI “overbroad authority” and they have “disrespect for legal boundaries.  Further the FBI appears to be unable to maintain control over their agents or to “self-police” because their use of NSLs has resulted in “the issuance of hundreds of thousands of NSLs, often targeting people two or three times removed from the subjects of investigations” (German, et. al., 2012, para. 14).

German and Richardson’s position is supported by several Inspector General’s reports to the House Judiciary Committee, and an FBI internal investigation into NSLs revealed and “identified violations of law or intelligence policy” (para. 17).  According to IG audits, it is estimated 2003 there may have been as many as “600 cases of serious misconduct” (para. 17).

Caproni and Siegel (2012) admit that there are some issues associated with the FBI’s use of NSLs, but counter the argument made by German and Richardson (2012) by stating that the FBI’s authority relating to NSLs is very restricted and that the vast majority of issues listed by their counterparts are merely mistakes on the part of the third party who provided information that the FBI did not request in the first place.  The Inspector Generals determined that the FBI did have some issues regarding NSLs but by the second year the FBI had put “checks and balances” (mandatory training for high-ranking FBI officials) into place that prevented misuse of NSLs and provided rules and regulations for high-level executives within the FBI (including SACS, Supervisor Agents in charge of field offices) in association with NSLs.  To further demonstrate adherence to these rules, regulations, guidelines and the law, FBI attorneys are now responsible for reviewing every NSL “before it may be authorized and clearly articulates the parameters for that review” (German, et. al., 2012, para. 40).  The Federal Bureau of Investigation first used NSLs in 1986 and since that time there have been far too many abuses by the FBI.  Based upon the recommendations of three Inspector Generals’ reports, anyone involved in NSLs must go through mandatory training related to all issues (legal, ethical, and operational) before they can be part of any NSL process. FBI policies mandate that only high-ranking FBI officials at FBI headquarters and Special Agents in charge of field offices can issue NSLs.  Their training is provided by the United States Department of Justice and the training is mandatory.  Because the number of persons eligible to issue NSLs is so small this training compliance is easily maintained by the U.S. DOJ (German, et. al., 2012). The United States Department of Justice oversees all matters related to NSLs.

Earlier mention was made of the three branches of government (legislative, judicial, and executive); the three branches serve as the “checks and balances” for the efficient and fair application of laws and due process.  Our Constitutional Republic was set up by the Founding Fathers specifically to prevent government depravation of citizen’s rights (individually and collectively).  Often unmentioned in the system of checks and balances is the “Grand Jury” which serves as the checks and balances on law enforcement and their adherence to the Fourth, Fifth, Sixth, Eight, Tenth, and Fourteenth Amendments to the United States Constitution (Bill of Rights).

Real World Example: Doe v. Ashcroft, 334 F. Supp. 2d 471 (S.D.N.Y.)

     18 U.S.C. § 2709 was first challenged in 2004 in the case of Doe v. Ashcroft, 334 F. Supp. 2d 471 (S.D.N.Y.) by the American Civil Liberties Union (ACLU) who represented an unidentified ISP.  At the heart of the legal argument was the fact that 18 U.S.C. § 2709 violated the First, Fourth, and Fifth Amendment rights of the ISP in that the ISP was prevented from even seeking legal advice from counsel among other things.  And while the presiding Judge Victor Marrero acknowledged the government’s arguments related to secrecy and their “mosaic theory” he nonetheless ruled in favor of the ISP stating that “the government has failed to carry its burden to show that the extraordinary scope of

  • 2709(c) is always necessary,” and struck down § 2709 as unconstitutional under the First Amendment (Neiland, 2007, p. 1220). This was the first legal attack on the government’s use of NSLs but not the last. The second challenge came in August of the following year (2005).  And what is compelling here is that the ACLU rather than moving for Summary Judgment as was the case in Doe v. Ashcroft, they decided upon a different strategy that forced the case to trial and public exposure and a full debate “over the extension and amendment of the Patriot Act” and “sought a preliminary injunction barring enforcement of § 2709(c)’s nondisclosure provision” (p. 1220).

The law, especially in the United States is a living, breathing entity that always lives to fight another day which this case proved by the actions of Judge Janet C. Hall.  In a very savvy move, Judge Janet C. Hall granted the preliminary injunction, but then she cleverly “ordered a stay of the judgment pending appeal” (p. 1223).  Hall’s reasoning was this; ordering a permanent injunction would conceivably reduce the need for a trial on the merits “partially moot.”

Once the plaintiffs could publicly disclose their identity in defiance of § 2709(c), there

would be little point in litigating that provision’s constitutionality.  As a result, the plaintiffs needed to show a heightened likelihood of ultimate success on the merits (Doe v. Gonzales, 546 U. S. (2005).

Judge Hall played her role perfectly and the case was heard by the Second U. S. Circuit Court of Appeal and then by Justice Ginsburg who sat alone as the Second Circuit Justice for the United States Supreme Court.  In the end, the court once again rejected the government’s arguments.

