One of the things that has struck me about the debate concerning cybersecurity legislation is that we don’t have a really good baseline of existing legal authorities for the protection of cyberspace. Slowly, that is changing. Here is one offering — a paper from the Homeland Security Studies and Analysis Institute by Matthew H. Fleming and Eric Goldstein: “An Analysis of the Primary Authorities Governing and Supporting the fforts of the Department of Homeland Security to Secure the Cyberspace of the United States.” [Full disclosure: In my capacity as a Distinguished Visiting Fellow at HSSAI, I had the opportunity to review and comment on an earlier draft of this paper.]. Here’s the abstract:
The Department of Homeland Security (DHS) has a central role to play in the cybersecurity of the United States. However, authorities governing and supporting this central role appear to lack sufficient clarity. As a result, it remains difficult to judge their adequacy — and, more importantly, the fundamental nature and extent of the department’s role in securing U.S. cyberspace. In an attempt to provide clarity to the national cybersecurity community, staff from the Homeland Security Studies and Analysis Institute conducted research to determine: what are the primary authorities supporting/governing DHS efforts to secure U.S. cyberspace (and what do the authorities say); and what ambiguities, conflicts, and gaps appear to exist in these authorities (and what are their implications for the DHS mission). This paper presents the findings of the research. It is designed to serve as a foundational document for use by DHS and its partners in the U.S. government (USG) and broader homeland security enterprise. Overall, the research suggests that existing DHS-related authorities may not be fully sufficient for DHS to: require or incentivize the protection of critical systems and information; gather (i.e., collect) information to be shared; define clearly when DHS may intervene during a cyber incident; support actions necessary to manage and coordinate cyber incident response, including for the most serious of incidents; and delineate the responsibilities of DHS and DoD for the most serious of incidents.