Presidential Directives and Cybersecurity
Concerning the use of Presidential Directives in Cybersecurity Policy
- EPIC Awarded Nearly $100,000 in Internet Surveillance Case: A federal judge in Washington, DC has issued a final order granting EPIC substantial attorney's fees in a long-running case against the Department of Homeland Security. EPIC sued the DHS in 2012 for information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but an executive order dramatically expanded the program, raising concerns about violations of federal wiretap law. EPIC's lawsuit produced the release of several thousand pages on the program. EPIC sought attorneys fees for the successful litigation, which the DHS opposed. In November, Judge Gladys Kessler ruled that EPIC was entitled to attorney's fees because it "substantially prevailed in [the] litigation" and added "to the fund of information that citizens may use in making vital political choices." On Monday, Judge Kessler confirmed that decision and awarded EPIC nearly $100,000 in fees—the largest such award in EPIC's history. (Jun. 5, 2017)
- Executive Order on Cybersecurity Finally Released: A long delayed Executive Order on cybersecurity was released this week. The Order continues many of the cybersecurity policies of the Obama and Bush administrations. The Executive Order requires agency heads to use the NIST Framework to manage cybersecurity risk, and to provide a risk management report. The Order also requires Cabinet officials to devise a strategy for international cooperation in cybersecurity. However, the Order does not address Russia's cyber interference with the 2016 Presidential Election. EPIC, and a group of forty leading experts in law and technology, had urged the White House to strengthen privacy and data protection, and support strong encryption. The EPIC Cybersecurity and Democracy Project focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 12, 2017)
- On Cyber Policy, EPIC Urges Senate to Protect Consumers, Democratic Institutions: In advance of a hearing on "Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape," EPIC has sent a statement to a Senate Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 8, 2017)
- EPIC To Senate Judiciary - "Public Has Right to Know About Russia Ties": EPIC has sent a statement to the Senate Judiciary Committee for a hearing on "Russian Interference in the 2016 United States Election." EPIC described its Freedom of Information Act cases against the FBI and the ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC is also pursuing the release of any FISA orders for Trump Tower, as well as Donald Trump's tax returns. EPIC wrote the "need to understand Russian efforts to influence democratic elections cannot be overstated.” (May. 5, 2017)
- Intelligence Agency Provides Non-Responsive Response in EPIC Lawsuit for Russia Report: The Director of National Intelligence has failed to provide a sufficient response in EPIC v. ODNI, concerning release of the report on the Russian interference in the 2016 Presidential election. The intelligence agency was required to release all “non-exempt portions" of the report to EPIC on May 3, 2017. However the agency withheld the entire document, refusing to provide even partial information that should have been released to EPIC under the Freedom of Information Act. As EPIC made clear in the complaint, “There is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks on democratic institutions.” EPIC will challenge the agency’s response as the litigation continues in federal district court in Washington, DC. EPIC v. ODNI is a part of the EPIC Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (May. 3, 2017)
- Pew Survey Finds Varying Cybersecurity Knowledge Among the Public: The Pew Research Center has released a report on "What the Public Knows About Cybersecurity." According to the Pew survey, 75% of respondents could identify the strongest password out of four options. About half of the people who took the survey could identify a phishing attack; a similar number knew what ransomware is. Only 16% answered that "a group of computers that is networked together and used by hackers to steal information" is called a "botnet." EPIC maintains an Online Guide to Practical Privacy Tools and resources on Public Opinion and Privacy. (Mar. 22, 2017)
- EPIC Urges House Committee to Protect Consumers, Democratic Institutions with Strong Cyber Security Measures: In advance of a hearing on "Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities," EPIC has sent a letter to the House Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Feb. 28, 2017)
- FBI Responds to EPIC FOIA Suit for Details of Russian Interference with 2016 Election: The FBI has filed an answer to EPIC's Freedom of Information Act lawsuit for records pertaining to the Russian interference with the 2016 Presidential election. In the answer, the FBI acknowledged receipt of EPIC's FOIA request. EPIC filed suit against the FBI in federal district court after the agency failed to make a timely decision concerning EPIC's request for expedited processing of the FOIA request. The parties will next confer to set a schedule for production of documents and briefing, if necessary. EPIC has also filed suit against the ODNI for public release of the Complete ODNI Assessment of the Russian interference in the 2016 election. EPIC recently launched the EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking. (Feb. 23, 2017)
