Presidential Directives on Cybersecurity
Cybersecurity encompasses an array of challenges to protect cyberspace. Over the years, Presidential Directives have often been used to set cybersecurity policy in the United States.
The ubiquity of cyberspace and its importance in our lives puts cybersecurity front and center as one of the more important policy issues of our times. The public deserves a debate about appropriate cybersecurity measures that includes clear and accessible explanations of the White House’s cybersecurity policy. Too often cybersecurity policy is set by presidential directives that are not available to the public.
Presidential directives are used as an instrument of national security to affect cybersecurity policy and generally derive from the policy papers produced by the National Security Council (NSC) that advises the president on national security issues. Presidential Directives are not required to be published in the Federal Register and are often highly classified. This has been the case for presidential directives pertaining to cybersecurity. The secrecy surrounding cybersecurity policy has hindered the ongoing public debate in this area.
Presidential Policy Directive 41 (PPD-41)
The Obama Administration released PPD-41 in July 2016 to outline how the Federal Government responds to significant cyber incidents following Russian cyber-attacks during the 2016 election. PPD-41 clarifies that the FBI is the lead federal agency for investigating cyber-attacks in the United States by criminals, overseas adversaries, and terrorists.
But questions have been raised about the failure of the FBI to adequately investigate the attacks on the nation’s political institutions. In 2017, EPIC therefore pursued to help the public “evaluate the FBI response to the Russian interference, assess threats to American democratic institutions, and to ensure the accountability of the federal agency with the legal authority to safeguard the American people against foreign cyber-attacks. In EPIC v. FBI, EPIC obtained documents concerning the FBI’s victim notification procedures. The Inspector General found that the FBI’s system for notifying victims of cyberattacks is “unreliable” and “incomplete” and that “not all victims were informed of their rights as required by” DOJ guidelines, which are “outdated since they do not consider the needs of victims of cybercrime.”
Presidential Policy Directive 20 (PPD-20)
PPD-20 was implemented by President Obama in October 2012, but was not released to the public. However, on June 7, 2013, PPD 20 was released by The Guardian, which had received the document from NSA leaker Edward Snowden. The directive details government policy regarding offensive cyber action and instructions to compile a list of potential targets for such action. According to the classified document, the “Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk …” According to news reports, the directive gives broader power to the military to block cyberattacks and discusses what constitutes an “offensive” verses a “defensive” action with respect to cyberwar and cyberterrorism. Additionally, the directive discusses the use of cyber-operations–actions taken outside U.S. networks.
National Security Presidential Directive 54 (NSPD 54)
NSPD 54 was implemented by President George W. Bush in January 2008. NSPD 54 was issued concurrently as Homeland Security Presidential Directive 23. The NSPD 54/HSPD 23 authorized the DHS (together with OMB) to set minimum operational standards for Federal Executive Branch civilian networks, and it empowers DHS to lead and coordinate the national cybersecurity effort to protect cyberspace and the computers connected to it. The directive also contains the Comprehensive National Cybersecurity Initiative (CNCI). The broad scheme of CNCI was described in a publicly-released 20009 document which included 12 initiatives:
- Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
- Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
- Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
- Initiative #4. Coordinate and redirect research (R&D) and development efforts.
- Initiative #5. Connect current cyber ops centers to enhance situational awareness.
- Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
- Initiative #7. Increase the security of our classified networks.
- Initiative #8. Expand cyber education.
- Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs.
- Initiative #10. Define and develop enduring deterrence strategies and programs.
- Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
- Initiative #12. Define the Federal role of extending cybersecurity into critical infrastructure domains.
On June 5, 2014, the NSA released National Security Presidential Directive 54 (“NSPD 54”) to EPIC after nearly five years of FOIA litigation. NSPD 54 is the foundational legal document outlining the Comprehensive National Cybersecurity Initiative (CNCI), the federal government’s effort to coordinate cybersecurity policy across federal law enforcement, intelligence and executive agencies, as well as with other law enforcement agencies and the private sector. The previously-classified document reveals the underlying legal authority for sweeping changes to federal cybersecurity that have taken place over the last five years. Additionally, NSPD 54 contains significant differences from the previously-released description of the CNCI. For the first time, the public now has access to the document empowering federal agencies to share cybersecurity information, develop offensive cyber programs and improve automated and predictive cyber technologies. NSPD 54 provides the public with an explanation of the government’s legal and policy choices regarding cybersecurity and reveals new information about the government’s coordinated cybersecurity efforts.
National Security Presidential Directive 38 (NSPD 38)
NSPD 38 was issued on July 7, 2004, as the National Strategy to Secure Cyberspace. The contents of this classified directive have never been released, but prior to the issuance of NSPD 38, the White House released a different document also entitled “National Strategy to Secure Cyberspace” that detailed five priorities to secure cyberspace:
- A National Cyberspace Security Response System.
- A National Cyberspace Security Threat and Vulnerability Reduction Program.
- A National Cyberspace Security Awareness and Training Program.
- Securing Governments’ Cyberspace
- National Security and International Cyberspace Security Cooperation
National Security Decision Directive 145 (NSDD 145)
NSDD 145 was issued by President Reagan in 1984. The directive gave the NSA control over all government computer systems containing “sensitive but unclassified” information. NSDD 145 was followed by a second directive issued by National Security Advisor John Poindexter that extended NSA authority over non-government computer systems. In response to these directives, Congress passed the Computer Security Act of 1987 (CSA). The Act reaffirmed that the National Institute for Standards and Technology (NIST) was responsible for the security of unclassified, non-military government computer systems. CSA limited the National Security Agency to providing technical assistance in the civilian security realm.
Freedom of Information Request for NSPD 54
EPIC submitted a FOIA request in June 2009 directed at the NSA requesting copies of the directive along with copies of any initiatives or privacy policies associated with the directive. The NSA initially made no substantive determination regarding EPIC’s FOIA request. EPIC subsequently filed an administrative appeal and then the NSA released two documents that had previously been made public. Eventually, NSA also identified three relevant documents that it refused to disclose. EPIC appealed the NSA’s determination and after receiving no response filed a lawsuit against the NSA.
The NSA eventually released heavily redacted versions of two of the three documents identified by the NSA as responsive to EPIC’s request. EPIC appealed this decision in Federal Court, but the District Court ruled that NSPD 54 was not an agency record discoverable under FOIA. However, after EPIC appealed this decision to the D.C. Circuit Court, the NSA released the document to EPIC with minor redactions. EPIC has released NSPD 54, allowing the public to review the government’s foundational cybersecurity policy for the first time.
Freedom of Information Request for PPD 20
Immediately after the news broke that President Obama had signed a new cybersecurity directive, EPIC submitted a FOIA request directed at the NSA requesting the release of the directive. The NSA denied EPIC’s request. PPD 20 became public after it was leaked to the Guardian by NSA whistleblower Edward Snowden. The directive orders the creation of potential targets for Offensive Cyber Effects Operations by the National Security Agency. According to the classified document, the “Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . .”
Recent Documents on Presidential Directives on Cybersecurity
Seeking NPSD 54, a Presidential Directive that grants the National Security Agency broad authority to conduct surveillance of domestic communications.
Executive Order on Improving the Nation’s Cybersecurity
The White House | 2021
Justice Department’s Role in Cyber Incident Response
Congressional Research Service | 2017
Cyberspace Policy Review
The White House (Obama) | 2009