Cybersecurity Privacy Practical Implications
Concerning Privacy and Cybersecurity Policy
Introduction
Cybersecurity encompasses an array of challenges to protect digital information and the systems they depend upon to affect communication. The interconnected world of computers forms the Internet, which offers new challenges for nations because regional or national borders do not control the flow of information as it is currently managed. The Internet, in the most basic sense, works like any other remote addressing system, for example, a telephone number corresponds to a particular device, a home or building address corresponds to a particular geographic location. The Internet's addressing system is called the Internet Protocol (IP).
Each computer network and computing device designed to communicate over the Internet must have a unique address to send or receive messages. The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for the task of managing these addresses so that each unique Internet device (computer, cell phone, personal digital device) has a unique IP number designation. This Internet addressing system translates these numbers into World Wide Web addresses best known by the extensions .com, .edu, .net, and .org. This addressing system makes it very easy for people to find the people and Web addresses they are seeking. IP registration information or WHOIS data on Internet address holders is a source of contention between privacy/free speech/human rights advocates and law enforcement and commercial and government interests.
Latest News
- EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public: EPIC has filed an amicus brief in a case concerning the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury.” EPIC said a lower court was wrong to dismiss the case. EPIC urged a federal appeals court to allow consumers to "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey urged the FCC to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed several amicus briefs defending consumers' rights to enforce their privacy rights. (Aug. 5, 2016)
- EPIC Presses House Leaders on "Data Protection": At a symposium organized by the Council on Foreign Relations, EPIC President Marc Rotenberg asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016. Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the Electronic Communication Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect." Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make Data Protection a campaign issue in 2016. (Jun. 10, 2016)
More top news »
- New Congressional Report Explores Legal Issues Regarding Compelled Decryption » (Mar. 8, 2016)
"Encryption: Selected Legal Issues," a new
report from the Congressional Research Service, explores two important legal questions that arise from government requests for compelled decryption: the Fifth Amendment right agains self-incrimination and the scope of the All Writs Act, the federal statute at issue in
Apple v. FBI. EPIC filed a
"friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case, pointing to the increased risk of cell phone theft and financial fraud that would result from compelled encryption.
- EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case » (Mar. 3, 2016)
Today EPIC filed a
"friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's
challenge in the FBI iPhone case. In
Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files
amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning
consumer privacy and also
the Fourth Amendment.
- Bill to Establish Digital Security Commission Introduced in House » (Mar. 2, 2016)
Rep. Lieu (D-CA) has cosponsored bipartisan
legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple
opposes a
court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ
to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the
Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- Apple Opposes FBI Decryption Order » (Feb. 25, 2016)
Today Apple filed a
"motion to vacate" a
court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. In its brief, Apple asserts that
this case is about "the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe." Apple argued that the FBI's requested court order violates the First and Fifth Amendments. Consumer Reports
found that more than 3.1 million cellphones were stolen in 2013, and noted that "efforts by the telecom industry to reduce thefts don't seem to be helping matters." In 2015, EPIC gave the
Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- Writers Side with Apple in Encryption Fight with FBI » (Feb. 24, 2016)
In a
letter to the Attorney General, leading writers and artists protested the FBI's
"efforts to force Apple to create software that could effectively enable the U.S. government to unlock any iPhone." The letter from the
PEN America Center highlights how "intrusions on privacy damage creative expression and free speech." EPIC has long supported
strong encryption as key to the future of privacy and security. EPIC recently gave the
2015 Champion of Freedom Award to Apple CEO Tim Cook for his work in promoting encryption and protecting privacy and security. The
2016 EPIC Awards dinner will be held on June 6th in Washington, DC.
- President Announces $19 billion Cybersecurity Plan » (Feb. 23, 2016)
President Obama has proposed a $19 billion
Cybersecurity National Action Plan that aims to
modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A
Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has
repeatedly urged federal agencies to uphold
Privacy Act protections.
- Apple Opposes FBI Decryption Order » (Feb. 17, 2016)
Apple has opposed a
court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. The order followed an FBI
application under the All Writs Act, a law from 1789. Apple CEO Tim Cook
wrote in response that the government's action "would undermine the very freedoms and liberty our government is meant to protect." In 2015, EPIC gave the
Champion of Freedom Award to Mr. Cook for his work protecting privacy and promoting encryption. The
EPIC 2016 Awards dinner will be held June 6 in Washington, DC.
- House Adds Cyber Surveillance to Budget Bill » (Dec. 16, 2015)
Today, the House added the
Cybersecurity Act of 2015 to an expansive
appropriations bill. The Cybersecurity Act was negotiated behind closed doors and represents a new version of the
Cybersecurity Information Sharing Act (CISA). Previous versions of CISA have been
opposed by a broad coalition of organizations. The current bill, like
previous ones, would allow the government to obtain personal information from private companies without judicial oversight. The Act would also
expand government secrecy. EPIC previously won a five-year court battle to obtain
NSPD 54, a foundational legal document for U.S. cybersecurity policies that revealed the government's interest in enlisting the private sector to monitor user activity.
- Senator Leahy Opposes FOIA Exemptions in Cyber Security Bill » (Oct. 27, 2015)
Senator Patrick Leahy (D-VT)
urged fellow Senators to remove a proposed open government exemption in a pending
cybersecurity bill. The Cybersecurity Information Sharing Act (CISA), said Sen. Leahy, "contains an overly broad new FOIA exemption that is both unnecessary and harmful." Sen. Leahy called the FOIA "our nation's premier transparency law," and said that any modifications must go through the Senate Judiciary Committee. "The Senate must have an open and honest debate about the Senate Intelligence Committee's bill and its implications for Americans' privacy and government transparency," remarked the Senator. Last year, EPIC won a five-year court battle against the NSA for
NSPD 54, the foundational legal document for U.S.
cybersecurity policies. EPIC has also set out
recommendations for
FOIA reform.
- Obama Drops Plan to Regulate Crypto » (Oct. 11, 2015)
According to the New York Times, President Obama has concluded that "it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit." Earlier this year Apple CEO Tim Cook said at the
EPIC Champions of Freedom dinner, "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it." EPIC
launched the public campaign for the freedom to use encryption in 1994 and several of the world's leading cryptographers are members of the
EPIC Advisory Board. Tim Cook received the 2015 EPIC Champion of Freedom Award. Past recipients include Max Schrems and Edward Snowden.
- California Rejects Warrantless Surveillance, Enacts "CalECPA" » (Oct. 9, 2015)
California Governor Jerry Brown has signed the
California Electronic Communications Privacy Act (CalECPA). CalECPA requires law enforcement to obtain a warrant before accessing digital data including metadata, location data, emails, and text messages. The warrant requirement applies to searches of electronic devices themselves and to content stored by an online service provider. In response to requests from the US Congress, EPIC has made
several recommendations regarding updates to the
federal ECPA. EPIC has also
obtained documents from the FBI concerning Stingray surveillance technology, which is now prohibited under the California bill.