- EPIC Seeks Public Release of Secret Directive on Cybersecurity: EPIC has filed an urgent FOIA request with the DHS, the Department of Justice, and the NSA, seeking the expedited release of NSPD-1. The National Security Presidential Directive sets out procedures for cybersecurity "policy coordination, guidance, dispute resolution, and periodic in-progress review." EPIC has previously litigated, and successfully obtained, NSPD-54, a Presidential Directive concerning the NSA's authority to conduct surveillance within the United States. (Jan. 28, 2017)
- EPIC Sues for Release of Complete Report on Russian Interference with 2016 Election: EPIC has filed a Freedom of Information Act lawsuit against the Office of the Director of National Intelligence in federal district court in Washington, DC. The case is designated EPIC v. ODNI, No. 17-163 (D.D.C. filed Jan. 25, 2017). As EPIC makes clear in the complaint, "there is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks in democratic institutions." More details in the press release. Last week EPIC sued the FBI to uncover details of the Bureau's response to Russian interference. (Jan. 26, 2017)
Cybersecurity encompasses an array of challenges to protect cyberspace. Cyberspace as defined by the Cyberspace Policy Review is the "interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries." The policy review goes on to define Cybersecurity policy to include "strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities." Cyberspace has become a common feature of modern society and touches almost every citizen in a number of different areas including online commerce, healthcare, financial services, and social media.
The ubiquity of cyberspace and its importance in our lives puts cybersecurity front and center as one of the more important policy issues going forward. The public deserves a debate about appropriate cybersecurity measures that includes clear and accessible explanations of the Whitehouse's cybersecurity policy. Too often cybersecurity policy is set by presidential directives that are not available to the public.
Presidential directives are similar to Executive Orders--they have the same substantive legal effect. Just like executive orders, presidential directives do not lose their legal effectiveness upon a change of administration. Presidential directives are used as an instrument of national security to affect policy in this area and generally derive from the policy papers produced by the National Security Council (NSC) that advises the president on national security issues. They are not required to be published in the Federal Register and are often highly classified. This has been the case for presidential directives pertaining to cybersecurity. The secrecy surrounding cybersecurity policy has hindered the ongoing public debate in this area.
National Security Decision Directive 145 (NSDD 145)
NSDD 145 was issued by President Reagan in 1984. The directive gave the NSA control over all government computer systems containing "sensitive but unclassified" information. NSDD 145 was followed by a second directive issued by National Security Advisor John Poindexter that extended NSA authority over non-government computer systems. In response to these directives, Congress passed the Computer Security Act of 1987 (CSA). The Act reaffirmed that the National Institute for Standards and Technology (NIST) was responsible for the security of unclassified, non-military government computer systems. CSA limited the National Security Agency to providing technical assistance in the civilian security realm.National Security Presidential Directive 38 (NSPD 38)
NSPD 38 was issued on July 7, 2004, as the National Strategy to Secure Cyberspace. The contents of this classified directive have never been released, but prior to the issuance of NSPD 38, the Whitehouse released a different document also entitled "National Strategy to Secure Cyberspace" that detailed five priorities to secure cyberspace:
- A National Cyberspace Security Response System.
- A National Cyberspace Security Threat and Vulnerability Reduction Program.
- A National Cyberspace Security Awareness and Training Program.
- Securing Governments' Cyberspace
- National Security and International Cyberspace Security Cooperation
NSPD 54 was implemented by President George W. Bush in January 2008. NSPD 54 was issued concurrently as Homeland Security Presidential Directive 23. The NSPD 54/HSPD 23 authorized the DHS (together with OMB) to set minimum operational standards for Federal Executive Branch civilian networks, and it empowers DHS to lead and coordinate the national cybersecurity effort to protect cyberspace and the computers connected to it. The directive also contains the Comprehensive National Cybersecurity Initiative (CNCI). The broad scheme of CNCI was described in a publicly-released 20009 document which included 12 initiatives:
- Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
- Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
- Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
- Initiative #4. Coordinate and redirect research (R&D) and development efforts.
- Initiative #5. Connect current cyber ops centers to enhance situational awareness.
- Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
- Initiative #7. Increase the security of our classified networks.
- Initiative #8. Expand cyber education.
- Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs.
- Initiative #10. Define and develop enduring deterrence strategies and programs.
- Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
- Initiative #12. Define the Federal role of extending cybersecurity into critical infrastructure domains.
On June 5, 2014, the NSA released National Security Presidential Directive 54 ("NSPD 54") to EPIC after nearly five years of FOIA litigation. NSPD 54 is the foundational legal document outlining the Comprehensive National Cybersecurity Initiative (CNCI), the federal government’s effort to coordinate cybersecurity policy across federal law enforcement, intelligence and executive agencies, as well as with other law enforcement agencies and the private sector. The previously-classified document reveals the underlying legal authority for sweeping changes to federal cybersecurity that have taken place over the last five years. Additionally, NSPD 54 contains significant differences from the previously-released description of the CNCI. For the first time, the public now has access to the document empowering federal agencies to share cybersecurity information, develop offensive cyber programs and improve automated and predictive cyber technologies. NSPD 54 provides the public with an explanation of the government's legal and policy choices regarding cybersecurity and reveals new information about the government's coordinated cybersecurity efforts.Presidential Policy Directive 20 (PPD 20)
PPD 20 was implemented by President Obama in October 2012, but was not released to the public. However, on June 7, 2013, PPD 20 was released by The Guardian, which had received the document from NSA leaker Edward Snowden. The directive details government policy regarding offensive cyber action and instructions to compile a list of potential targets for such action. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk ..." According to news reports, the directive gives broader power to the military to block cyberattacks and discusses what constitutes an "offensive" verses a "defensive" action with respect to cyberwar and cyberterrorism. Additionally, the directive discusses the use of cyber-operations--actions taken outside U.S. networks.
Freedom of Information Request for NSPD 54
EPIC submitted a FOIA request in June 2009 directed at the NSA requesting copies of the directive along with copies of any initiatives or privacy policies associated with the directive. The NSA initially made no substantive determination regarding EPIC's FOIA request. EPIC subsequently filed an administrative appeal and then the NSA released two documents that had previously been made public. Eventually, NSA also identified three relevant documents that it refused to disclose. EPIC appealed the NSA's determination and after receiving no response filed a lawsuit against the NSA.
The NSA eventually released heavily redacted versions of two of the three documents identified by the NSA as responsive to EPIC's request. EPIC appealed this decision in Federal Court, but the District Court ruled that NSPD 54 was not an agency record discoverable under FOIA. However, after EPIC appealed this decision to the D.C. Circuit Court, the NSA released the document to EPIC with minor redactions. EPIC has released NSPD 54, allowing the public to review the government’s foundational cybersecurity policy for the first time.
Freedom of Information Request for PPD 20Immediately after the news broke that President Obama had signed a new cybersecurity directive, EPIC submitted a FOIA request directed at the NSA requesting the release of the directive. The NSA denied EPIC's request. PPD 20 became public after it was leaked to the Guardian by NSA whistleblower Edward Snowden. The directive orders the creation of potential targets for Offensive Cyber Effects Operations by the National Security Agency. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ."
- Coalition Letter Outlining Concerns Regarding Lack of Civil Society Presence in Decision Making
- White House Cybersecurity Memo Title: FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, April 21, 2010
- Advance Senate Armed Services Confirmation Hearing Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command (Hearing Date April 15, 2010
- Remarks on Internet Freedom, Hillary Rodham Clinton, Secretary of State at The Newseum, Washington, DC, January 21, 2010
- Privacy and Technology Experts Reply to Clinton's Remarks by Urging Ratification of the Council of Europe Convention on Privacy, January 28, 2010
- EPIC FOIA for National Security Presidential Directive 54
- Obama Administration: Cyberspace Policy Review
- Critical Infrastructure Protection and the Endangerment of Civil Liberties
- DHS Cybersecurity Documents
- DHS: A Road Map to Cybersecurity
- CRS Analysis of the US PATRIOT Act
- White House Cyberspace Policy Review (May 29, 2009)
- President Obama's Speech on Cyber-security (May 29, 2009)
- EPIC's Testimony to the House Subcommittee on Oversight and Investigations on "Creating the Department of Homeland Security: Consideration of the Administration's Proposal" (July 9, 2002)
- EPIC's Testimony to the Senate Committee on Governmental Affairs on "Securing Our Infrastructure: Private/Public Information Sharing" (May 8, 2002)
- EPIC's Letter to the House Judiciary Committee, Subcommittee on Crime, on H.R. 3482, The Cyber Security Enhancement Act of 2002(February 26, 2002)
- EPIC's Testimony to the House Government Reform Committee on H.R. 4246, The Cyber Security Information Act (June 22, 2000)
- EPIC's Testimony to the Senate Judiciary Committee on "CyberAttack: The National Protection Plan and its Privacy Implications" (PDF, 128K) (February 1, 2000)
- EPIC Press Release on "National Plan for Information Systems Protection" (February 1, 2000)
- Memo from Ronald D. Lee, Associate Deputy Attorney General, Department of Justice to Jeffrey Hunker, Director, Critical Infrastructure Assurance Office regading the National Information Systems Protection Plan, March 8, 1999. Obtained by EPIC under the Freedom of Information Act.
