THE IMPACT OF NATIONAL INFRASTRUCTURE AND CYBERSPACE SECURITY STRATEGIES ON LEGAL RIGHTS AND LIABILITIES

Jeffrey H. Matsuura

Assistant Professor and

Director of the Program in Law and Technology

University of Dayton School of Law

300 College Park

Dayton, Ohio  45469

937-229-2256

Jeffrey.Matsuura@notes.udayton.edu

 

 

INTRODUCTION

The United States government has established general strategies for protection of critical infrastructure facilities, including telecommunications networks, and for providing security in cyberspace.  Although those strategies are not yet directly reflected in statutes or regulations, they can, nonetheless, have a significant impact on legal rights and obligations associated with provision of online services and use of computer networks.  This paper identifies and examines some of the key ways in which the recently established U.S. national infrastructure and cyberspace security strategies are likely to influence standards of legal responsibility for computer network security.  More specifically, although these strategies do not create a legislative or regulatory agenda, they are likely to affect legal rights and liabilities associated with computer security by influencing the ways in which courts apportion responsibility for security.  In addition, the strategies are likely to affect future rights and responsibilities related to computer security by providing a framework for future statutory or administrative law initiatives.  The strategies to secure cyberspace and critical infrastructure thus have an important role to play in the allocation of rights and responsibilities associated with computer security, even though they do not directly create those rights and responsibilities.

OVERVIEW OF NATIONAL STRATEGIES

In February 2003, the U.S. government released two reports: “The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets”[1] and “The National Strategy to Secure Cyberspace.”[2]  Those documents provided an overview of the nature and scope of the security threats now facing key U.S. infrastructure facilities and computer network operations.  These reports were developed under authority from the President of the United States, acting through the President’s Critical Infrastructure Protection Board, and they represent the current views of the U.S. government regarding the security risks now facing our national computer networks.[3]

The critical infrastructure protection strategy identified three key objectives.  The first objective is to identify and protect U.S. infrastructure deemed to be essential to the nation’s public health and safety, economic and national security, governance, and public confidence.  A second objective recognized by the infrastructure protection strategy is provision of effective warnings when there are specific and imminent threats to critical infrastructure assets.  Finally, the infrastructure strategy seeks to provide protection for future critical assets through effective collaboration involving all levels of government and the private sector.

The critical infrastructure protection strategy also establishes core principles to govern efforts to protect key infrastructure assets.  Those principles include the need to assure public safety and confidence by establishing responsibility and accountability for infrastructure security.  Core principles also include the need to foster partnering and cooperation, including information sharing, involving all levels of government, the private sector, and international partners.  The principles recognize the need to develop innovative technology and expertise to provide effective security and the need to deploy the security measures in ways that preserve personal privacy and constitutional rights.

The national strategy to secure cyberspace developed another set of objectives for security priorities.  The strategy establishes three critical goals.  The first is to prevent cyber attacks against important U.S. assets.  The second goal is to reduce the nation’s vulnerability to cyber attacks.  The third objective is to minimize the damage and recovery time associated with cyber attacks that take place.  The general approach adopted by the strategy is thus one of reducing the nation’s vulnerability to cyber attacks and improving its ability to respond quickly and effectively to attacks, when they occur.

The strategy to secure cyberspace sets five key priorities for cyberspace security.  The first priority is to develop an effective system to respond to cyber attacks.  The second priority is to initiate a program to reduce our national vulnerability to cyberspace attack.  The strategy recommends that a comprehensive cyberspace security training and threat awareness program should be developed.  Efforts to secure government cyberspace resources provide another security priority.  Finally, international cooperation to promote cybersecurity is also identified as a policy priority.  Conspicuously absent from the strategy are proposals for legislative or regulatory action and government initiatives to foster cybersecurity.

