You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

Presidential Directives and Cybersecurity

Concerning the use of Presidential Directives in Cybersecurity Policy

Latest News

  • EPIC Signs on to Protect Encryption in the Brazilian Code of Criminal Procedure Updates: EPIC has joined other members of the Global Encryption Coalition in a letter urging Brazil to address proposed updates to the Brazilian Code of Criminal Procedure that would threaten encryption and data security in Brazil. The text as it stands could force companies using strong security protections - such as end-to-end encryption - to introduce security flaws into their systems to be used as backdoors for law enforcement. Such measures endanger users and encourage exploitation of these weaknesses. EPIC led the effort in the United States in the 1990s to support strong encryption tools and played a key role in the development of the international framework for cryptography policy that favored the deployment of strong security measures to safeguard personal information. EPIC also filed an amicus brief in Apple v. FBI in support of encryption. (Jun. 29, 2021)
  • EPIC to Maryland Legislators: Security Questions Need Upgrade: EPIC Interim Associate Director and Policy Director Caitriona Fitzgerald will testify today before the Maryland Senate Committee on Finance in support of stronger authentication methods to protect consumers. Senate Bill 185 requires financial institutions that choose to use security questions as an authentication method to provide customers with more than one security question option. EPIC noted that there are plenty of alternative authentication methods available today and that financial institutions truly should no longer be using basic security questions. "The requirement that your password contain one uppercase letter, one lowercase letter, one symbol, and one number is meaningless if all that is required to bypass that password is your pet’s name," EPIC told the Committee. But, EPIC said, if security questions are going to be used, institutions should ensure that multiple question options are given, and that users are permitted to answer the questions with randomly-generated password-like answers rather than factual, semantic answers. (Feb. 9, 2021)
  • Documents Obtained by EPIC Reveal DHS’s Slow Response to Election Cybersecurity Threats, Underscore Risks Posed by New Voting Technologies: EPIC has obtained additional documents related to federal efforts to respond to election cybersecurity threats in its suit against the Department of Homeland Security. The documents include summaries of: the DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report. The incident logs reveal difficulties contacting campaign officials in the lead up to the 2016 Election and concern voiced within the agency about "unbalanced" outreach. And DHS contacts with state election officials were somewhat limited as some were wary that the critical infrastructure designation "would at a later time lead to regulation on states." In the September 2016 Election Infrastructure Cyber Risk Characterization Report, the DHS Office of Cyber and Infrastructure Analysis found that compromises in voter registration databases resulted in the potential release of personally identifiable information but not the modification of the underlying records. The DHS determined that exposure of this information could undermine public confidence in election systems. The DHS also counseled strongly against untested voting technologies, finding that the "introduction of new technologies in the voting system will increase vulnerabilities to the election system in the future," particularly the implementation of internet-connected voting systems. The case is EPIC v. DHS, 17-2047 (D.D.C.). (Aug. 19, 2020)
  • EPIC to Congress: Strong Encryption Keeps Our Nation Secure: In advance of a hearing on "Encryption on Lawful Access," EPIC wrote to the Senate Judiciary Committee "now is not the time to undermine the systems that we all rely upon to secure our data and communications." EPIC cited growing problems of data breach and cyber attack. Leading computer scientists and security experts, including members of the EPIC Advisory Board, have found that proposals to add "backdoors" for law enforcement are "unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm." EPIC previously filed an amicus brief in Apple v. FBI in support of robust security safeguards for cellphone users. EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC President Marc Rotenberg warned of the risk of NSA-mandated backdoors in a 1990 article, "The Only Locksmith in Town." (Dec. 10, 2019)
  • Report: FBI Victim Notification Procedures ‘Unreliable’ and ‘Incomplete’: The FBI’s system for notifying victims of cyberattacks is “unreliable” and “incomplete,” according to a report by the Inspector General for the Department of Justice. The IG report found that “not all victims were informed of their rights as required by” DOJ guidelines, which are “outdated since they do not consider the needs of victims of cybercrime.” In 2017, EPIC obtained through EPIC v. FBI, a FOIA lawsuit, the FBI Victim Notification Procedures that should have applied to Russian cyberattacks during the 2016 Presidential election. The FBI Notification Procedures made clear that notification should occur “even when it may interfere with another investigation or (intelligence) operation.” The records obtained by EPIC led to an Associated Press investigation (“FBI gave heads-up to fraction of Russian hackers’ US targets”), which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. The EPIC Democracy and Cybersecurity Project has pursued multiple FOIA cases concerning Russian interference with the 2016 election, including EPIC v. DOJ (the Mueller Report), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), EPIC v. IRS II (release of Trump business tax records), and EPIC v. DHS (election cybersecurity). (Apr. 1, 2019)
  • EPIC Files Brief on Government Hacking With Court of Human Rights: EPIC has filed a brief with the European Court of Human Rights detailing the public safety and privacy risks of government hacking. Privacy International v. United Kingdom asks whether remote hacking by UK intelligence services violates the European Charter of Fundamental Rights. The Court recently granted EPIC's request to intervene in the case. "Hacking tools stockpiled by governments could be used by criminals to mount cyberattacks," EPIC's brief states. EPIC also explained that "Government hacking weakens security safeguards." EPIC has long advocated for strong cybersecurity policies. (Feb. 28, 2019)
  • EPIC, Coalition Ask Australia to Amend "Assistance and Access" Law: EPIC and a coalition of civil society organizations told the Australian Parliament that a law allowing police to require weak security for tech products should be amended. The Parliament reopened debate over the "Assistance and Access" law, broadly denounced as a threat to security and freedom of expression. Following earlier comments, the coalition has now called on the Australian Parliament to narrow the law. EPIC has long advocated for strong encryption, led the campaign against the Clipper Chip, and published the first global survey on Cryptography and Liberty. And when the FBI sued Apple in 2016 for refusing to allow law enforcement access to iPhones, EPIC filed an amicus brief in support of Apple arguing the FBI's demand "places at risk millions of cell phone users across the United States." (Feb. 25, 2019)
  • EPIC Commends FAA Comment Opportunity on Aircraft Security, Urges More Public Reporting: In comments to the Federal Aviation Administration, EPIC praised the agency for inviting public input on technology that exposes aircraft control networks to remote hacking. EPIC previously warned the FAA that, "hackers can exploit weaknesses in drone software to gain control of a drone's movement and other features." EPIC has also called attention to the potential for connected cars and Internet of Things devices to be hacked. EPIC recommended that the FAA routinely report on the growing risks of cyber attack. (Jan. 8, 2019)
  • EPIC, Coalition Call for Investigation into FBI's Inflated Encryption Statistic: EPIC and a coalition of twenty organizations called for the Department of Justice Inspector General to investigate the FBI's "grossly inflated" statistic of encrypted devices inaccessible to law enforcement in 2017. The Washington Post reported that the FBI repeatedly stated it was locked out of 7,800 devices, but subsequent review suggested the actual number is about 1,200. The coalition wrote to the IG asking him to investigate the error, why DOJ officials used the data point after it was discovered to be incorrect, and what measures were taken to inform Congress and the public of the FBI's miscalculation. EPIC President Marc Rotenberg previously told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States." (Jun. 5, 2018)
  • EPIC to Senate: Weaknesses in Cybersecurity Threaten Both Consumers and Democratic Institutions: EPIC submitted a statement to the Senate Homeland Security Committee in advance of a hearing on "Cyber Threats Facing America." Last year, the White House National Security Strategy report set out the administration's goals for global policy. EPIC supports several of the goals in the National Strategy report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the Senate Committee to seek assurances that those goals will remain priorities for this administration. Quoting former world chess champion Garry Kasparov, EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time." (Apr. 24, 2018)

