EPIC v. DHS (Election Cybersecurity)
- EPIC Pursues Privacy Impact Assessments for Proposed DHS Biometric Database: EPIC has submitted an urgent Freedom of Information Act request to the Department of Homeland Security seeking the Privacy Impact Assessment for the "Homeland Advanced Recognition Technology," a proposed system that will integrate biometric identifiers across the federal government. HART would replace IDENT, which now contains biometric records on over 220 million unique individuals. In 2015 a breach at the Office of Personnel Management compromised 22 m records, including 5 m digitized fingerprints. It appears that Homeland Security failed to complete the Privacy Assessment prior to launching HART. By law, a federal agency is required to conduct a Privacy Impact Assessment before procuring information technology that stores personally identifiable information. In EPIC v. Presidential Election Commission, EPIC challenged the failure of the Commission to undertake a Privacy Impact Assessment prior to the collection of state voter data. The Commission was shuttered earlier this year. (Jun. 18, 2018)
- Senators Urge DHS to Address Concerns Over Facial Recognition at Airports; Conduct Public Rule-Making: In a letter to DHS Secretary Kirstjen Nielson, Senators Edward Markey (D-MA) and Mike Lee (R-UT) urged the agency to promptly conduct a public rulemaking on the agency's biometric exit program prior to any expansion of the program. The program, currently implemented in nine U.S. airports, requires travelers on departing international flights to submit to facial recognition identification. The Senators requested that DHS determine the accuracy of the technique and the procedures for collecting passenger data. EPIC is currently pursuing documents about the biometric exit program, but documents EPIC obtained about a related program that tested iris and facial recognition scanning at the border revealed that the technology did not perform operational matching at a "satisfactory" level. An earlier EPIC lawsuit against the DHS led to the removal of backscatter x-ray devices — "body scanners" — at US airports. (May. 11, 2018) More top news »
In Freedom of Information Act lawsuit EPIC v. DHS, EPIC is seeking Department of Homeland Security research, integration, and analysis of the Russian interference in the 2016 presidential election. The U.S. Intelligence Community (“IC”) concluded that Russia carried out a multi-pronged campaign to interfere in the 2016 U.S. Presidential Election to “undermine public faith in the US democratic process,” demonstrating a “significant escalation” in Russian activities. Nine months since the IC report on the interference, few new details of the interference have been made public.
In March 2017, Representative Bennie Thompson (D-MS), Ranking Member of the Committee on Homeland Security, introduced House Resolution 235 directing the Secretary of Homeland Security to transmit the Department of Homeland Security’s research, integration, and analysis related to Russian interference directly to the House. Following Rep. Thompson's proposal, EPIC seeks the same documents under the Freedom of Information Act.
DHS Investigation of the Russian Interference
The mission of DHS is mission to “safeguard the American people, our homeland, and our values,”, and has played a key role in the federal response to the Russian interference. On December 29, 2016, DHS and the Federal Bureau of Investigation published the first public report on the interference — the “Joint Analysis Report,” or JAR. The JAR highlighted and explained techniques used to perpetrate the interference and techniques used to enhance systems defense. Significantly, the JAR formally tied the attack to Russian intelligence services. While “[p]revious JARs have not attributed malicious cyber activity to specific countries or threat actors,” the report stated, this report immediately identified “Russian civilian and military intelligence Services (RIS)” as the actors who “compromise[d] and exploit[ed] networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.” On January 6, 2017, then DHS Secretary Jeh Johnson also announced the designation of election infrastructure as a subsector of the U.S. government’s critical infrastructure. Former DHS Secretary Johnson has since stated that he made the designation after “concerns about the possibility of a cyberattack around our national election grew” following the events of 2016
Since the publication of the JAR and the critical infrastructure designation, DHS’s has continued the Russian interference investigation. But the agency has not provided any significant, new information to the American public. On June 21, 2017, nearly eight months after election day, in an open hearing before the Senate Select Committee on Intelligence, NPPD’s Acting Deputy Under Secretary for Cybersecurity and Communications Jeanette Manfra confirmed for the first time that “election-related systems in 21 states were targeted” by Russian cyber actors during the 2016 election cycle. Nearly half of the United States were targets of Russian activities during the 2016 election cycle. Acting Deputy Under Secretary Manfra did not indicate which states were affected, and, when pressed, would not disclose the states from which data was exfiltrated.