Although the national strategies do not propose specific legal requirements, they substantially influence allocation of legal rights and duties.  The strategies help to define the scope and the nature of security threats.  They thus provide a form of notice to all parties involved with the critical infrastructure and cyberspace, as to the security threats that are present and those that are likely to emerge.  The strategies offer recommendations as to methods to reduce security threats and to respond to security breaches.  In this way, the strategies begin to identify best practices and acceptable standards of conduct to promote security.  By providing notice to operators and users of infrastructure and cyberspace, and by providing basic standards of conduct, the national strategies give courts guidelines which, although not formal or binding, are helpful as the courts try to resolve security-based disputes.  In this way the strategies are likely to influence the decisions of courts with respect to computer security, and thus affect the legal rights and liabilities of the parties involved.

NO LEGISLATIVE OR REGULATORY ACTIONS

            The national strategies presented by the federal government did not offer or invite specific legislative or regulatory initiatives to address the security concerns they identified.  Instead, the strategies promoted a cooperative approach, under which private and public sectors would cooperate to address security concerns.  The national strategies placed significant reliance on actions to enhance security performed by private parties, commercial entities and individual users alike.  Although the strategies do not present specific statutory or regulatory proposals, they will have an impact on the assertion and enforcement of legal rights associated with computer security.

            Some observers have been critical of the national cyberspace and critical infrastructure strategies as they do not create a clear, specific legislative and regulatory agenda to promote cybersecurity.[4]  Many of these critics take the position that a formal statutory and administrative framework is necessary in order to meet effectively the serious computer security threats facing the nation.[5]  Absent targeted computer security laws and regulations, these observers contend that the legal environment will be inadequate to support effective security for our national computer resources.

Upon reflection, it appears that these criticisms are overly harsh.  Although undoubtedly appropriate statutes and regulations can have a meaningful beneficial impact supporting national computer security, effective legal support for security does not necessarily require a statutory or administrative law focus.  Interpretation of existing common law rights by courts in many different jurisdictions can have a significant positive impact on computer system security.  Although the national cybersecurity strategies did not create a targeted set of computer security laws or rules, they do establish guidelines and standards that can help the courts to promote security as they interpret existing legal principles to resolve the disputes that arise in the computer security context.

            Some critics of the security strategies also point to an apparent lack of enforcement mechanisms for the policies developed as part of the strategies.  These observers express concern that, without clear enforcement processes, the significant threats to security remain unchecked.  However, this concern also seems to be overstated.  There is, in fact, an effective legal enforcement mechanism available to promote computer security.  At one level, criminal law sanctions are now actively applied to computer security violations.[6]  Significant cases brought under computer crimes statutes are now common.[7]  In addition, law enforcement authorities now aggressively pursue intellectual property crimes.

Supplementing the criminal law actions associated with computer security is the process of civil litigation in this country, through which private parties, both individuals and organizations, make use of the federal and state judicial systems to enforce their private rights.  The process of civil litigation exercising private causes of action provides an effective vehicle for the promotion of computer security.  The national cyberspace and critical infrastructure strategies provide valuable tools for private parties as they make use of that legal vehicle to enforce their rights.  Those tools are the suggestions regarding appropriate security practices and the assessment of the scope of the computer security threat.

            Private parties in the United States already have a wide range of choices as to legal remedies for computer security.  Legal theories applicable to security liability issues include tort law claims and breach of contract actions.  Also available are claims based on existing statutes, such as the federal Computer Fraud and Abuse Act.[8]  Under each of these civil liability theories, a party injured as a result of a computer security failure can take legal action to recover monetary compensation for harm caused by that failure.  If the claim is based on tort law, the injured party must generally demonstrate that the defendant owed the plaintiff a duty of care and that the failure of the defendant to meet that duty caused the injury.  In a computer security context, for example, the operator of a computer network might face claims of legal liability under a tort law theory for damage to another party’s computer caused by negligent use of the network.  In a breach of contract action, the plaintiff must demonstrate that there is a binding contractual relationship in place, and that the defendant failed to meet a material obligation placed on the defendant by the contract.  Thus for example, the owner of a Web site might sue the party providing hosting services for the site, under a breach of contact claim, if the service provider failed to offer security consistent with its obligations under the contract, and if that failure resulted in damage to the site.