- OECD Finalizes Risk Management Guidelines » (Oct. 9, 2015)
The OECD has published the new
Recommendation on Digital Security Risk Management a revision of the
2002 OECD Security Guidelines.
Science, Technology and Innovation Director Andrew Wyckoff said that
"a totally secure digital environment is impossible". EPIC supports the Recommendations which emphasize digital security risk management "in a transparent manner and consistently with human rights and fundamental values." EPIC has long been
engaged with the work of OECD and supports
civil society participation at the
2016 OECD Ministerial Meeting on the Digital Economy.
- Federal Appeals Court Recognizes "Substantial Risk of Future Harm" » (Jul. 29, 2015)
In a landmark opinion, the Seventh Circuit Court of Appeals has
ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a
breach of the Neiman Marcus customer database that led to the release of 350,000 credit cards and exposed more than 9,200 customers to fraud. A
lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that risk was enough to allow the class action to continue. According to the Federal Trade Commission,
identity theft remains the top concern of American consumers.
- Congress to Hold Hearing on Encryption and Privacy » (Jul. 8, 2015)
Today the Senate is holding a hearing on
"Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy." FBI Director Comey, testifying today, has
advocated for broken encryption to enable law enforcement access to private communications. Despite
claims of "going dark" because of new encryption technologies, law enforcement encountered encryption in only 25
wiretap cases in 2014. Of those cases, non-encrypted text was obtained in all but four cases. EPIC has
advocated for strong encryption and
urged President Obama to reject proposals to weaken encryption. EPIC published the first
comprehensive survey of encryption use around the world. And earlier this year, EPIC gave a
Champion of Freedom Award to Apple CEO Tim Cook, who warned that "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it."
- Leading Security Experts Oppose Government Encryption Plan » (Jul. 7, 2015)
Several members of the EPIC Advisory Board, leading experts in security technology, have
warned that a
government plan to weaken encryption threatens the nation's critical infrastructure and puts at risk confidential personal information. Recalling a
similar report from 1997, the researchers concluded that "the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. Recent reports from the US courts,
available from EPIC, show that encryption has not been an obstacle to law enforcement investigations. A
1994 Internet petition led to the
demise of "Clipper," the original government plan for escrowed encryption.
- Massive Government Data Breach Even Worse than Reported » (Jun. 25, 2015)
A Congressional
hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially
reported that the personal information of 4 million government employees was obtained, but
news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has
urged the White House and
Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in
Congress and the
Senate in support of stronger security measures to protect personal data.
- Senate Rejects User Surveillance Proposal » (Jun. 17, 2015)
The Senate has
rejected an
amendment to the
National Defense Authorization Act for 2016 that would transfer user data from private companies to government agencies without judicial oversight. Senator Patrick Leahy (D-Vt)
urged Senators to oppose the amendment, stating "we need a cyber-security bill, not a cyber-surveillance bill." Last year, EPIC won a five-year court battle against the NSA for
NSPD 54-the foundational legal document for U.S.
cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States.
- Massive Breach Impacts Millions of Government Employees » (Jun. 10, 2015)
The Office of Personnel Management
has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although
432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has
urged the White House and
Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information.
- EPIC, Coalition to President: No Encryption Backdoors » (May. 20, 2015)
EPIC and a coalition of civil society organizations and security experts
urged President Obama to reject proposal to weaken encryption used in U.S. products. Administration officials, including FBI Director Comey, have
advocated for broken encryption to enable law enforcement access to private communications. The letter details how weakened encryption undermines cybersecurity and economic security. EPIC previously led the effort to oppose the "
Clipper Chip," the NSA's proposal for key escrow encryption that would have severely crippled the privacy and security of online communication. EPIC also recently expressed support for encryption and anonymity in a
letter to a UN Rapporteur.
- Senate Committee Approves Cyber Surveillance Bill » (Mar. 14, 2015)
In a closed-door meeting, the Senate Select Committee on Intelligence approved the
"Cyber Information Sharing Act of 2015". The bill would allow the government to obtain user information from private companies without judicial oversight. Companies would receive immunity for their disregard of existing privacy law. Senator Wyden, who opposed the measure,
stated, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name." Last year, EPIC won a five-year court battle against the NSA for
NSPD 54—the foundational legal document for U.S.
cybersecurity policies. The Directive reveals the government's long-standing interest in enlisting private sector companies to monitor user activity.
- Executive Order Calls for More Cybersecurity Info "Sharing" » (Feb. 13, 2015)
President Obama announced today an
Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages the companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several
cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained
National Security Presidential Directive 54 which revealed the NSA's role in domestic cyber security.
- President Obama Announces New Cybersecurity Initiatives » (Jan. 13, 2015)
Today the President
announced several
cybersecurity initiatives, including a proposal to facilitate private sector threat information disclosures. The White House proposal requires the removal of personal information prior to data transfers but privacy concerns remain. The President
threatened to veto a previous
bill that lacked privacy and civil liberties safeguards. A
2013 expert report set out 46 proposals for strengthening cyber security that the White House said it would adopt. EPIC supported these recommendations and has also
recommended civilian leadership on cybersecurity.
- Senate Cybersecurity Information Sharing Bill Proposed » (Jun. 20, 2014)
Senators Dianne Feinstein and Saxby Chambliss have proposed the
Cybersecurity Information Sharing Act of 2014. The Senate bill is similar to the House
Cyber Intelligence Sharing and Protection Act (CISPA), which was opposed by civil liberties organizations and would have been
vetoed by the White House if enacted. Like CISPA, the Senate bill allows companies to monitor private communications on their networks and to disclose user activity to the government. The bill would also exempt companies from liability for monitoring communications or disclosing user information. However, the Senate bill makes some attempt to limit the collection of personally identifiable information. EPIC recently won a five-year court battle with the NSA and obtained
National Security Presidential Directive 54. The directive was issued by President Bush in 2008 and is the foundational legal document for U.S. cybersecurity policies. The Presidential Directive reveals the government’s long-standing interest in enlisting private sector companies to monitor user activity. For more information, see
EPIC: Cybersecurity.
- EPIC v. NSA: EPIC Obtains Presidential Directive for Cybersecurity » (Jun. 6, 2014)
After almost five years, EPIC has obtained
National Security Presidential Directive 54. The previously classified Presidential Directive contains the full text of the Comprehensive National Cybersecurity Initiative and "establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace." This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability. EPIC first sought public release of NSPD-54 with
a Freedom of Information Act request, submitted to NSA in June 2009. After the agency failed to disclose the document, EPIC filed suit. When a federal district court ruled in 2013 that the Presidential Directive was not subject to the Freedom of Information Act, EPIC then filed an appeal with the DC Circuit Court of Appeals. The document has now been disclosed to EPIC. The case is
EPIC v. NSA, a Freedom of Information Act lawsuit in D.C. Circuit Court. EPIC has several related FOIA cases with the NSA pending in federal court. For more information see
EPIC - EPIC v. NSA (Cybersecurity Authority).