Introduction

Cybersecurity encompasses an array of challenges to protect cyberspace. Cyberspace as defined by the Cyberspace Policy Review is the "interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries." The policy review goes on to define Cybersecurity policy to include "strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities." Cyberspace has become a common feature of modern society and touches almost every citizen in a number of different areas including online commerce, healthcare, financial services, and social media.

The ubiquity of cyberspace and its importance in our lives puts cybersecurity front and center as one of the more important policy issues going forward. The public deserves a debate about appropriate cybersecurity measures that includes clear and accessible explanations of the White House's cybersecurity policy. Too often cybersecurity policy is set by presidential directives that are not available to the public.

Presidential directives are similar to Executive Orders--they have the same substantive legal effect. Just like executive orders, presidential directives do not lose their legal effectiveness upon a change of administration. Presidential directives are used as an instrument of national security to affect policy in this area and generally derive from the policy papers produced by the National Security Council (NSC) that advises the president on national security issues. They are not required to be published in the Federal Register and are often highly classified. This has been the case for presidential directives pertaining to cybersecurity. The secrecy surrounding cybersecurity policy has hindered the ongoing public debate in this area.

Presidential Directives

National Security Decision Directive 145 (NSDD 145)

NSDD 145 was issued by President Reagan in 1984. The directive gave the NSA control over all government computer systems containing "sensitive but unclassified" information. NSDD 145 was followed by a second directive issued by National Security Advisor John Poindexter that extended NSA authority over non-government computer systems. In response to these directives, Congress passed the Computer Security Act of 1987 (CSA). The Act reaffirmed that the National Institute for Standards and Technology (NIST) was responsible for the security of unclassified, non-military government computer systems. CSA limited the National Security Agency to providing technical assistance in the civilian security realm.