The recommendations offered by the federal government through the cybersecurity and critical infrastructure strategies begin to establish standards of security conduct and accepted notions of security risk that are likely to be applied in civil litigation.  Although the strategies do not propose or advocate specific security laws, they provide evaluations and analyses that are likely to be applied by courts as those courts resolve civil law disputes arising from security problems.  As guidelines considered by courts as they evaluate competing claims in litigation, the strategies exert an indirect influence on assessments of liability for cybersecurity.  In this way, the strategies serve to influence legal liability without dictating any particular result, through the application of indirect influence.

THE STRATEGIES AS STANDARDS OF CONDUCT

            The national strategies provide guidance as to appropriate standards of conduct in response to the security threats facing computer systems and other critical infrastructure facilities.  The strategies include recommendations for computer system security.  Those recommendations, in effect, place the public on notice of the government’s assessment of the scope and form of computer and infrastructure security threats.  With these national strategies on the public record, it is now difficult for any party to make a credible argument that it is unaware of the potential scope of computer security threats.

            Decisions regarding legal liability often involve an assessment of the reasonableness of conduct.  With tort law claims for damages associated with “downstream” injury caused by the failure of a computer system operator to secure its system, for example, there are questions of what duty of care the operator owes with regard to securing its system.  The national strategies on securing infrastructure and cyberspace appear to provide a basis upon which we can begin to evaluate the duty of care.  Actions that totally disregard the analysis and recommendations made by the national strategies seem to constitute breaches of a duty of care, conduct that should trigger legal liability.

            Although the suggestions and concerns expressed in the strategies do not carry the force of law, they will likely have legal impact.  Courts at all levels will look to these strategies for guidance.  The national strategies will thus influence court assessments of what constitutes reasonable conduct as to cybersecurity and infrastructure security measures.  Security practices consistent with the views expressed in the national strategies will be more likely to be assessed as prudent, reasonable conduct than those that diverge significantly from those views.  Prudent, reasonable conduct is less likely to trigger legal liability in civil litigation, thus the national security strategies are likely to exert their influence on private party conduct in this indirect way, in contrast to the direct influence exerted by statutes and regulations.

            For example, the national strategy to secure cyberspace highlights the importance of effective information sharing regarding vulnerabilities, threats, and actual cyber attacks.  Such sharing of information is important as it helps parties to recognize threats and to respond to them more quickly than would be possible absent that cooperation.  In the past, there has sometimes been reluctance to share this type of security information, as there was a perception that sharing the information could invite more attacks (suggesting that the target was vulnerable), could undermine confidence in the organization that was attacked (on the part of customers, investors, and business partners), and could provide competitors with information that they would use to derive a competitive advantage (by characterizing the attack as an indication that customers should abandon the compromised company in favor of their more secure offerings).

Now that the national cybersecurity strategy underscores the importance of sharing cybersecurity information, refusal to share that information with government authorities and appropriate private parties is more likely to be viewed as unreasonable conduct by a court, particularly if that refusal to share information results in harm to another party.  As courts apply this type of interpretation of the national strategy, the terms of the strategy begin to shape conduct, even though they do not have formal legal authority.  The recommendations contained in the strategy derive their power from the willingness of the courts to adopt the recommendations as standards of reasonable conduct.

            The critical infrastructure security strategy identifies 11 categories of critical infrastructures and five categories of key national assets.  Enterprises operating any of those specifically identified infrastructures or assets are now on notice that the federal government views those infrastructures and assets to be likely targets for attack.  Having been expressly designated as assets critical to national security and as the most likely targets of attack, failure to adopt stringent security policies and practices commensurate with such governmental designation would likely be viewed to be unreasonable, and perhaps negligent, conduct by a court when assessing liability for security failures.

            The strategies are also likely to affect the ways in which courts view the obligations of computer system users who may be the victims of security breaches.  Although the strategies recognize the importance of protecting system users from security failures, the strategies also contemplate precautionary actions by the users.  The strategies include recommendations that all system users take action to understand the scope of the security threats they face, and that they make use of training, information sharing, and technology to reduce their exposure and to mitigate harm in the event of a security failure.  Courts are likely to hold computer system users to these standards, even to the extent that they may, in part, be innocent victims of security violations.