- New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air » (May. 12, 2014)
New
e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on
sharing "cyber threat information with the private sector." EPIC previously
sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA
refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously
urged Google to routinely encrypt cloud-based services. PBS Frontline begins a
two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see
EPIC v. NSA: Google/NSA Relationship and
EPIC: Cybersecurity.
- DHS Releases Cybersecurity Report, NSA Role Remains Murky » (Apr. 25, 2014)
The Department of Homeland Security had published the first
Privacy and Civil Liberties Assessment Report. The report examined several federal agencies, including the Department of Defense and the Office of the Director of National Intelligence, regarding cybersecurity activities.
Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," requires the reports as well as the creation of a cybersecurity framework. Last year, EPIC
recommended civilian control of domestic Cybersecurity and clarification of the NSA's involvement. The Privacy and Civil Liberties Assessment Report and the cybersecurity framework both fail to clarify the NSA's role in cybersecurity. For more information, see
EPIC: Cybersecurity Privacy Practical Implications.
- EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive » (Apr. 1, 2014)
EPIC has filed its
opening brief in
EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a
Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document but a court
ruled sue sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see
EPIC: Presidential Directives and Cybersecurity and
EPIC v. NSA: NSPD-54 Appeal.
- EPIC Accepts NSA's Settlement Offer, Receives Attorneys Fees » (Feb. 11, 2014)
EPIC has accepted the NSA's
offer to settle a Freedom of Information Act case
EPIC v. NSA. EPIC sought both National Security Presidential Directive 54, a
Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States, as well as documents related to NSPD 54. EPIC received some of the
documents as a result of the lawsuit, "substantially prevailing" under the FOIA, and prompting the NSA to make a settlement offer to EPIC. As a consequence, EPIC will receive attorneys fees from the NSA. EPIC is simultaneously appealing the
lower court's determination that NSPD-54 is not an "agency record" subject to the FOIA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. For the appeal, EPIC has already filed a
Statement of the Issue, and the parties are waiting for the D.C. Circuit Court of Appeals to set a briefing schedule. For more information, see
EPIC v. NSA - Cybersecurity Authority.
- EPIC Files Appeal, Challenging Secrecy of Presidential Directives » (Jan. 22, 2014)
EPIC has filed
a Statement of the Issue Presented with the D.C. Circuit Court of Appeals. EPIC is appealing
a lower court decision that NSPD 54 -- a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States -- is not subject to disclosure under the Freedom of Information Act. EPIC sought the Presidential Directive, signed by President Bush in January 2008, from the National Security Agency after the White House
disclosed the existence of the Directive but not the substance. After the agency failed to respond to
EPIC's FOIA request, EPIC filed an administrative appeal, and then a lawsuit. The lower court ruled in
EPIC v. NSA that the Presidential Directive is not subject to the FOIA because it was not under "the control" of the NSA. It was the first time a federal court has ruled that an Presidential Directive is not subject to the Freedom of Information Act. EPIC is now
asking the Court of Appeals to determine, "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA." For more information, see
EPIC v. NSA: Cybersecurity Authority.
- Federal Appeals Court Rules that Legal Policy Memos Can Be Withheld From the Public » (Jan. 3, 2014)
The Court of Appeals for the D.C. Circuit has
ruled that the FBI may withhold a memo prepared by the Office of Legal Counsel concerning the law governing "exigent letter" requests to telephone companies for call records. The decision affirmed an earlier
opinion that the memo was privileged advice, and exempt from disclosure under the Freedom information Act. The Electronic Frontier Foundation argued that the memo was "working law" and not simply advice from government lawyers. However, the Court of Appeals found that the FBI had not itself adopted the advice of government lawyers. In a different case where the Department of State followed the guidance of Justice Department lawyers, EPIC filed a
"friend" of the court brief in support of the New York Times and the ACLU and argued for the release of opinions of the Office of Legal Counsel. For more information, see
EPIC v. NSA: Cybersecurity Authority and
EPIC: New York Times v. DOJ.
- EPIC Appeals Secrecy of Presidential Cybersecurity Directive » (Dec. 17, 2013)
EPIC has filed a
notice of appeal with the D.C. Circuit Court of Appeals in EPIC v. NSA. In that case,
EPIC sought NSPD 54, a presidential policy directive outlining the scope of the NSA's authority over computer networks in the United States. A federal district court
ruled that the directive is not subject to the Freedom of Information Act because it was not under "the control" of the federal agencies and officials who received it. It is the only time a federal court has ruled that presidential directives in the possession of federal agencies are not subject to the FOIA. EPIC is appealing the decision. For more information, see
EPIC v. NSA: Cybersecurity Authority
- EPIC Urges Clarification of NSA's Role in Cybersecurity » (Dec. 13, 2013)
EPIC has submitted
comments on the National Institute of Standards and Technology's
cybersecurity policy proposal. Pursuant to an
Executive Order, the federal agency is charged with defining a "cybersecurity framework" for the federal government. EPIC reiterated
previous comments that emphasized civilian control, adherence to the Fair Information Practices, and compliance with the Privacy Act and Freedom of Information Act. In light of
revelations that the National Security Agency's has weakened key security standards, EPIC urged NIST to clarify the NSA's involvement in the development of the federal policy. For more information, see
EPIC: Cybersecurity Practical Implications and
EPIC: EPIC v. NSA (Cybersecurity Authority).
- NIST Releases Cybersecurity Framework, Silent on NSA's Role » (Nov. 1, 2013)
The
National Institute for Standards and Technologies has
released the
Preliminary Cybersecurity Framework. Earlier this year, President Obama directed NIST to develop a Framework for Cybersecurity. In
Executive Order 13636, the President said the NIST Framework should protect individual privacy and civil liberties. EPIC submitted
comments to the NIST supporting the protections for civil liberties, recommending separate treatment for computer crimes and "cyberterrorism" and official acknowledgement of the
1992 OECD Security Guidelines. In September 2013, the
Guardian, the
New York Times, and
ProPublica reported that the National Security Agency directed NIST to reduce a key security standard. NIST has not commented on any involvement that NSA had in the development of the Framework. For more information see
EPIC: Cybersecurity Privacy Practical Implications.
- Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority » (Jun. 8, 2013)
Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information
request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a
summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a
post to the Guardian by Glenn Greenwald. For more information, see
EPIC: Presidential Directives and Cybersecurity,
EPIC: EPIC v. NSA - Cybersecurity Authority and
EPIC: Cybersecurity Privacy Practical Implications.
