Presidential Directives and Cybersecurity
Concerning the use of Presidential Directives in Cybersecurity Policy
- EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public: EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers to "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights. (Aug. 5, 2016)
- EPIC Presses House Leaders on "Data Protection": At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communication Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016. (Jun. 10, 2016)
- New Congressional Report Explores Legal Issues Regarding Compelled Decryption: "Encryption: Selected Legal Issues," a new report from the Congressional Research Service, explores two important legal questions that arise from government requests for compelled decryption: the Fifth Amendment right agains self-incrimination and the scope of the All Writs Act, the federal statute at issue in Apple v. FBI. EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case, pointing to the increased risk of cell phone theft and financial fraud that would result from compelled encryption. (Mar. 8, 2016)
- EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case: Today EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case. In Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning consumer privacy and also the Fourth Amendment. (Mar. 3, 2016)
- Bill to Establish Digital Security Commission Introduced in House: Rep. Lieu (D-CA) has cosponsored bipartisan legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple opposes a court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Mar. 2, 2016)
- Apple Opposes FBI Decryption Order: Today Apple filed a "motion to vacate" a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. In its brief, Apple asserts that this case is about "the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe." Apple argued that the FBI's requested court order violates the First and Fifth Amendments. Consumer Reports found that more than 3.1 million cellphones were stolen in 2013, and noted that "efforts by the telecom industry to reduce thefts don't seem to be helping matters." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Feb. 25, 2016)
- Writers Side with Apple in Encryption Fight with FBI: In a letter to the Attorney General, leading writers and artists protested the FBI's "efforts to force Apple to create software that could effectively enable the U.S. government to unlock any iPhone." The letter from the PEN America Center highlights how "intrusions on privacy damage creative expression and free speech." EPIC has long supported strong encryption as key to the future of privacy and security. EPIC recently gave the 2015 Champion of Freedom Award to Apple CEO Tim Cook for his work in promoting encryption and protecting privacy and security. The 2016 EPIC Awards dinner will be held on June 6th in Washington, DC. (Feb. 24, 2016)
- President Announces $19 billion Cybersecurity Plan: President Obama has proposed a $19 billion Cybersecurity National Action Plan that aims to modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has repeatedly urged federal agencies to uphold Privacy Act protections. (Feb. 23, 2016)
- Apple Opposes FBI Decryption Order: Apple has opposed a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. The order followed an FBI application under the All Writs Act, a law from 1789. Apple CEO Tim Cook wrote in response that the government's action "would undermine the very freedoms and liberty our government is meant to protect." In 2015, EPIC gave the Champion of Freedom Award to Mr. Cook for his work protecting privacy and promoting encryption. The EPIC 2016 Awards dinner will be held June 6 in Washington, DC. (Feb. 17, 2016)
- House Adds Cyber Surveillance to Budget Bill: Today, the House added the Cybersecurity Act of 2015 to an expansive appropriations bill. The Cybersecurity Act was negotiated behind closed doors and represents a new version of the Cybersecurity Information Sharing Act (CISA). Previous versions of CISA have been opposed by a broad coalition of organizations. The current bill, like previous ones, would allow the government to obtain personal information from private companies without judicial oversight. The Act would also expand government secrecy. EPIC previously won a five-year court battle to obtain NSPD 54, a foundational legal document for U.S. cybersecurity policies that revealed the government's interest in enlisting the private sector to monitor user activity. (Dec. 16, 2015)
Cybersecurity encompasses an array of challenges to protect cyberspace. Cyberspace as defined by the Cyberspace Policy Review is the "interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries." The policy review goes on to define Cybersecurity policy to include "strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities." Cyberspace has become a common feature of modern society and touches almost every citizen in a number of different areas including online commerce, healthcare, financial services, and social media.