GUIDES FOR RISK ASSESSMENT

            The national strategies can serve as a guide to assist assessment of risks with regard to computer security threats.  The strategies identify key vulnerabilities and major security threats.  That assessment provides an important foundation for risk assessment efforts.  Effective risk assessment is an important aspect of enforcement of legal rights and liabilities.  In part, the legal system attempts to shift the cost of preventing damages to the parties best positioned to bear those costs.  Accurate evaluation of security risks assists in the process of risk allocation.

            By providing an assessment of the greatest security vulnerabilities for critical infrastructure and cybersecurity, the government has, through the national strategies, taken a first step toward defining the portions of our information technology network that presently bear the greatest risk of attack.  The owners and users of those portions of the national infrastructure are the parties who initially face the greatest exposure to the potential security breaches.  As civil lawsuits associated with computer security breaches become more common, these are the parties who will most likely be the first defendants.  As courts evaluate the scope of their liability, the courts will, indirectly, begin the process of apportioning the costs of security failures among the many different parties affected by those failures.

            Courts will continue to grapple with the problem of allocating the costs of system security for the foreseeable future.  Currently, there is an apparent effort to avoid overburdening Internet service providers with the costs of security.  For example, a federal court determined, earlier this year, that America Online was not liable for malicious (or “hostile”) code sent by one subscriber to another.[9]  That decision applied Section 230 of the Communications Decency Act to protect the ISP from liability.[10]  This approach is part of the overall effort to permit ISPs to avoid an activist role managing content provided by users of their systems.  That approach, however, is an example of security cost allocation, in this instance shifting some of that cost to system users and away from service providers.

            The national strategies indirectly assist the courts to begin the process of allocating responsibility for security measures.  In that way, the strategies provide an initial framework for the courts as they allocate liability and thus influence the economic incentives associated with cybersecurity investment.  Although the courts will ultimately find their own way with respect to assessing which of the involved parties are best positioned to bear the costs of computer security, they are most likely to make those allocations within the general framework of risk assessment presented by the government’s national strategies.  The general progression of the risk allocation process involves identification of risks, assessment of their impact and their frequency, and allocation of legal liability, with the corresponding shift of security costs to the parties who bear the greatest liability for security breaches.

EVOLVING RIGHTS AND LIABILITIES

            We currently see courts and private parties shaping the future landscape of computer security rights and liabilities as they resolve specific disputes.  A growing number of computer security problems are generating disputes that are working their way to resolution.  One of the most common categories of computer security failures involves lapses that result in compromise of personal information.  There have been many high profile incidents where personal information has been compromised as a result of security breaches in computer systems.  For example, Ziff Davis Media recently entered into a settlement agreement with several state authorities to resolve claims of liability resulting from a computer security breach that resulted in disclosure of information associated with several thousand subscription orders.[11]

            Another common category of computer security disputes involve enforcement of computer crime statutes.  These legal actions are brought by the government against parties who violate criminal laws.  Many of these criminal actions are brought under the criminal provisions included in copyright law, aimed at copyright piracy.[12]  Some computer crime cases involve actions against unauthorized use, invoking the Computer Fraud and Abuse Act.

            We have not yet seen major litigation based on claims of liability brought by third parties against private computer operators who provide inadequate security measures, and thus contribute to a cyber attack that causes damage to the third party.  One example of this context would involve a distributed denial of service attack launched by commandeering computers owned by another party (i.e., creating “zombie” computers).  In this situation, tort and other legal claims could be raised by the owners of computers or content damaged by the attack against the owner of the zombie computers.  This type of action is likely to be initiated by a computer system operator, or perhaps an insurance company responsible for coverage for a computer system damaged by such an attack, against the owner of the zombie computer equipment.

            The evolving conception of rights and liabilities associated with computer security affects all parties involved in the computer system.  It affects the owners and operators of the computer systems, as well as the users of those systems.  Rights and responsibilities of equipment manufacturers and service providers are also at issue in the context of security.  There is a wide range of parties who are affected by computer security.  All of these parties will likely be asked to bear some portion of the costs of providing computer security.  The relative size of those portions remains very much in flux.