- DHS Releases Revises Privacy Impact Assessment on Internet Monitoring Program » (Apr. 24, 2013)
The Department of Homeland Security has released a
Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is
National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see
EPIC v. NSA - Cybersecurity Authority.
- EPIC FOIA Request Reveals Details About Government Cybersecurity Program » (Apr. 24, 2013)
New documents obtained by EPIC in a
Freedom of Information Act lawsuit reveal that the Department of Defense
advised private industry on how to best circumvent federal wiretap law. The
documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an
Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also
cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is
pursuing in separate FOIA litigation. For more information, see
EPIC: EPIC v. DHS (Defense Contractor Monitoring), and
EPIC: EPIC v. NSA - Cybersecurity Authority.
- White House Releases Unclassified Summary of Presidential Cybersecurity Directive » (Apr. 19, 2013)
The White House has released an
unclassified summary of Presidential Policy Directive 20. The Policy Directive sets out the cybersecurity authority of the National Security Agency in the United States and has raised concerns about government surveillance of the Internet. The existence of the Directive was detailed in a story in the
Washington Post in 2012, and EPIC immediately
pursued the public release of the document. According to the White House, PPD-20 "established principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools." EPIC is still
pursuing the release of the full document. For more information see
EPIC: Cybersecurity Privacy Practical Implications and
EPIC: EPIC v. NSA (NSPD 54).
- White House Threatens to Veto CISPA Unless Privacy Protections Improved » (Apr. 16, 2013)
In a
Statement of Administration Policy, the White House threaten to veto the controversial
Cyber Intelligence Sharing and Protection Act (CISPA) unless more robust privacy and civil liberties protections are added and newly authorized information sharing goes through a civilian agency. EPIC joined a
letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process for CISPA. The markup for CISPA remained closed, and currently as drafted, CISPA would allow companies to disclose vast amounts of customer and client information to other companies and the government, including the National Security Agency, for "cybersecurity purposes." EPIC favors government transparency and is currently pursuing a
lawsuit against the NSA stemming from a
FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see
EPIC: EPIC v. NSA - Cybersecurity Authority.
- EPIC Comments on Federal Cybersecurity Framework » (Apr. 12, 2013)
In response to a
request for comments, EPIC submitted
comments on the National Institute of Standards and Technology’s review to develop a cybersecurity framework. Pursuant to
Executive Order 13636, the agency is charged with defining a cybersecurity framework for the federal government. EPIC supports civilian control of cybersecurity and privacy protections based on the Fair Information Practices. In the comments to NIST, EPIC emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act. For more information, see
EPIC: Cybersecurity Practical Implications and
EPIC: EPIC v. NSA (Cybersecurity Authority).
- EPIC Supports Public Mark Up for Controversial Cyber Security Bill » (Apr. 4, 2013)
EPIC joined a
letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the
Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing
a lawsuit against the NSA stemming from a
FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see
EPIC: EPIC v. NSA - Cybersecurity Authority.
- White House Issues New Executive Order, Presidential Directive on Cybersecurity » (Feb. 13, 2013)
In conjunction with the 2013 State of the Union, President Obama has signed a public
Executive Order on cybersecurity and "critical infrastructure." The Order grants new powers to federal agencies to share cybersecurity information with private companies. Affected federal agencies will "conduct regular assessments of privacy and civil liberties impacts." The President also issued
Presidential Policy Directive 21, which directs the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a
Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a secret directive that grants cybersecurity authority to the National Security Agency. For more information, see
EPIC: Cybersecurity Privacy Practical Implications and
EPIC: EPIC v. NSA (Cybersecurity Authority).
- Obama Talks Cybersecurity at 2013 State of the Union » (Feb. 13, 2013)
At the
2013 State of the Union, President Obama announced an
Executive Order that grants new authority to federal agencies to share information with private companies. President Obama further urged Congress to act to "pass legislation to give our government a greater capacity to secure our networks and deter attacks." A new
Presidential Directive was also published today, directing the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a
Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a prior directive that grants additional, secret cybersecurity authority to the National Security Agency. For more information, see
EPIC: Cybersecurity Privacy Practical Implications and
EPIC: EPIC v. NSA (Cybersecurity Authority).
- EPIC Comments on Federal Cybersecurity Plan » (Dec. 20, 2012)
In response to a
request for comments, EPIC submitted
comments on the
Federal Cybersecurity Research and Development Strategic Plan. The cybersecurity strategic plan calls for a coordinated research strategy across federal agencies including the Department of Homeland Security and the National Security Agency. EPIC supported the call for privacy safeguards and anonymous web access, and recommended the further integration of genuine privacy-enhancing techniques. EPIC also emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act as the plan progresses. EPIC previously submitted
comments to the Department of Defense regarding Cyber Security and Information Assurance Activities. For more information, see
EPIC: Cybersecurity Privacy Practical Implications and
EPIC: EPIC v. NSA - Cybersecurity Authority.
- UPDATED: EPIC Appeals NSA's Withholding of Cybersecurity Directive » (Nov. 27, 2012)
EPIC has
appealed a
decision by the National Security Agency to deny EPIC's
Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cyber security authority. The NSA has ten days to respond to EPIC's appeal. For more information, see
EPIC: Cybersecurity Privacy Practical Implications,
EPIC: EPIC v. NSA - Cybersecurity Authority.
- NSA Withholds Cybersecurity Directive, EPIC to Appeal » (Nov. 20, 2012)
The National Security Agency has
responded to a
Freedom of Information Act Request from EPIC, seeking the public release of Presidential Policy Directive 20. The Directive, first reported by the
Washington Post, is believed to expand the NSA's cybersecurity authority. In response to EPIC, the NSA argued that the Agency does not have to release the document because it is a confidential presidential communication and it is classified by the NSA. EPIC is
litigating similar claims against the NSA, including the release of NSPD 54, a 2008 presidential directive setting out the NSA’s cybersecurity authority. In an official
statement to Congress earlier this year, EPIC explained that the NSA was a “black hole for public information about cybersecurity.” EPIC plans to appeal the NSA's determination. For more information, see
EPIC: Cybersecurity Privacy Practical Implications,
EPIC: EPIC v. NSA - Cybersecurity Authority.
- President Issues Secret Cybersecurity Directive, EPIC Seeks Public Release » (Nov. 14, 2012)
Following a
Washington Post report of a new cyber security directive, EPIC has filed a
Freedom of Information Act request for the release of
Presidential Policy Directive 20. The Directive is believed to expand cyber security authority for the National Security Agency. EPIC is pursuing several FOIA cases, including the
release of NSPD-54, an earlier Directive that gave NSA authority to conduct surveillance within the United States. EPIC has also sought public release of the technical arrangement between the NSA and Google that was adopted in January 2010. Federal
law prevents the National Security Agency, a component of the Department of Defense, from conducting operations within the United States. For more information, see
EPIC: Cybersecurity Privacy Practical Implications,
EPIC: EPIC v. NSA - Cybersecurity Authority, and
EPIC v. NSA: Google / NSA Relationship.
