Presidential Directives and Cybersecurity

Concerning the use of Presidential Directives in Cybersecurity Policy

Latest News

  • EPIC Presses House Leaders on "Data Protection": At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communication Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016. (Jun. 10, 2016)
  • New Congressional Report Explores Legal Issues Regarding Compelled Decryption: "Encryption: Selected Legal Issues," a new report from the Congressional Research Service, explores two important legal questions that arise from government requests for compelled decryption: the Fifth Amendment right agains self-incrimination and the scope of the All Writs Act, the federal statute at issue in Apple v. FBI. EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case, pointing to the increased risk of cell phone theft and financial fraud that would result from compelled encryption. (Mar. 8, 2016)
  • EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case: Today EPIC filed a "friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case. In Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning consumer privacy and also the Fourth Amendment. (Mar. 3, 2016)
  • Bill to Establish Digital Security Commission Introduced in House: Rep. Lieu (D-CA) has cosponsored bipartisan legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple opposes a court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Mar. 2, 2016)
  • Apple Opposes FBI Decryption Order: Today Apple filed a "motion to vacate" a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. In its brief, Apple asserts that this case is about "the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe." Apple argued that the FBI's requested court order violates the First and Fifth Amendments. Consumer Reports found that more than 3.1 million cellphones were stolen in 2013, and noted that "efforts by the telecom industry to reduce thefts don't seem to be helping matters." In 2015, EPIC gave the Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption. (Feb. 25, 2016)
  • President Announces $19 billion Cybersecurity Plan: President Obama has proposed a $19 billion Cybersecurity National Action Plan that aims to modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has repeatedly urged federal agencies to uphold Privacy Act protections. (Feb. 23, 2016)
  • Apple Opposes FBI Decryption Order: Apple has opposed a court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. The order followed an FBI application under the All Writs Act, a law from 1789. Apple CEO Tim Cook wrote in response that the government's action "would undermine the very freedoms and liberty our government is meant to protect." In 2015, EPIC gave the Champion of Freedom Award to Mr. Cook for his work protecting privacy and promoting encryption. The EPIC 2016 Awards dinner will be held June 6 in Washington, DC. (Feb. 17, 2016)
  • House Adds Cyber Surveillance to Budget Bill: Today, the House added the Cybersecurity Act of 2015 to an expansive appropriations bill. The Cybersecurity Act was negotiated behind closed doors and represents a new version of the Cybersecurity Information Sharing Act (CISA). Previous versions of CISA have been opposed by a broad coalition of organizations. The current bill, like previous ones, would allow the government to obtain personal information from private companies without judicial oversight. The Act would also expand government secrecy. EPIC previously won a five-year court battle to obtain NSPD 54, a foundational legal document for U.S. cybersecurity policies that revealed the government's interest in enlisting the private sector to monitor user activity. (Dec. 16, 2015)
  • Senator Leahy Opposes FOIA Exemptions in Cyber Security Bill: Senator Patrick Leahy (D-VT) urged fellow Senators to remove a proposed open government exemption in a pending cybersecurity bill. The Cybersecurity Information Sharing Act (CISA), said Sen. Leahy, "contains an overly broad new FOIA exemption that is both unnecessary and harmful." Sen. Leahy called the FOIA "our nation's premier transparency law," and said that any modifications must go through the Senate Judiciary Committee. "The Senate must have an open and honest debate about the Senate Intelligence Committee's bill and its implications for Americans' privacy and government transparency," remarked the Senator. Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. EPIC has also set out recommendations for FOIA reform. (Oct. 27, 2015)

Introduction

Cybersecurity encompasses an array of challenges to protect cyberspace. Cyberspace as defined by the Cyberspace Policy Review is the "interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries." The policy review goes on to define Cybersecurity policy to include "strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities." Cyberspace has become a common feature of modern society and touches almost every citizen in a number of different areas including online commerce, healthcare, financial services, and social media.

The ubiquity of cyberspace and its importance in our lives puts cybersecurity front and center as one of the more important policy issues going forward. The public deserves a debate about appropriate cybersecurity measures that includes clear and accessible explanations of the Whitehouse's cybersecurity policy. Too often cybersecurity policy is set by presidential directives that are not available to the public.

Presidential directives are similar to Executive Orders--they have the same substantive legal effect. Just like executive orders, presidential directives do not lose their legal effectiveness upon a change of administration. Presidential directives are used as an instrument of national security to affect policy in this area and generally derive from the policy papers produced by the National Security Council (NSC) that advises the president on national security issues. They are not required to be published in the Federal Register and are often highly classified. This has been the case for presidential directives pertaining to cybersecurity. The secrecy surrounding cybersecurity policy has hindered the ongoing public debate in this area.

Presidential Directives

National Security Decision Directive 145 (NSDD 145)

NSDD 145 was issued by President Reagan in 1984. The directive gave the NSA control over all government computer systems containing "sensitive but unclassified" information. NSDD 145 was followed by a second directive issued by National Security Advisor John Poindexter that extended NSA authority over non-government computer systems. In response to these directives, Congress passed the Computer Security Act of 1987 (CSA). The Act reaffirmed that the National Institute for Standards and Technology (NIST) was responsible for the security of unclassified, non-military government computer systems. CSA limited the National Security Agency to providing technical assistance in the civilian security realm.