National Security Presidential Directive 38 (NSPD 38)

NSPD 38 was issued on July 7, 2004, as the National Strategy to Secure Cyberspace. The contents of this classified directive have never been released, but prior to the issuance of NSPD 38, the White House released a different document also entitled "National Strategy to Secure Cyberspace" that detailed five priorities to secure cyberspace:

  1. A National Cyberspace Security Response System.
  2. A National Cyberspace Security Threat and Vulnerability Reduction Program.
  3. A National Cyberspace Security Awareness and Training Program.
  4. Securing Governments' Cyberspace.
  5. National Security and International Cyberspace Security Cooperation.

National Security Presidential Directive 54 (NSPD 54)

NSPD 54 was implemented by President George W. Bush in January 2008. NSPD 54 was issued concurrently as Homeland Security Presidential Directive 23. NSPD 54/HSPD 23 authorized the DHS (together with OMB) to set minimum operational standards for Federal Executive Branch civilian networks, and it empowers DHS to lead and coordinate the national cybersecurity effort to protect cyberspace and the computers connected to it. The directive also contains the Comprehensive National Cybersecurity Initiative (CNCI). The broad scheme of CNCI was described in a publicly released 2009 document, which included 12 initiatives:

  • Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
  • Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
  • Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
  • Initiative #4. Coordinate and redirect research and development (R&D) efforts.
  • Initiative #5. Connect current cyber ops centers to enhance situational awareness.
  • Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
  • Initiative #7. Increase the security of our classified networks.
  • Initiative #8. Expand cyber education.
  • Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs.
  • Initiative #10. Define and develop enduring deterrence strategies and programs.
  • Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
  • Initiative #12. Define the Federal role of extending cybersecurity into critical infrastructure domains.

On June 5, 2014, the NSA released National Security Presidential Directive 54 ("NSPD 54") to EPIC after nearly five years of FOIA litigation. NSPD 54 is the foundational legal document outlining the Comprehensive National Cybersecurity Initiative (CNCI), the federal government’s effort to coordinate cybersecurity policy across federal law enforcement, intelligence and executive agencies, as well as with other law enforcement agencies and the private sector. The previously-classified document reveals the underlying legal authority for sweeping changes to federal cybersecurity that have taken place over the last five years. Additionally, NSPD 54 contains significant differences from the previously-released description of the CNCI. For the first time, the public now has access to the document empowering federal agencies to share cybersecurity information, develop offensive cyber programs and improve automated and predictive cyber technologies. NSPD 54 provides the public with an explanation of the government's legal and policy choices regarding cybersecurity and reveals new information about the government's coordinated cybersecurity efforts.

Presidential Policy Directive 20 (PPD 20)

PPD 20 was implemented by President Obama in October 2012, but was not released to the public. However, on June 7, 2013, PPD 20 was released by The Guardian, which had received the document from NSA leaker Edward Snowden. The directive details government policy regarding offensive cyber action and instructions to compile a list of potential targets for such action. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk ..." According to news reports, the directive gives broader power to the military to block cyberattacks and discusses what constitutes an "offensive" versus a "defensive" action with respect to cyberwar and cyberterrorism. Additionally, the directive discusses the use of cyber-operations--actions taken outside U.S. networks.

EPIC's Efforts

Freedom of Information Request for NSPD 54

EPIC submitted a FOIA request in June 2009 directed at the NSA requesting copies of the directive along with copies of any initiatives or privacy policies associated with the directive. The NSA initially made no substantive determination regarding EPIC's FOIA request. EPIC subsequently filed an administrative appeal and then the NSA released two documents that had previously been made public. Eventually, NSA also identified three relevant documents that it refused to disclose. EPIC appealed the NSA's determination and after receiving no response filed a lawsuit against the NSA.

The NSA eventually released heavily redacted versions of two of the three documents identified by the NSA as responsive to EPIC's request. EPIC appealed this decision in Federal Court, but the District Court ruled that NSPD 54 was not an agency record discoverable under FOIA. However, after EPIC appealed this decision to the D.C. Circuit Court, the NSA released the document to EPIC with minor redactions. EPIC has released NSPD 54, allowing the public to review the government’s foundational cybersecurity policy for the first time.

Freedom of Information Request for PPD 20

Immediately after the news broke that President Obama had signed a new cybersecurity directive, EPIC submitted a FOIA request directed at the NSA requesting the release of the directive. The NSA denied EPIC's request. PPD 20 became public after it was leaked to the Guardian by NSA whistleblower Edward Snowden. The directive orders the creation of potential targets for Offensive Cyber Effects Operations by the National Security Agency. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ."

Resources

EPIC Reports, FOIA and Testimony

Organizations Working on Cybersecurity

Papers and Articles

Cybersecurity Infrastructure Surveillance Laws

Cybersecurity Legislation in the 111th Congress

News Articles