- Memo from Jeffrey Hunker, CIAO to CICG Members regarding "Offsite Materials." Obtained by EPIC under the Freedom of Information Act.
- White House "National Plan for Information Systems Protection" (PDF, 912K) (January 7, 2000)
- Executive Summary of "National Plan for Information Systems Protection" (PDF, 664K) (January 7, 2000)
- White House Press Release on "Cyber-Security" (January 7, 2000)
- Transcript of White House Press Briefing on "Cyber-Security" (January 7, 2000)
- European Parliament: Report ont he existence of a global system for interception of privacy and commercial communications(ECHELON intercept system) (2001/2098(INI))
- EPIC FOIA for disclosure of National Security Presidential Directive 54
- NSA FOIA Request for Classified Supplement from Cyber Command Nominee Alexander
- E-Deceptive Campaign Practices: Internet Technology and Democracy 2.0
- Critical Infrastructure Protection and the Endangerment of Civil Liberties (October 1998)
- Surfer Beware: Notice is Not Enough (1998)
- Surfer Beware I (1997)
- EPIC Privacy Guidelines National Information Infrastructure (1994)
- Federal Bureau of Investigation
- United States Department of Defense
- United States Department of the Treasury
- Department of Commerce
- Department of Homeland Security
- Department of Energy
- Defense Information Systems Agency
- The Defense Intelligence Agency
- National Institute of Standards and Technology
- The National Security Institute
- Terrorism Research Center
- American Bar Association Standing Committee On Law and National Security
- National Telecommunications and Information Administration
- Infrastructure Assurance Center
- Office of the Director of National Intelligence
- Federation of American ScientistsComprehensive Guide to Information Warfare Resources
- The Institute for Advanced Study of Information Warfare
- National Archives and Records Administration
- The Government Printing Office (Research site)
- Institute for Telecommunication Science (ITS is the research and engineering branch of the National Telecommunications and Information Administration, which is part of the U.S. Department of Commerce.)
- White House cyber security plan to cite e-health, Health IT, By Mary Mosquera, Wednesday, May 12, 2010
- A House insider's view of U.S. cybersecurity policy, Federal Computer Week, Ben Bain, May 6, 2010
- Summit in Dallas targets cybercrime, Dallas Morning News, By VICTOR GODINEZ, May 3, 2010
- Whitehouse: Congress needs clarity on who handles cybersecurity, the Hill, By Tony Romm - May 3, 2010
- Cyber-Security Survey Shows Distrust Between Public and Private Sectors, Government Technology, May 3, 2010
- FBI Names Cybersecurity Division Chief, Elizabeth Montalbano, InformationWeek, April 26, 2010
- Meeting of the Minds Over Fed Cybersecurity, Government Info Security
- Politicians jockey for cybersecurity positioning, Federal Computer Week, Ben Bain, April 23, 2010
- FCC launches NOI on voluntary cybersecurity certification program - NOI seeks to implement National Broadband Plan information security recommendation, Association of Corporate Council, April 22, 20101
- DHS Fills 2 Key Cybersecurity Posts, Government Info Security, April 21, 2010
- Cyber Command nominee lays out rules of engagement, Ben Bain, Federal Computer Week, April 16, 2010
- Pick to lead cyber command lays out battle plans, Ben Bain, Federal Computer Week, April 15, 2010
- Computer Security Review Due This Week, Helene Cooper, N.Y. Times, May 26, 2009.