The ubiquity of cyberspace and its importance in our lives puts cybersecurity front and center as one of the more important policy issues going forward. The public deserves a debate about appropriate cybersecurity measures that includes clear and accessible explanations of the Whitehouse's cybersecurity policy. Too often cybersecurity policy is set by presidential directives that are not available to the public.
Presidential directives are similar to Executive Orders--they have the same substantive legal effect. Just like executive orders, presidential directives do not lose their legal effectiveness upon a change of administration. Presidential directives are used as an instrument of national security to affect policy in this area and generally derive from the policy papers produced by the National Security Council (NSC) that advises the president on national security issues. They are not required to be published in the Federal Register and are often highly classified. This has been the case for presidential directives pertaining to cybersecurity. The secrecy surrounding cybersecurity policy has hindered the ongoing public debate in this area.
National Security Decision Directive 145 (NSDD 145)
NSDD 145 was issued by President Reagan in 1984. The directive gave the NSA control over all government computer systems containing "sensitive but unclassified" information. NSDD 145 was followed by a second directive issued by National Security Advisor John Poindexter that extended NSA authority over non-government computer systems. In response to these directives, Congress passed the Computer Security Act of 1987 (CSA). The Act reaffirmed that the National Institute for Standards and Technology (NIST) was responsible for the security of unclassified, non-military government computer systems. CSA limited the National Security Agency to providing technical assistance in the civilian security realm.National Security Presidential Directive 38 (NSPD 38)
NSPD 38 was issued on July 7, 2004, as the National Strategy to Secure Cyberspace. The contents of this classified directive have never been released, but prior to the issuance of NSPD 38, the Whitehouse released a different document also entitled "National Strategy to Secure Cyberspace" that detailed five priorities to secure cyberspace:
- A National Cyberspace Security Response System.
- A National Cyberspace Security Threat and Vulnerability Reduction Program.
- A National Cyberspace Security Awareness and Training Program.
- Securing Governments' Cyberspace
- National Security and International Cyberspace Security Cooperation
NSPD 54 was implemented by President George W. Bush in January 2008. NSPD 54 was issued concurrently as Homeland Security Presidential Directive 23. The NSPD 54/HSPD 23 authorized the DHS (together with OMB) to set minimum operational standards for Federal Executive Branch civilian networks, and it empowers DHS to lead and coordinate the national cybersecurity effort to protect cyberspace and the computers connected to it. The directive also contains the Comprehensive National Cybersecurity Initiative (CNCI). The broad scheme of CNCI was described in a publicly-released 20009 document which included 12 initiatives:
- Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
- Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
- Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
- Initiative #4. Coordinate and redirect research (R&D) and development efforts.
- Initiative #5. Connect current cyber ops centers to enhance situational awareness.
- Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
- Initiative #7. Increase the security of our classified networks.
- Initiative #8. Expand cyber education.
- Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs.
- Initiative #10. Define and develop enduring deterrence strategies and programs.
- Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
- Initiative #12. Define the Federal role of extending cybersecurity into critical infrastructure domains.
On June 5, 2014, the NSA released National Security Presidential Directive 54 ("NSPD 54") to EPIC after nearly five years of FOIA litigation. NSPD 54 is the foundational legal document outlining the Comprehensive National Cybersecurity Initiative (CNCI), the federal government’s effort to coordinate cybersecurity policy across federal law enforcement, intelligence and executive agencies, as well as with other law enforcement agencies and the private sector. The previously-classified document reveals the underlying legal authority for sweeping changes to federal cybersecurity that have taken place over the last five years. Additionally, NSPD 54 contains significant differences from the previously-released description of the CNCI. For the first time, the public now has access to the document empowering federal agencies to share cybersecurity information, develop offensive cyber programs and improve automated and predictive cyber technologies. NSPD 54 provides the public with an explanation of the government's legal and policy choices regarding cybersecurity and reveals new information about the government's coordinated cybersecurity efforts.Presidential Policy Directive 20 (PPD 20)
PPD 20 was implemented by President Obama in October 2012, but was not released to the public. However, on June 7, 2013, PPD 20 was released by The Guardian, which had received the document from NSA leaker Edward Snowden. The directive details government policy regarding offensive cyber action and instructions to compile a list of potential targets for such action. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk ..." According to news reports, the directive gives broader power to the military to block cyberattacks and discusses what constitutes an "offensive" verses a "defensive" action with respect to cyberwar and cyberterrorism. Additionally, the directive discusses the use of cyber-operations--actions taken outside U.S. networks.