            Thus, the evolving concept of rights and liabilities associated with computer security is illustrated by the recognition that all parties now bear some level of responsibility for system security.  Even those parties who may suffer harm as a result of a security breach have an obligation to act prudently to prevent or minimize the harm they suffer from such a breach.  Courts have recognized, in contexts other than computer networks, that even though a party may be a victim of a security breach, the party nonetheless bears a responsibility to avoid or reduce the harm suffered.[13]  The duty to take reasonable action to avoid a known threat of injury is likely to be an important factor in computer security liability cases.  As noted previously, the cyberspace and infrastructure security strategies make it very difficult for a computer system operator to argue successfully that it was unaware of security threats and unaware that means to defend against those threats are available.

            One aspect of the computer security field in which we see significant evolution of conduct is that of insurance.  Once unavailable and not widely recognized as important, insurance coverage for liability and loss associated with computer security breaches is now common.[14]  Many different carriers now provide computer security coverage, and that coverage is available on an independent basis, distinct from other standard business coverage.  Underwriters of general business liability coverage now recognize the significance of the computer security threat, and thus increasingly insist that parties obtain separate insurance coverage for computer-related liability.  Premiums for computer security coverage can be high, thus insurers are also shaping security conduct.  More effective computer security practices can result in reduced lower insurance premiums, and in this way insurance companies provide a direct incentive for their customers to adopt more comprehensive and effective computer security practices.  The rapid development and acceptance of this form of coverage is an illustration of evolving risk assessments as to computer security.

FOUNDATION FOR FUTURE LEGISLATION AND REGULATION

            The national strategies rely substantially on private party action, coupled with cooperation with government, as the means of implementation.  Some observers question whether this significant reliance on private party action will be effective.[15]  Instead, various industry participants suggest that there is a need for formal statutory or regulatory action.[16]  Although these national strategies do not establish legislative initiatives in their fields of coverage, the strategies can, nonetheless, have an important impact on future laws and regulations.  The strategies will likely serve as a platform upon which future legislation or regulation can be based.  Effectiveness of the strategies as guidelines for security conduct can be assessed, over time, based on experience generated as a result of the influence of these strategies.

            One way in which the strategies can serve as a foundation for future legislation or regulation is by helping to define the potential scope of such future policy action.  For example, the critical infrastructure strategy specifically identifies several of this country’s  most important infrastructure assets.  Future legislation or regulation could easily build upon that classification, choosing for instance, to establish special security rules for the infrastructure assets already recognized to be the most significant assets in the critical infrastructure strategy.  The critical infrastructure security strategy defines a set of assets which can be the focus of future legislative or regulatory action to promote security if the need for a more formal legal framework for those assets is acknowledged in the future.

            The cybersecurity strategy recommends that enterprises continuously evaluate the security of their computer systems.  That recommendation is currently provided in the form of a suggestion.  In the future, however, it would be possible for Congress to convert that recommendation into a statutory requirement.  This offers another example of an element of the current national security strategy that could easily serve as the basis for a future direct legislative or regulatory initiative.  The transition from informal recommendations to formal legal requirements would not be a difficult one.

Although the current national strategies do not create a legislative agenda, they offer a foundation which can be readily developed into legislation and regulation in the future.  There may well be advantages to this approach.  By deferring formal legislative action, we avoid hasty legislation enacted before the full scope of the security problem is understood.  The approach adopted by the national strategies affords informal action the first opportunity to respond to the growing computer security threat.  As experience regarding the effectiveness of informal private action develops, we will be in a position to enact more effective formal regulation in the future if informal action proves to be inadequate to protect the public interest.

BALANCING INFRASTRUCTURE AND CYBERSPACE SECURITY

            The national strategies address security for the vital physical infrastructure of this country and for the cyberspace content.  An open issue remains as to the relative levels of attention and resources to be devoted to those two different sets of security concerns.  Should more attention and resources be applied to protect the critical infrastructure than to protect cyberspace resources?  What is the appropriate measure to be applied to the allocation of scarce resources between infrastructure security and cyberspace security?  There appears to be some risk that the decision to present separate strategies for cyberspace security and critical infrastructure security establishes potential competition between the two, when in fact, they should be treated collectively.  One may also argue that separation of the two strategies suggests independence between critical infrastructure and cyberspace that simply does not exist.