- Cyber Terror Arsenal Grows. Niall McKay, Wired News, October 16, 1998.
- An Electronic Pearl Harbor? Not Likely. George Smith, Issues in Science and Technology, Fall 1998.
- American Military Intervention: A User's Guide. The Heritage Foundation's look at military intervention.
- Protecting America's Critical Infrastructures. Critical Infrastructure Assurance Office factsheet on PDD 63.
- White House Fact Sheet: Protecting America's Critical Infrastructures: PDD 63. May 22, 1998.
- President Clinton's speech on infrastructure protection at the U.S. Naval Academy, May 22, 1998.
- Statement of Dr. Jeffrey A. Hunker (Director, Critical Infrastructure Assurance Office).
- Is Cyberterrorism a Real Threat?. Reuters.
- Reno Unveils Center to Protect Infrastructure. Heather Harreld and Torsten Busse, Federal Computer Week.
- Hearing Before the House Science Subcommittee on H.R. 1903, The Computer Security Enhancement Act of 1997.. Testimony of Willis H. Ware, Chairman, Computer System Security and Privacy Advisory Board, June 19, 1997.
- Report to the President's Commission on Critical Infrastructure Protection. James Ellis, David Fisher, Thomas Longstaff, Linda Pesante, and Richard Pethia, CERT Coordination Center Software Engineering Institute, Carnegie Mellon University, January 1997.
- Reflections on the 1997 Commission on Critical Infrastructure Protection (PCCIP) Report. Clark Staten, The Emergency Responce and Research Institute.
- Report of the Defense Science Board Task Force on Information Warfare. November 1996.
- What is Information Warfare?. Martin C. Libicki, March 1996.
- Papers on Network Centric Warfare.
- EPIC: The Clipper Chip.
- Overview of the Defense Intelligence Agency (DIA).
- List of websites related to the Department of Defense Advanced Research Projects Agency.
Cybersecurity Infrastructure Surveillance Laws
- US PATRIOT ACT
- Foreign Intelligence Surveillance Act
- Electronic Communications Privacy Act
- Federally Funded State Managed Fusion Centers
- Office of National Intelligence Director's Information Sharing Environment
- DHS Einstein Program (I, II, III)
- National Security Presidential Directive 54 (Amended by George Bush)
Cybersecurity Legislation in the 111th Congress
- H.R.2165: Bulk Power System Protection Act of 2009 (Barrow)
- S. 3193: International Cyberspace and Cybersecurity Coordination Act of 2010 (Kerry)
- Cybersecurity Enhancement Act of 2010, (Lipinski)
- S. 773: Cybersecurity Act of 2009 (Rockefeller)
- S. 778: To establish, within the Executive Office of the President, the Office of the National Cybersecurity Advisor (Rockefeller)
- S. 1438: Fostering a Global Response to Cyber Attacks Act (Gillibrand)
- S. 921: U.S. ICE Act of 2009 (Carper)
- H.R. 1319: Informed P2P User Act (Bono Mack)
- Cyberwar Commander Survives Senate Hearing, Wired Magazine, Threat Level Blog, April 15, 2010
- DHS Announces National Cybersecurity Awareness Campaign Challenge Deadline April 30, 2010
- U.S. to Reveal Rules on Internet Security, By JOHN MARKOFF, New York Times, March 1, 2010
- Google Asks Spy Agency for Help With Inquiry Into Cyberattacks, By JOHN MARKOFF, New York Times, February 4, 2010
- Privacy experts see room for improvement from Obama, By Andrew Noyes, CongressDaily, September 9, 2009
- Cybersecurity Plan Doesn't Breach Employee Privacy, Administration Says, By Ellen Nakashima, Washington Post, September 19, 2009
- Obama Set to Create A Cybersecurity Czar With Broad Mandate, Ellen Nakashima, Washington Post, May 26, 2009
- National Cyber Security Czar Steps Down, March 9, 2009
- Cybersecurity Plan to Involve NSA, Telecoms DHS Officials Debating The Privacy Implications, By Ellen Nakashima, Washington Post Staff Writer, July 3, 2009
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,