Vice Chair Mark Warner (D-VA) questioned Ms. Manfra during the hearing about whether “at this moment in time there may be a number of state and local election officials that don’t know their states were targeted in 2016.” Senator Rubio (R-FL) urged, “[A]s much of [the systems data] must be made available to the public as possible,” and said to “err on the side of disclosure about our systems so people have full confidence when they go vote.”
Former DHS Secretary Johnson emphasized in written testimony to the House Select Committee on Intelligence on June, 21, 2017, that his “very troubling experience highlights cyber vulnerabilities in our political process, and in our election infrastructure itself. With the experience fresh in our minds and clear in our rear-view mirror, we must resolve to further strengthen our cybersecurity generally, and the cybersecurity around our political/election process specifically.”
On September 13, 2017, Acting Secretary of Homeland Security Elain Duke issued a Binding Operational Directive to Federal Executive Branch departments and agencies to stop using software made by the Russian cybersecurity firm Kaspersky Lab. In a statement DHS said “[t]he risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.
There is a profound and urgent public interest in the release of records in possession of the DHS sought by EPIC, through EPIC v. DHS, concerning the Russian interference with the 2016 Presidential Election. The release of these records is necessary for the public to evaluate DHS’s response to the Russian interference, assess future threats to American democratic institutions, and to ensure the accountability of the federal agency with the legal authority to safeguard the American people against foreign cyber-attacks. EPIC v. DHS is one of a suite of FOIA lawsuits EPIC is pursuing as a part of the EPIC Cybersecurity and Democracy Project. This project focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. EPIC has filed three other Freedom of Information Act lawsuits concerning Russian interference in the 2016 Presidential Election: EPIC v. FBI seeks information about the FBI's response to the attacks, EPIC v. IRS EPIC v. IRS seeks public release of Donald J. Trump’s tax returns, and EPIC v. ODNI seeks release of the complete report on the Russian interference.
- March Production Letter (March 15, 2018)
- April Production Letter (April 16, 2018)
- May Production Letter (May 11, 2018)
- June Production Letter (June 15, 2018)
- July Production Letter (July 16, 2018)
U.S. District Court for the District of Columbia (No. 17-2047)
- EPIC: Democracy and Cybersecurity: Preserving Democratic Institutions
- EPIC: Open Government Project
- EPIC: EPIC v. FBI
- EPIC: EPIC v. ODNI
- EPIC: EPIC v. IRS
- Homeland Security and Gov't Affairs Comm. Democratic Staff, Memorandum Highlighting DHS Aid to States to Secure Elections Systems (2017)
- U.S. Department of Homeland Security & Federal Bureau of Investigation, GRIZZLY STEPPE - Russian Malicious Cyber Activity, Joint Analysis Report (2016)
- ODNI Assessing Russian Activities and Intentions in Recent US Elections, Assessment (2017)
- Tim Starks, The Checklist for DHS on Election Security, Politico (Dec. 12, 2017)
- Tal Kopan, Feds Have Eye On Cybersecurity Issues As Voters Go To Polls, CNN (Nov. 7, 2017)
- Maryam Saleh, The U.S. Election System Remains Deeply Vulnerable, But States Would Rather Celebrate Fake Success, The Intercept (Oct. 3, 2017)
- Morgan Chalafant, California: DHS gave 'bad information' on Russian hacking, Hill (Sept. 28, 2017)
- Callum Borchers, What We Know About the 21 States Targeted by Russian Hackers, Wash. Post (Sept. 23, 2017)
- Eric Geller, DHS bars government from using Russia-based Kaspersky software, Politico (Sept. 13, 2017)
- Matt Zapotosky and Karoun Demirjian, Homeland Security official: Russian government actors tried to hack election systems in 21 states, Wash. Post (June 21, 2017)
- Rebecca Shabad, Jeh Johnson says FBI delayed notification of DNC cyberattack, CBS News (June 21, 2017)