- 2012 Democrat Platform Endorses Internet Privacy » (Sep. 4, 2012)
- 2012 Republican Platform Addresses Privacy and Government Surveillance » (Aug. 29, 2012)
The
2012 Republican Party Platform calls for strong Constitutional protections for privacy and new safeguards for personal data held by businesses. "We will ensure that personal data receives full constitutional protection from government overreach and that individuals retain the right to control the use of their data by third parties," the platform
states. The platform also criticizes
TSA screening procedures and calls for
warrant requirements for most law enforcement-operated drones. However, other provisions
endorse voter identification laws and increased disclosure of personal information to the government for
cyber security. For more information, see
EPIC: Privacy and Consumer Profiling,
EPIC: Whole Body Imaging Technology and Body Scanners,
EPIC: Unmanned Aerial Vehicles (UAVs) and Drones,
EPIC: Voter Photo ID and Privacy, and
EPIC: Cybersecurity Privacy Practical Implications.
- Franken Amendment Seeks to Protect Cybersecurity Privacy » (Jul. 30, 2012)
The Senate is expected to consider the
Cybersecurity Act of 2012 prior to the August recess. Unlike the Secure IT Act, the Cybersecurity Act would avoid the NSA takeover of the Internet. However, privacy concerns remain about the broad authority of Internet companies to monitoring Internet users and turn information to the government. An
amendment sponsored by Senator Al Franken (D-Minn) would limit this surveillance. A provision that limits the disclosure of cybersecurity threat information remains in the Act. Earlier this year, EPIC
recommended to the
Senate that the Freedom of Information Act limitation be removed. For more information, see
EPIC: Cybersecurity Privacy Practical Implications.
- EPIC Urges Privacy Safeguards for Defense Department Cybersecurity Program » (Jul. 11, 2012)
EPIC has submitted
comments to the Department of Defense, urging the agency to protect individual privacy when it obtains detailed information about Internet users from the private sector. Under current Department
regulations, companies are encouraged to provide information about Internet users that may relate to "cyber incidents" and cyber "threats."This is similar to a controversial provision in
Cyber Intelligence Information Protection Act ("CISPA"). EPIC recommended that the agency revise the regulations for the "Cyber Security and Information Assurance" program so that: (1) the program remain voluntary, (2) "cyber incident" and "threat" are narrowly defined, (3) liability is imposed on private companies for disclosing excess user information, (4) the Attorney General conduct annual audits, and (5) the agency adheres to federal privacy laws. EPIC also warned the agency to fully comply with the Freedom of Information Act, which has provided the public with important information about network security. For more information, see
EPIC: Cybersecurity and
EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and
EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship).
- Executive Order Grants Authority to Seize Private Communications Facilities » (Jul. 9, 2012)
The White House has released a new
Executive Order seeking to ensure the continuity of government communications during a national emergency. The Executive Order grants new powers to the
Department of Homeland Security, including the ability to collect certain public communications information. Under the Executive Order the White House has also granted the Department the authority to seize private facilities when necessary, effectively shutting down or limiting civilian communications. In 2011, Congress
considered similar provisions in cybersecurity legislation, which would have allowed the government to disconnect communications traffic in times of national security. Following public protest, congress abandoned the proposal. For more information, see
EPIC: Cybersecurity Privacy Practical Implications.
- LinkedIn Breach Leads to 6.5 Million Stolen Passwords » (Jun. 7, 2012)
The professional social network LinkedIn suffered a
security breach that exposed the passwords of over 6 million users. A user on a Russian Web forum reported downloading 6 million LinkedIn passwords. LinkedIn later confirmed that some of the passwords corresponded to LinkedIn accounts, deactivated those passwords, and advised all users to update their passwords. EPIC testified about the growing problem of data breaches in 2011 before the
House Financial Services Committee and the
Senate Banking Committee. For more information, see
EPIC: Cybersecurity and Privacy.
- Privacy Board Approved by Judiciary Committee, Vote Moves to Senate » (May. 17, 2012)
The
Senate Committee on the Judiciary has
approved President Obama's five nominees for the
Privacy and Civil Liberties Oversight Board. The Board is an independent entity charged with ensuring that fundamental rights are protected in the implementation of government programs, including cybersecurity. Originally convened in 2004, the five seats on the Board have remained
vacant for the past five years. Senator Leahy, the Chairman of the Judiciary Committee,
said, "When we worked to create this board, we did so to ensure that our fundamental rights and liberties would be preserved…The Senate should move quickly to confirm the nominees to the board so that they can get to their important work." For more information, see
EPIC: 9/11 Commission Report and
"The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11."
- Flawed Cybersecurity Bill Passes House, Headed for Senate without Privacy, FOIA Safeguards » (Apr. 27, 2012)
The House of Representatives
passed the
Cyber Intelligence Information Protection Act ("CISPA"), a cybersecurity bill that allows the government to obtain detailed information about Internet users from the private sector. The bill preempts established privacy protections in other federal laws and opens the door for increased surveillance of individuals in the United States. The bill also creates a new
Freedom of Information Act exemption, which will reduce government transparency and accountability. Earlier this year, EPIC said in a
statement to the
Senate that the Freedom of Information Act provides the public important information about network security, and warned that the National Security Agency has become a “black hole” for public information about cybersecurity. For more information, see EPIC:
Cybersecurity and
EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and
EPIC: EPIC v. NSA (FOIA for Google/NSA Relatioship).
- Coalition Urges Congress to Remove Cybersecurity FOIA Limitations » (Apr. 18, 2012)
An open government coalition has
asked House lawmakers to oppose provisions in
"CISPA" that would cut off public access to information held by federal agencies. The Cyber Intelligence Sharing and Protection Act would allow the government to refuse to disclose broad swaths of information, otherwise subject to FOIA, that companies provide to the government. More than three dozen groups have signed the petition - including Openthegovernment.org, the Sunlight Foundation, Project On Government Oversight, and EFF. The groups have asserted that the legislation "constitutes a wholesale attack on public access to information under the Freedom of Information Act" and would impede the public's ability to evaluate whether the government is adequately combating cybersecurity threats. In a
statement for a
hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information see
EPIC: Cybersecurity, EPIC: EPIC v. NSA,
Litigation Under the Federal Open Government Laws 2010.
- Open Government Groups Oppose Cyber Security FOIA Exemption » (Mar. 14, 2012)
Open government organizations have sent a
letter to Senator John McCain, opposing specific provisions in a cybersecurity bill he introduced. The
SECURE IT Act would create a new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. FOIA exemptions limit public access to government information. The organizations stated, "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a
statement for a
hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see
EPIC: Cybersecurity.