Impact of the real-world examples of Gonzales and Ashcroft

     The first two challenges to the Patriot Act and 18 U.S.C. § 2709 and NSLs were the quintessential example of how the “checks and balances” that the Founding Fathers envisioned should work in a Constitutional Republic based in democratic principles.  As a result of the two successful challenges to 18 U.S.C. § 2709 and NSLs, Congress was forced to go back in 2006 and address the unconstitutional issues brought forth in the Gonzales and Ashcroft cases.  The following are changes that resulted from the two challenges:

  • NSL recipients can now seek the advice of counsel
  • NSL recipient can now challenge the NSL in court
  • A mechanism is now in place for enforcing compliance and allows for a judge to punish noncompliance which was not in the original statute
  • There are new definitions of nondisclosure
  • Nondisclosure is no longer automatic and forces the government to prove or certify that disclosure would have a detrimental impact on national security


There are no arguments that protecting life, liberty, and property are not the expressed province of local, state, and federal government agencies and branches (legislative, judicial, executive).  Fortunately, the men and women who work so methodologically and diligently are for the most part honest, hard-working, and professional.  Unfortunately, there are times when people become over-zealous in their attempts to carry out their jobs and missions and resort to short-cuts.  It is also true, that some people lose their way and resort to using information (protected, sensitive information, classified and unclassified) for personal gain; these are the types of abuses that cannot be tolerated.  But in the end, the “Grand Jury” and what some like to call the fourth branch of government is another avenue that citizens can rely on when illegal activity by someone is suspected. Cybercrime and cyberterrorism are problems that must be dealt with using every tool possible and within the law.  As we observe here, many unconstitutional aspects of the Patriot Act or NSLs has been reviewed, adjudicated, and amended on a continual basis.  God bless American and the Founding Fathers whose vision continues to amaze me.


German, M., Richardson, M., Caproni, V., and Siegel, S. (2012).  National Security Letters:

Building blocks for investigations or intrusive tool? ABA Journal, September 01, 2012

Retrieved from:

Neiland, A. E. (2007). National security letters and the amended Patriot Act. Cornell Law

            Review. Vol. 92 Issue 6, September 2007. Retrieved from:

Rollins, J. W. and Henning, A. C.  (2009).  Comprehensive National Cybersecurity Initiative:

Legal authorities and policy considerations.  Retrieved from:

UMUC (2015). CSEC, 620 Module 1, p. 4

United States Department of Justice. (N.D.). U.S. Department of Justice Office of the Inspector

General UNCLASSIFIED A Review of the FBI’s Use of National Security Letters: Assessment of Corrective Actions and Reauthorization Act.  Retrieved from

Dr. Charles T. Kelly, Jr. received his Ph.D. in the Administration of Justice from the University of Southern Mississippi, a regionally accredited (SACS) Institution of Higher Learning in 2003. Dr. Kelly received a master’s degree in National Security from American Military University, master’s degree in Cyber Security Policy from the University of Maryland, master’s degree in Criminal Justice from the University of Alabama, and a bachelor’s degree in Criminal Justice from Loyola University. He selected USM at Hattiesburg, MS. for his doctoral degree because of the university’s wide-ranging doctoral studies approach and comprehensive requirements for doctoral students to concentrate on multiple academic disciplines. While at the University of Southern Mississippi, Dr. Kelly successfully completed arduous studies and specializations in the areas of Blackstone’s Commentaries on the Laws of England, the Political Economy of Criminal Justice, Police Administration, Public Policy in Criminal Justice Agencies, Quantitative Analysis, Special Problems in Policing, and Grantsmanship. As a result of his multidisciplinary expertise, Dr. Kelly has been selected to teach classes in criminal law, research and statistics, police administration, police supervision and management, multi-cultural law enforcement, diversity in law enforcement, criminal investigations, interview and interrogation, corrections administration, corrections management and supervision, ethical leadership in criminal justice agencies, training and development in criminal justice agencies, and criminological theory. At present, Dr. Kelly serves as a member of the teaching faculty for Columbia Southern University and is the managing general partner for Security & Risk Assessment Consultants, LLC. (
Dr. Kelly began his teaching career in 1996 at Loyola University and has served on the teaching faculty of Tulane University, Southeastern Louisiana University, Southern University, Northwestern State University, and, Louisiana State University-Alexandria. LSU-A recruited Dr. Kelly to write their four-year criminal justice degree program and to prepare it for presentation to the Louisiana Board of Regents and the Southern Association of Colleges and Schools (SACS). Dr. Kelly was also the Department Chair of Criminal Justice for Virginia College where he oversaw both the undergraduate degree program, graduate program, was Chairman of the Graduate School Committee, and Editor of the Journal of Law and Justice. He is widely published in the academic discipline of criminal justice and has authored such works such as:

Doctoral Dissertation University of Southern Mississippi (2003): COMMERCIAL BAIL: THE INEQUITABLE TAXING OF THE POOR IN LOUISIANA
Master’s Thesis University of Maryland (2016): Protecting Information Systems: Law Enforcement Technology


Dr. Kelly has also written and published journal articles that address contemporary issues in the law and justice profession which include:
• A Cross-Cultural Comparison of Police Personality” International Journal of Comparative and Applied Criminal Justice,”
• “Katrina: An American Poseidon: Orleans Parish’s Disaster Response—Bifurcation and Chaos Theory, published in American Jail Magazine.

Dr. Kelly’s law and justice career is inclusive of a variety of senior management and command level positions. This demonstrative level of professional experience helps to provide him with unique insights into the requirements for professional education and the interrelation of academic curricula with professional training needs. Dr. Kelly rose to the rank of Major with the Orleans Parish Sheriff’s Office and was assigned to the Office of the Chief Deputy as Confidential Assistant to the Chief Deputy. During the 1970’s he served with the New Orleans Police Department in the Sixth District and Urban Squad. In 1983, he joined the Orleans Parish Criminal Sheriff’s Office as a full-time sworn deputy sheriff working in the Warrants Division. Since his affiliation with the Orleans Parish Sheriff’s Office he has held a variety of advisory, policy, and training positions and been responsible for leading efforts to modernize the department’s Policy and Procedure Manual; he also served in the POST Training Academy where he taught recruits, full-time deputies, and ranking officers in the areas of Ethics, Investigative Report Writing, Stress, and the legal issues associated with Use of Force.

Areas: ,
Categories: General