Wednesday, February 20, 2013

Federalism Issues with Cyber Security



Incidents of American government IT networks being illegally accessed are increasing in sophistication and tempo.  These software intrusions come from foreign states, as well as foreign and domestic non-state actors.  They range from pranks to malicious efforts to shut down databases, software, hardware, and equipment.  This article discusses some constitutional issues arising from a catastrophic incident against a state government that necessitates federal protection of its IT systems.

The main threat is from online worms that could steal data (e.g. a list of a police department's undercover officers), destroy data (e.g. the property tax transactions), or control infrastructure like the controls for an aqueduct.  In the immediate aftermath of a big cyber event on a state government, it may seem intuitive to have the federal Department of Defense or Homeland Security put up a virtual firewall and set compliance procedures.  But that would bring a whole host of questions about federal power and potentially civil-military relations.

In the fall of 2012, the state of South Carolina had a major hacking occurrence with over 3 million citizens having their (federal) Social Security Numbers stolen, as well as tax information for several businesses.[1]  It was the U.S. Secret Service that informed the state government of this.  It took the state government several days to secure its network and even more days to disclose this to the public.[2]  In this case, a private company was contracted to survey the damage and recommend remedial steps, but an attack from a foreign government on several states at once may require a federal government response.[3]

The courts have always maintained the federal government's plenary authority to coordinate defense of the country.  There are also constitutional designs articulated in cases such as New York v United States (1992)[4] and Printz v United States (1997)[5] that elucidate the notion that states are sovereign and must be allowed to function independently in a federal system.  That is a check against political tyranny by the federal government.[6] So how does cyberspace fit in?

"Traditional and non-traditional" government functions have been debated for centuries in determining where federal regulation reached its limits.  While in 1985 the Supreme Court declared that "traditional and non-traditional" functions were impossible to delineate[7], the following decades of jurisprudence have narrowed the federal government's authority in general.  The Internet, with its pervasiveness and mobility, has transformed our way of life, our economy, and thus, how we govern ourselves.  We can pay for municipal parking tickets on our cell phone, take classes at a state university online, and we can have a federal court subpoena our documents stored in "the cloud."

New York v U.S. and Printz v U.S. stand for the notion that the federal government cannot mandate that the states follow a federal policy scheme, nor can the federal government commandeer state workers and resources to follow federal processes.  As more state government functions are processed through information technology, and more interaction between states and the public is virtual, a federal regulation of a state's IT systems would be a major constitutional quagmire.

According to cyber security experts, the weakest link in protecting IT systems from hackers is the human element.  Therefore federal regulations regarding how state workers answer email and plug thumb drives into their home computers could take effect.  Regulations punishing a state worker for a security lapse could very well be required.  Who would administer that is very unclear.  Needless to say, any government functions blending federal and state networks like law enforcement, Medicaid, or public health administration could be impeded if a state did not secure its network.

Given its vast IT resources, the Department of Defense (DoD) is the lead agency protecting the federal government, as opposed to the Department of Homeland Security (DHS).  This raises popular concerns about involving the military in the management of not only federal civilian agencies, but state and local agencies.  The law is fairly clear, as argued in a U.S. Department of Justice memo[8], that there is no law against DoD civilians enforcing the law, or regulations.  Laws such as the Posse Comitatus Act[9] prohibit members of the armed forces from law enforcement and regulating civilians, but not civil servants in the DoD.

In the midst of a massive, debilitating hack, there could be no choice but for the president to find that state civil resources have been overwhelmed and invoke the Insurrection Act[10] to allow troops to take temporary control of state IT infrastructure.  This is not the notion of army troops on trucks with fixed bayonets driving down Main Street.  It is more likely a bunch of young soldiers in massive computer labs working with state officials to restore their databases, computer systems and websites.

Legal processes would be easiest if a state asked the federal government for help.  Issues of commandeering a state could be written into a contract.  The main problem concerns the protocol for identifying that a major incident is underway, and whether the president decides he or she must act in the national interest to protect state governments.  The incident in South Carolina, for example, took place with cumulative software intrusions over months[11].

There are a host of issues not analyzed in this article, including contract monitoring of state government vendors' cyber security, private companies controlling critical infrastructure, how states collect digitized data, and the criminal investigatory methods states use to deter and investigate hackers.

I hope to have provoked some ideas for the constitutional concerns that would come with the federal government protecting a state online.