- EPIC Urges Senate to Safeguard FOIA for Cybersecurity » (Mar. 12, 2012)
In a detailed
statement to the Senate for a hearing on the
"Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public.
EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request will be heard next week by the DC Circuit Court of Appeals. For more information, see
EPIC: Cybersecurity.
- EPIC Warns Congress of Cybersecurity Risks to Consumers » (Sep. 14, 2011)
EPIC Executive Director Marc Rotenberg
testified today before the
House Subcommittee on Financial Institutions and Consumer Credit. EPIC highlighted several recent high-profile data breaches, including those involving the digital security certificates used to authenticate websites, that have compromised the private data of thousands of consumers. Citing reports from the
Privacy Rights Clearinghouse, EPIC's Rotenberg said "These attacks on financial institutions produce both direct and indirect costs for consumers who must contend with the risk of identity theft and financial fraud." EPIC previously
testified before the Senate Banking Committee on cybersecurity in the financial sector and the growing threat to consumer data. For more information, see
EPIC: Cybersecurity and Privacy.
Webcast.
- Commerce Department Releases Cybersecurity Report, Seeks Comments » (Jun. 8, 2011)
The U.S. Department of Commerce has released a green paper on
"Cybersecurity, Innovation, and the Internet Economy." The paper is the latest deliverable published by Secretary Locke's
Internet Policy Task Force, established in April 2010 as collaboration between technical, policy, trade, and legal experts. The Department’s goal is to provide voluntary standards and incentives for Internet stakeholders who fall outside of the scope of "critical infrastructure." The White House released
draft cybersecurity legislation in May 2011 that would designate the Department of Homeland Security as the lead administrative agency for critical infrastructures. The Department of Commerce poses several questions in the green paper, and is encouraging stakeholders to submit comments, which are due in 45 days. For more information, see
EPIC: Cybersecurity and Privacy.
- House Examines White House Cybersecurity Proposal » (May. 26, 2011)
The House of Representatives has held two hearings on the
White House legislative plan for cybersecurity. The
House Oversight and
House Judiciary Committees questioned government officials and members of private industry on the proposal. Committee members showed particular interest in provisions that pre-empted stronger state laws and those that offered immunity to private industry for complying with government requests for information on data breaches. Rep. Watt (D-NC) asked how the proposal was unlike the controversial telecom immunity contained in the
Patriot Act. The White House proposal is part of a series of initiatives driven by the
2009 Cyberspace Policy Review. EPIC has
called for cybersecurity legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. For more information, see
EPIC: Cybersecurity and Privacy and
EPIC: National Strategy for Trusted Identities in Cyberspace.
- White Houses Releases International Cyberspace Plan » (May. 17, 2011)
Following the release of
proposed cyber security legislation last week, the White House today unveiled
"International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World." The
Strategy is ambitious and far-reaching, covering economic policy, foreign affairs, homeland security, and defense. The Strategy also emphasizes the need to safeguard fundamental freedom and privacy rights. To address growing concerns about online privacy, EPIC has
recommended that the United States begin the process of ratifying the
International Privacy Convention, which has been adopted by more than 40 countries. For more information see,
EPIC - Privacy Convention.
- White House Sets Out Cyber Security Plan » (May. 13, 2011)
The White House has
announced a far-reaching
legislative proposal for cyber security. The plan proposal would standardize data breach reporting requirements, clarify penalties for computer crime, and create a regulatory framework for critical infrastructure. However, the plan also enables greater data collection across the federal government and expanded electronic surveillance. EPIC has previously
called for cyber security legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. EPIC has several pending FOIA lawsuits concerning the Administration's cyber security programs, including the
Google/NSA collaboration. For more information, see
EPIC: Cybersecurity and Privacy.
- Senate Commerce Committee to Explore Internet Privacy, Airport Screening, Cybersecurity » (Jan. 21, 2011)
Chairman Rockefeller's (D-WV) priorities for the Senate Commerce Committee in the new Congress will include consumer privacy, oversight of the Federal Trade Commission, airport screening, and cybersecurity, according a recent
statement. Senator Rockefeller has specifically
called for strong Internet privacy laws. "There are no baseline privacy protections for most consumer online activity," he stated. "Industry self-regulation has largely failed, and I hope that the Department of Commerce . . .will reach the conclusion that legislation is necessary to protect consumers." EPIC has testified previously before the Committee on the
Childrens' Online Privacy Protection Act (COPPA),
protecting consumers' phone records, and
spam e-mail. For more information, see
EPIC: Online Tracking and Behavioral Profiling and
EPIC: Cybersecurity Privacy Practical Implications.
- EPIC, Joined by 13 Organizations, Sends Statement on NSTIC » (Oct. 1, 2010)
EPIC, joined by the
American Library Association,
Liberty Coalition,
Bill of
Rights Defense Committee, and the
Center for Media and Democracy, among
others, sent a
statement to the
Department of Homeland Security responding to the Administration's call for comments regarding its
National Strategy for Trusted Identities in Cyberspace Creating Options for Enhanced Online Security and Privacy (NSTIC) draft policy. The coalition's comments press the Administration for a clearer definition of the problems that the policy intends to solve. The coalition further advocates for the maintenance of a free and open Internet that protects the creative content of users, assures privacy, and creates accountability and oversight of government activity, especially as it relates to law enforcement and surveillance. For more, see EPIC's
Cybersecurity and Privacy.
- EPIC Seeks Details on New Government Crypto Regulations » (Sep. 29, 2010)
EPIC has sent
Freedom of Information Act (FOIA) requests to the Department of Justice, the Federal Bureau of Investigation, and the National Security Agency for information about a
proposal to expand Internet surveillance and deploy weakened security standards. The proposal would require Internet companies to develop network services to enable government access to private communications, including those on peer-to-peer networks. In 1996, the National Resource Council
concluded that such technical standards make network communications more vulnerable to cyber attack. For more information, see
EPIC: Cryptography Policy.
- DHS Privacy Office Releases 2010 Annual Report » (Sep. 24, 2010)
The Department of Homeland Security has released the
Privacy Office 2010 Annual Report. The Agency's Chief Privacy Officer must prepare an annual report to Congress that details activities of the Department that affect privacy, including complaints of privacy violations, and DHS compliance with the Privacy Act of 1974. This year’s report details the establishment of privacy officers within each component of the Agency. The report also provides updates on
Fusion Centers,
Cybersecurity, and
Cloud Computing activities of the agency. For more information, see
EPIC: DHS Privacy Office.