            Infrastructure security is essential to cybersecurity.  The online environment is, in effect, an extension of the physical infrastructure as it relies on the telecommunications and power networks for its existence.  In a very real sense, critical infrastructure protection is cyberspace protection.  One is not possible without the other.  Secure cyberspace is impossible without a secure physical infrastructure.

            Viewed from another perspective, cyberspace is part of the nation’s critical infrastructure.  The Internet and private computer networks are so integrally involved in the operation of physical infrastructure systems such as power grids, transportation networks, and the telecommunications system, that it is not particularly meaningful to try to distinguish between the computer network and the other elements of this country’s critical infrastructure.  In a very real sense, cyberspace is now part of the nation’s critical infrastructure, thus it makes little sense to develop separate strategies to secure them.

            As the strategies are interpreted and implemented over time, it is likely that they will gradually be integrated.  Cybersecurity will increasingly be viewed as an element of virtually all of the different forms of critical infrastructure.  An important lesson that may ultimately be derived from the national strategies to secure cyberspace and critical structure is that all of those assets, cyberspace and infrastructure alike, are integrated and should be treated as a unit, not as different classes of critical assets.  It is likely that integration of the cybersecurity strategy into the overall infrastructure strategy would provide a more efficient and effective approach to computer security.

CONCLUSIONS

            The national strategies to protect critical U.S. infrastructure and cyberspace do not involve specific legislative or regulatory actions.  Instead they advocate public and private sector cooperation to develop and implement security initiatives largely managed and conducted by private parties, both businesses and individuals.  Despite the fact that these strategies do not present specific legislative or regulatory agendas, they will likely have a significant impact on legal rights and liabilities associated with computer security.  They will exercise that influence through indirect means.

            The strategies will influence legal rights and liabilities by influencing the actions of courts as they resolve actual security-based disputes.  To resolve a variety of legal claims, courts consistently look for standards of care and reasonable conduct against which the actions of the parties in any specific dispute can be properly compared.  These strategies to secure physical infrastructure and cyberspace provide convenient standards of care and conduct with regard to computer system security, and for that reason, they are likely to be attractive tools for the courts.

            The strategies may influence legal rights and duties in the future by providing a foundation upon which security-oriented statutes and regulations may be built.  They provide a framework of risks and recommended actions that can be readily converted into specific legislative or regulatory standards in the future.  In addition, the experience developed as the informal strategies guide conduct over time can provide useful information as to modifications and enhancements that can be incorporated to make any formal legislation more effective than the informal security strategies.

            The strategies may eventually lead us to reexamine the distinctions we currently draw between infrastructure and cyberspace.  Even at present, the separation between physical infrastructure and cyberspace, for security purposes, seems inappropriate.  The critical physical infrastructure, particularly telecommunications and electrical power systems, are essential to the existence of cyberspace.  In addition, computer networks now play such a critical role in the operations of physical infrastructure assets that one can effectively consider those computer networks to be components of the physical infrastructure.  In this environment, it does not seem to be either meaningful or accurate to attempt to distinguish cyberspace from the physical infrastructure which both supports it, and is supported by it.  The degree to which the critical physical infrastructure strategy and the cyberspace security strategy overlap and cross-reference each other provides a vivid indication of the value of integrating those security strategies, in recognition of the integration of the infrastructure and cyberspace assets.

            The concern expressed by some that the national strategies to secure critical infrastructure and cyberspace are inadequate because they do not establish formal legal requirements appears to be overstated.  Although the strategies do not carry the force of law, they are likely to have a noticeable impact on efforts to allocate responsibility for computer security.  They will most likely influence the standards of reasonable conduct applied by courts as they work to resolve computer security disputes.  The strategies are also likely to serve as the basis for any future legislation or regulation that is developed to address computer security concerns.  Finally, the strategies may ultimately evolve into a  single concept of security that treats cyberspace as an integral element of our nation’s critical infrastructure.  That evolution could assist us to address security concerns comprehensively, and thus more effectively.  Such a result, if achieved, would be the greatest success attributable to the security strategies.