Freedom of Information Request for NSPD 54
EPIC submitted a FOIA request in June 2009 directed at the NSA requesting copies of the directive along with copies of any initiatives or privacy policies associated with the directive. The NSA initially made no substantive determination regarding EPIC's FOIA request. EPIC subsequently filed an administrative appeal and then the NSA released two documents that had previously been made public. Eventually, NSA also identified three relevant documents that it refused to disclose. EPIC appealed the NSA's determination and after receiving no response filed a lawsuit against the NSA.
The NSA eventually released heavily redacted versions of two of the three documents identified by the NSA as responsive to EPIC's request. EPIC appealed this decision in Federal Court, but the District Court ruled that NSPD 54 was not an agency record discoverable under FOIA. However, after EPIC appealed this decision to the D.C. Circuit Court, the NSA released the document to EPIC with minor redactions. EPIC has released NSPD 54, allowing the public to review the government’s foundational cybersecurity policy for the first time.
Freedom of Information Request for PPD 20Immediately after the news broke that President Obama had signed a new cybersecurity directive, EPIC submitted a FOIA request directed at the NSA requesting the release of the directive. The NSA denied EPIC's request. PPD 20 became public after it was leaked to the Guardian by NSA whistleblower Edward Snowden. The directive orders the creation of potential targets for Offensive Cyber Effects Operations by the National Security Agency. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ."
- Coalition Letter Outlining Concerns Regarding Lack of Civil Society Presence in Decision Making
- White House Cybersecurity Memo Title: FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, April 21, 2010
- Advance Senate Armed Services Confirmation Hearing Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command (Hearing Date April 15, 2010
- Remarks on Internet Freedom, Hillary Rodham Clinton, Secretary of State at The Newseum, Washington, DC, January 21, 2010
- Privacy and Technology Experts Reply to Clinton's Remarks by Urging Ratification of the Council of Europe Convention on Privacy, January 28, 2010
- EPIC FOIA for National Security Presidential Directive 54
- Obama Administration: Cyberspace Policy Review
- Critical Infrastructure Protection and the Endangerment of Civil Liberties
- DHS Cybersecurity Documents
- DHS: A Road Map to Cybersecurity
- CRS Analysis of the US PATRIOT Act
- White House Cyberspace Policy Review (May 29, 2009)
- President Obama's Speech on Cyber-security (May 29, 2009)
- EPIC's Testimony to the House Subcommittee on Oversight and Investigations on "Creating the Department of Homeland Security: Consideration of the Administration's Proposal" (July 9, 2002)
- EPIC's Testimony to the Senate Committee on Governmental Affairs on "Securing Our Infrastructure: Private/Public Information Sharing" (May 8, 2002)
- EPIC's Letter to the House Judiciary Committee, Subcommittee on Crime, on H.R. 3482, The Cyber Security Enhancement Act of 2002(February 26, 2002)
- EPIC's Testimony to the House Government Reform Committee on H.R. 4246, The Cyber Security Information Act (June 22, 2000)
- EPIC's Testimony to the Senate Judiciary Committee on "CyberAttack: The National Protection Plan and its Privacy Implications" (PDF, 128K) (February 1, 2000)
- EPIC Press Release on "National Plan for Information Systems Protection" (February 1, 2000)
- Memo from Ronald D. Lee, Associate Deputy Attorney General, Department of Justice to Jeffrey Hunker, Director, Critical Infrastructure Assurance Office regading the National Information Systems Protection Plan, March 8, 1999. Obtained by EPIC under the Freedom of Information Act.