- EPIC FOIAs NSA for Details of "Perfect Citizen" » (Jul. 16, 2010)
EPIC has filed a
Freedom of Information Act request with the
National Security Agency regarding the new secret cybersecurity program known as "Perfect Citizen." According to the
Wall Street Journal, the program "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack," although the agency
has claimed that there "is no monitoring activity involved, and no sensors are employed in this endeavor" but has refused to release the details of the program. In its request, EPIC has sought contracts, memoranda, and other records relating to "Perfect Citizen." For more information, see
EPIC Cybersecurity and Privacy.
- EPIC Testifies in Congress on Cybersecurity and Privacy » (Jul. 15, 2010)
EPIC Executive Director Marc Rotenberg testified today before the
House Committee on Science and Technology regarding
Planning for the Future of Cyber Attack Attribution. In
his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies. For more information, see
EPIC Cybersecurity and Privacy.
- Cybersecurity Legislation Moves Forward in Congress » (Jun. 25, 2010)
The Senate Homeland Security Committee voted unanimously to report favorably the
Protecting Cyberspace as a National Asset Act of 2010 to the Senate at a markup session (
video) on June 24th. An earlier version of the bill was
introduced on June 10th and a hearing (
video) was held on June 15th. The bill would establish a National Center for Cybersecurity and Communications at the Department of Homeland Security. Critics' had said that the bill would also give the President an "internet kill switch" to take over private networks. Before committee passage, the bill was amended to include limitations on the proposed Presidential powers to declare a "cybersecurity emergency" and to better define what parts of critical infrastructure are covered by the bill. For more information, see
EPIC Cybersecurity and Privacy.
- EPIC's Coney Leads Cybersecurity Panel at Computers, Freedom, Privacy Conference » (Jun. 18, 2010)
EPIC Associate Director Lillie Coney leads a panel discussion today on "Cybersecurity Policy and the Role of .Orgs" at the annual conference on
Computers, Freedom, and Privacy. The
panel features top government decision makers and leading experts in cybersecurity. The panel will be
cybercast June 18 at 2 pm ET. The discussion builds on a
letter to White House Cyber Security Director Howard Schmidt, organized by EPIC and endorsed by 30 organizations, which states that US cybersecurity policy "must incorporate protections of our basic freedoms and constitutional rights." Ms. Coney will co-chair the 2011 CFP Conference, which will be held in Washington DC. For more information, see
EPIC-Cybersecurity Privacy Practical Implications.
- Senate Committee Holds Hearing on Cybersecurity Bill » (Jun. 16, 2010)
The Senate Homeland Security Committee held a first hearing on the
recently introduced cybersecurity bill, the
Protecting Cyberspace as a National Asset Act of 2010. The
hearing (
video) featured testimony from Philip Reitinger at the Department of Homeland Security, as well as several industry representatives. Many of the committee's questions focused on whether authority over civilian cybersecurity should be concentrated in the Department of Homeland Security or in the Department of Defense, a question on which EPIC has
repeatedly sought information. For more information, see
EPIC Cybersecurity and Privacy.
- New Cybersecurity Legislation Introduced » (Jun. 11, 2010)
Senators Lieberman, Collins, and Carper of the Senate Homeland Security & Governmental Affairs Committee have
introduced the
Protecting Cyberspace as a National Asset Act of 2010. The bill would establish a White House Office of Cyberspace Policy and a National Center for Cybersecurity and Communications. The bill would allow the President to declare a "national cyber emergency" and implement emergency measures, although it would not allow these measures to set aside requirements of the
Wiretap Act, the
Electronic Communications Privacy Act, or the
Foreign Intelligence Surveillance Act. The bill would also make certain changes to the Federal Information Security Management Act. The Committee released a
summary of the bill. EPIC is currently seeking to make public the NSA's authority for cyber security. For more information, see
EPIC Cybersecurity and Privacy.
- Coalition Letter Results in Meeting with White House Cybersecurity Coordinator » (May. 12, 2010)
EPIC, joined by over 30 organizations, launched a campaign to obtain a meeting with Howard Schmidt, the White House Cybersecurity Coordinator. Groups joining the
letter included the ACLU, American Library Association, Bill of Rights Defense Committee, Liberty Coalition, NAACP, OpenTheGovernment.org, and the Lawyers Committee for Civil Rights Under Law. The White House has agreed to the meeting, which follows Senate
confirmation of Keith B. Alexander, director of the National Security Agency, to lead the U.S Cyber Command. Civil society organizations have expressed concern about the growing role of the NSA in cyber security. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see
EPIC Sues NSA to Force Disclosure of Cybersecurity Authority, and
EPIC - Cybersecurity Privacy: Practical Implications.
- White House Issues Rules for Security Reporting » (Apr. 26, 2010)
A new
White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks; and make reports to
CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance. For more information, see
EPIC's Cybersecurity page.
- EPIC Demands Release of Classified Answers on Privacy and Internet Standards from Cyber Command Nominee » (Apr. 19, 2010)
EPIC has filed a
Freedom of Information Act (FOIA) request with the National Security Agency (NSA) seeking the "classified supplement" that Director Lt. Gen. Keith Alexander filed with his
answers to questions from the Senate Armed Services Committee regarding his
nomination to be the Commander of the newly formed United States Cyber Command. Several of Lt. Gen. Alexander's classified responses were to questions regarding the privacy of Americans' communications, and EPIC's request urges the Agency to make the full responses public. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see
EPIC Sues NSA to Force Disclosure of Cybersecurity Authority.
- Congress Considers Nomination of NSA Director to US Cyber Command, Concerns Remain » (Apr. 15, 2010)
The
Senate Armed Services Committee will hold a hearing on April 15, to consider the nomination NSA Director
Lt. Gen Keith B. Alexander to be the Commander of the
US Cyber Command. EPIC has expressed concern about the expanded authority of the NSA within the United States and has specifically requested the public release of
NSPD-54, the secret Presidential Directive that allows the NSA to conduct electronic surveillance against US citizens within the United States, prior to the confirmation of Lt. Gen. Alexander. EPIC is seeking this and related document in a Freedom of Information Act lawsuit. For more information, see
EPIC Sues NSA to Force Disclosure of Cyber Security Authority.
- Congressional Leaders Press Obama on Privacy Board » (Mar. 30, 2010)
Chairman Bennie Thompson and twenty members of the House of Representatives sent a
letter to President Obama seeking the immediate nomination of members to the Privacy and Civil Liberties Oversight Board. The Privacy Board was active during the Bush Administration, but the Obama administration has moved slowly to
reconstitute the advisory body. No hearings have been held and no reports have been issued. The board is intended to provide advice on the civil liberty implications of programs that effect the rights of citizens, such as the use of
Whole Body Scanners by the TSA,
biometic identifiers, and
cyber security policy.