National Security Presidential Directive 38 (NSPD 38)

NSPD 38 was issued on July 7, 2004, as the National Strategy to Secure Cyberspace. The contents of this classified directive have never been released, but prior to the issuance of NSPD 38, the Whitehouse released a different document also entitled "National Strategy to Secure Cyberspace" that detailed five priorities to secure cyberspace:

  1. A National Cyberspace Security Response System.
  2. A National Cyberspace Security Threat and Vulnerability Reduction Program.
  3. A National Cyberspace Security Awareness and Training Program.
  4. Securing Governments' Cyberspace
  5. National Security and International Cyberspace Security Cooperation
National Security Presidential Directive 54 (NSPD 54)

NSPD 54 was implemented by President George W. Bush in January 2008. NSPD 54 was issued concurrently as Homeland Security Presidential Directive 23. The NSPD 54/HSPD 23 authorized the DHS (together with OMB) to set minimum operational standards for Federal Executive Branch civilian networks, and it empowers DHS to lead and coordinate the national cybersecurity effort to protect cyberspace and the computers connected to it. The directive also contains the Comprehensive National Cybersecurity Initiative (CNCI). The broad scheme of CNCI was described in a publicly-released 20009 document which included 12 initiatives:

  • Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
  • Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
  • Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
  • Initiative #4. Coordinate and redirect research (R&D) and development efforts.
  • Initiative #5. Connect current cyber ops centers to enhance situational awareness.
  • Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
  • Initiative #7. Increase the security of our classified networks.
  • Initiative #8. Expand cyber education.
  • Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs.
  • Initiative #10. Define and develop enduring deterrence strategies and programs.
  • Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
  • Initiative #12. Define the Federal role of extending cybersecurity into critical infrastructure domains.

On June 5, 2014, the NSA released National Security Presidential Directive 54 ("NSPD 54") to EPIC after nearly five years of FOIA litigation. NSPD 54 is the foundational legal document outlining the Comprehensive National Cybersecurity Initiative (CNCI), the federal government’s effort to coordinate cybersecurity policy across federal law enforcement, intelligence and executive agencies, as well as with other law enforcement agencies and the private sector. The previously-classified document reveals the underlying legal authority for sweeping changes to federal cybersecurity that have taken place over the last five years. Additionally, NSPD 54 contains significant differences from the previously-released description of the CNCI. For the first time, the public now has access to the document empowering federal agencies to share cybersecurity information, develop offensive cyber programs and improve automated and predictive cyber technologies. NSPD 54 provides the public with an explanation of the government's legal and policy choices regarding cybersecurity and reveals new information about the government's coordinated cybersecurity efforts.

Presidential Policy Directive 20 (PPD 20)

PPD 20 was implemented by President Obama in October 2012, but was not released to the public. However, on June 7, 2013, PPD 20 was released by The Guardian, which had received the document from NSA leaker Edward Snowden. The directive details government policy regarding offensive cyber action and instructions to compile a list of potential targets for such action. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk ..." According to news reports, the directive gives broader power to the military to block cyberattacks and discusses what constitutes an "offensive" verses a "defensive" action with respect to cyberwar and cyberterrorism. Additionally, the directive discusses the use of cyber-operations--actions taken outside U.S. networks.

EPIC's Efforts

Freedom of Information Request for NSPD 54

EPIC submitted a FOIA request in June 2009 directed at the NSA requesting copies of the directive along with copies of any initiatives or privacy policies associated with the directive. The NSA initially made no substantive determination regarding EPIC's FOIA request. EPIC subsequently filed an administrative appeal and then the NSA released two documents that had previously been made public. Eventually, NSA also identified three relevant documents that it refused to disclose. EPIC appealed the NSA's determination and after receiving no response filed a lawsuit against the NSA.

The NSA eventually released heavily redacted versions of two of the three documents identified by the NSA as responsive to EPIC's request. EPIC appealed this decision in Federal Court, but the District Court ruled that NSPD 54 was not an agency record discoverable under FOIA. However, after EPIC appealed this decision to the D.C. Circuit Court, the NSA released the document to EPIC with minor redactions. EPIC has released NSPD 54, allowing the public to review the government’s foundational cybersecurity policy for the first time.

Freedom of Information Request for PPD 20

Immediately after the news broke that President Obama had signed a new cybersecurity directive, EPIC submitted a FOIA request directed at the NSA requesting the release of the directive. The NSA denied EPIC's request. PPD 20 became public after it was leaked to the Guardian by NSA whistleblower Edward Snowden. The directive orders the creation of potential targets for Offensive Cyber Effects Operations by the National Security Agency. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ."

Resources

EPIC Reports, FOIA and Testimony

Organizations Working on Cybesecurity

Papers and Articles

Cybersecurity Infrastructure Surveillance Laws

Cybersecurity Legislation in the 111th Congress

News Articles

 

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

#Privacy