- Memo from Jeffrey Hunker, CIAO to CICG Members regarding "Offsite Materials." Obtained by EPIC under the Freedom of Information Act.
- White House "National Plan for Information Systems Protection" (PDF, 912K) (January 7, 2000)
- Executive Summary of "National Plan for Information Systems Protection" (PDF, 664K) (January 7, 2000)
- White House Press Release on "Cyber-Security" (January 7, 2000)
- Transcript of White House Press Briefing on "Cyber-Security" (January 7, 2000)
- European Parliament: Report ont he existence of a global system for interception of privacy and commercial communications(ECHELON intercept system) (2001/2098(INI))
- EPIC FOIA for disclosure of National Security Presidential Directive 54
- NSA FOIA Request for Classified Supplement from Cyber Command Nominee Alexander
- E-Deceptive Campaign Practices: Internet Technology and Democracy 2.0
- Critical Infrastructure Protection and the Endangerment of Civil Liberties (October 1998)
- Surfer Beware: Notice is Not Enough (1998)
- Surfer Beware I (1997)
- EPIC Privacy Guidelines National Information Infrastructure (1994)
- Federal Bureau of Investigation
- United States Department of Defense
- United States Department of the Treasury
- Department of Commerce
- Department of Homeland Security
- Department of Energy
- Defense Information Systems Agency
- The Defense Intelligence Agency
- National Institute of Standards and Technology
- The National Security Institute
- Terrorism Research Center
- American Bar Association Standing Committee On Law and National Security
- National Telecommunications and Information Administration
- Infrastructure Assurance Center
- Office of the Director of National Intelligence
- Federation of American ScientistsComprehensive Guide to Information Warfare Resources
- The Institute for Advanced Study of Information Warfare
- National Archives and Records Administration
- The Government Printing Office (Research site)
- Institute for Telecommunication Science (ITS is the research and engineering branch of the National Telecommunications and Information Administration, which is part of the U.S. Department of Commerce.)
- White House cyber security plan to cite e-health, Health IT, By Mary Mosquera, Wednesday, May 12, 2010
- A House insider's view of U.S. cybersecurity policy, Federal Computer Week, Ben Bain, May 6, 2010
- Summit in Dallas targets cybercrime, Dallas Morning News, By VICTOR GODINEZ, May 3, 2010
- Whitehouse: Congress needs clarity on who handles cybersecurity, the Hill, By Tony Romm - May 3, 2010
- Cyber-Security Survey Shows Distrust Between Public and Private Sectors, Government Technology, May 3, 2010
- FBI Names Cybersecurity Division Chief, Elizabeth Montalbano, InformationWeek, April 26, 2010
- Meeting of the Minds Over Fed Cybersecurity, Government Info Security
- Politicians jockey for cybersecurity positioning, Federal Computer Week, Ben Bain, April 23, 2010
- FCC launches NOI on voluntary cybersecurity certification program - NOI seeks to implement National Broadband Plan information security recommendation, Association of Corporate Council, April 22, 20101
- DHS Fills 2 Key Cybersecurity Posts, Government Info Security, April 21, 2010
- Cyber Command nominee lays out rules of engagement, Ben Bain, Federal Computer Week, April 16, 2010
- Pick to lead cyber command lays out battle plans, Ben Bain, Federal Computer Week, April 15, 2010
- Computer Security Review Due This Week, Helene Cooper, N.Y. Times, May 26, 2009.
- Cyber Terror Arsenal Grows. Niall McKay, Wired News, October 16, 1998.
- An Electronic Pearl Harbor? Not Likely. George Smith, Issues in Science and Technology, Fall 1998.
- American Military Intervention: A User's Guide. The Heritage Foundation's look at military intervention.
