But the question remains: do federal law enforcement agencies really need greater leverage in the fight against hacktivists and cyberterrorists? In his address, the president made it clear that his administration believes so, but upon closer examination of computer security enforcement laws, his case becomes progressively less convincing.
It's More A Question Of What Can't They Do
While CSEA and the PATRIOT Act play a background role in defining computer crimes, they're the centerpiece of the federal government's exceptional enforcement capabilities. In conjunction with the Federal Information Security Management Act (FISMA), federal law enforcement has the ability to surveil and collect information on American citizens and to share collected intelligence between agencies, and is required to perform regular audits on its secured networks. To explain how this all works, I'll start with the PATRIOT Act.
Title I of the Act called for the expansion of the U.S. Secret Service's National Electronic Crime Task Force (NECTF), charged with preventing, detecting, and investigating electronic crimes. "Electronic Crimes" applies not solely to hacking attempts on protected computers under Title 18 U.S.C. Sec. 1030, but also to potential acts of terrorism against national infrastructure and financial payment systems. Title V reinforces Title I by conferring the FBI's enforcement authority under Section 1030 on the Secret Service, and these are further supported by Title VII, which authorizes the Justice Department to create "secure information sharing systems" between federal, state, and local law enforcement.
Title II includes most of the provisions that allow federal agencies to conduct surveillance operations on American citizens. Under this title, law enforcement can intercept internet communications, record telephone conversations without a wiretap warrant, collect identification information from electronic devices (i.e., MAC addresses), access subscriber records from cable/internet service providers (ISPs), and preempt disclosure of the rationale behind a judge granting a warrant in a federal investigation of suspected terrorist activity. Title VIII of the Act authorizes the Attorney General to create regional computer forensic labs to examine intercepted computer evidence and facilitate more efficient information sharing between federal, state, and local authorities.
The CSEA opens the information gathering door even wider by amending the regulations around how often and to whom ISPs can release subscriber information. Under this act, an ISP doesn't need a "reasonable belief" to divulge either records of internet communications or the content of the communication itself. An ISP only needs to act in "good faith" rather than hold a legitimate suspicion that there's an immediate danger. In addition, ISPs can release this information to any federal, state, or local "government entity" as opposed to a law enforcement agency.
Lastly, FISMA requires federal agencies and substations to regularly test their networks for vulnerabilities and perform risk assessments on successful breaches from outside attackers. Under this law, Certified Ethical Hackers and Licensed Penetration Testers can be employed to conduct penetration tests and to develop, document, and implement agency-wide security programs, including inter-agency systems.