- Protecting America's Critical Infrastructures. Critical Infrastructure Assurance Office factsheet on PDD 63.
- White House Fact Sheet: Protecting America's Critical Infrastructures: PDD 63. May 22, 1998.
- President Clinton's speech on infrastructure protection at the U.S. Naval Academy, May 22, 1998.
- Statement of Dr. Jeffrey A. Hunker (Director, Critical Infrastructure Assurance Office).
- Is Cyberterrorism a Real Threat?. Reuters.
- Reno Unveils Center to Protect Infrastructure. Heather Harreld and Torsten Busse, Federal Computer Week.
- Hearing Before the House Science Subcommittee on H.R. 1903, The Computer Security Enhancement Act of 1997.. Testimony of Willis H. Ware, Chairman, Computer System Security and Privacy Advisory Board, June 19, 1997.
- Report to the President's Commission on Critical Infrastructure Protection. James Ellis, David Fisher, Thomas Longstaff, Linda Pesante, and Richard Pethia, CERT Coordination Center Software Engineering Institute, Carnegie Mellon University, January 1997.
- Reflections on the 1997 Commission on Critical Infrastructure Protection (PCCIP) Report. Clark Staten, The Emergency Responce and Research Institute.
- Report of the Defense Science Board Task Force on Information Warfare. November 1996.
- What is Information Warfare?. Martin C. Libicki, March 1996.
- Papers on Network Centric Warfare.
- EPIC: The Clipper Chip.
- Overview of the Defense Intelligence Agency (DIA).
- List of websites related to the Department of Defense Advanced Research Projects Agency.
Cybersecurity Infrastructure Surveillance Laws
- US PATRIOT ACT
- Foreign Intelligence Surveillance Act
- Electronic Communications Privacy Act
- Federally Funded State Managed Fusion Centers
- Office of National Intelligence Director's Information Sharing Environment
- DHS Einstein Program (I, II, III)
- National Security Presidential Directive 54 (Amended by George Bush)
Cybersecurity Legislation in the 111th Congress
- H.R.2165: Bulk Power System Protection Act of 2009 (Barrow)
- S. 3193: International Cyberspace and Cybersecurity Coordination Act of 2010 (Kerry)
- Cybersecurity Enhancement Act of 2010, (Lipinski)
- S. 773: Cybersecurity Act of 2009 (Rockefeller)
- S. 778: To establish, within the Executive Office of the President, the Office of the National Cybersecurity Advisor (Rockefeller)
- S. 1438: Fostering a Global Response to Cyber Attacks Act (Gillibrand)
- S. 921: U.S. ICE Act of 2009 (Carper)
- H.R. 1319: Informed P2P User Act (Bono Mack)
- Cyberwar Commander Survives Senate Hearing, Wired Magazine, Threat Level Blog, April 15, 2010
- DHS Announces National Cybersecurity Awareness Campaign Challenge Deadline April 30, 2010
- U.S. to Reveal Rules on Internet Security, By JOHN MARKOFF, New York Times, March 1, 2010
- Google Asks Spy Agency for Help With Inquiry Into Cyberattacks, By JOHN MARKOFF, New York Times, February 4, 2010
- Privacy experts see room for improvement from Obama, By Andrew Noyes, CongressDaily, September 9, 2009
- Cybersecurity Plan Doesn't Breach Employee Privacy, Administration Says, By Ellen Nakashima, Washington Post, September 19, 2009
- Obama Set to Create A Cybersecurity Czar With Broad Mandate, Ellen Nakashima, Washington Post, May 26, 2009
- National Cyber Security Czar Steps Down, March 9, 2009
- Cybersecurity Plan to Involve NSA, Telecoms DHS Officials Debating The Privacy Implications, By Ellen Nakashima, Washington Post Staff Writer, July 3, 2009
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
Communications Law and Policy
Jerry Kang and Alan Butler