- White House Publishes Outline of Cyber Security Policies » (Mar. 2, 2010)
The White House
announced today that it has made a
description of the Comprehensive National Cybersecurity Initiative (CNCI) available online for public viewing. The12 CNCI initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains secret. EPIC has been involved in ongoing
litigation regarding a
Freedom of Information Act request for the text of the critical cybersecurity document NSPD 54 that President Bush signed in 2008. For more information, see
EPIC: EPIC Sues NSA to Force Disclosure of Cyber Security Authority and
EPIC: EPIC Seeks Records on Google-NSA Relationship.
- EPIC Statement to Congress on Google, NSA, and Cybersecurity » (Feb. 9, 2010)
EPIC has submitted a
statement for the record for a
House Foreign Affairs Committee hearing on Google and U.S. Cyberspace Policy. EPIC's statement recommends investigation into the newly-announced partnership between Google and the National Security Agency and the public release of the secret document that grants the NSA broad surveillance authority in cyberspace. The EPIC statement also urges the Congressional Committee to support US ratification of the
Council of Europe privacy convention. For more information, see
EPIC Critical Infrastructure Protection,
Experts' Letter to Secretary Clinton on the Council of Europe Convention.
- FCC Commits to Protecting Consumers in FY 2011 Performance Plan » (Feb. 4, 2010)
The
Federal Communications Commission (FCC) released its FY 2011
budget request and performance plan. The FCC requests funding for furthering cybersecurity, implementing the
National Broadband Plan, revamping the FCC's data systems and processes, and modernizing the agency's communications tools and expertise. The FCC prioritizes implementation of the National Broadband Plan and protection of consumers in the agency's performance goals. Objectives with respect to consumers include addressing 100% of complaints filed with the Commission alleging violations of the
Communications Act and taking appropriate action within 15 months, rigorously enforcing the
Telephone Consumer Protection Act, and ensuring "through litigation where necessary, that consumers are protected from anticompetitive practices."
- EPIC Sues NSA to Force Disclosure of Cyber Security Authority » (Feb. 4, 2010)
EPIC has filed a
lawsuit against the
National Security Agency and the
National Security Council, seeking a key document governing national cybersecurity policy. The document, National Security Presidential Directive 54 grants the NSA broad authority over the security of American computer networks. The agencies violated the Freedom of Information Act by failing to make public the Directive and related records in response to
EPIC's request. EPIC's suit asks a federal judge to require the release of the documents. Congress is currently debating cyber security policy. For more information, see
EPIC FOIA Litigation,
EPIC Critical Infrastructure Protection.
- New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009)
Senator Patrick Leahy (D-Vt)
introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and
establishes an Office of Federal Identity Protection within the
FTC. However, the bill preemepts stronger state privacy laws and fails to provide a right of private action for consumers. For more information, see
EPIC Identity Theft,
EPIC Personal Data and Privacy Protection, and
EPIC Preemption Page.
Privacy
What Privacy Rights May be Involved with Cybersecurity?
Privacy interest in cybersecurity involves establishing protocols and effective oversight regarding when, why, and how government agencies may gain access to personal information that is collected, retained, used, or shared. U.S. businesses and government share responsibility for the insecurity of consumer online personal information. There is no single federal minimum standard for data protection that enforces fair information practices (FIPs). Fair information practices regulate and enforce consumer privacy rights regarding data collection, retention, use, and sharing of personal information. The federal approach has focused not on the protection of personal information, but on the purpose of the information collection.
The history of U.S. government agencies conducting sanctioned and unsanctioned surveillance of domestic communication by colluding with telecommunications and wire communication companies is well known. (The Puzzle Palace, Inside the National Security Agency America's Most Secret Intelligence Organization (1983)- James Bamford) Domestic surveillance first began as a means of acquiring information on criminal activities and quickly moved to documenting people's engagement in social or political activities and their exercise of constitutionally protected rights to expression and assembly. Fundamentally, control of society is, in large part, about the ability of government to control communications.
One key challenge facing digital communications users is that this medium suits those inclined to spy unlike any other form of surveillance because the intruder can hide the fact that a communication has been compromised. The National Security Agency is no amateur at delving into personal communications that are secured by law or design from snooping.
Cybersecurity Interests
Consumer Cybersecurity Interest
Online consumers have been victimized by cyber-threats in the form of spyware; malicious computer viruses, worrms, or malware; and fraud or abusive sales tactics that lure consumers to invest in bogus products or services. Online consumers routinely fall victim to identity theft, as well as spam, phishing or pharming attacks.
Consumers are also facing the challenge of determining which products or services to trust to provide goods and services as advertised.
Political Advocacy and Academic Cybersecurity Interest
For individuals and organizations that rely on the Internet for research, access to information, collaboration, political participation, fundraising, coalition building, campaigns, advocacy, organized dissent, political speech, watchdog actions against government and businesses, freedom of expression, dissemination of information or for outreach to constituencies--cybersecurity does matter a great deal.
Threats posed to political activity include deceptive campaign tactics that deface Websites, target donations for theft, create denial of service attacks on Websites, or send messages that are deceptive or misleading regarding the rules for voter participation on election day. If responses to cyber-attacks deny advocates access to the Internet and/or advanced communications networks, this would deny them the means to engage in a wide range of activities that could include election protection efforts during public elections, mobilize supporters for public protests, educate consumers, or empower constituencies to know and understand policy that impacts their lives. Academics and researchers must have a trustworthy and reliable means of exchanging ideas, participating in discussions, and collaborating on projects that advance their areas of research interest.
Business Cybersecurity Interest
Large and small companies have cyber-threats within and outside of their control such as data breaches, theft of company secrets, spying, attacks on computer networks, and damage to critical systems. Many companies are considering the challenges of cybersecurity and looking to new business applications such as cloud computing to secure data. However, cloud computing has enormous security and privacy risks relating to dependence on untrustworthy or unevaluated third parties.
New business and government services such as electronic health records and development and updating of critical infrastructure such as the Smart Grid each offer new cybersecurity privacy challenges for consumers.
National Security Cybersecurity Interest
The cyber-threats to any nation can range from disruption of an agency's networks or information services to the public to cyber-warfare. Depending on the agency, type of cyber-attack, its scope, duration, and effectiveness, the consequences for the online and offline operation of local, federal, or state government components can range from annoying delays in communications to serious damage to infrastructure threatening life or property.
Cyber-attacks or incidents that threaten the command and control structure of the national government or its assets including national defense, emergency response, and economic systems are of growing concern. The digital infrastructure of the nation must be treated as a strategic national asset. The new mission is to deter, detect, and defend against disruptions and attacks of all descriptions.
Policy
Introduction
Cyberspace is global, but the freedoms that are protected by constitutional rights, human rights norms, and legal institutions are defined by treaty or geography. Cybersecurity may be defined by governments, but will have a lasting impact on many rights and civil liberties enjoyed by free people throughout the world who engage in cyber-communications. Freedom of expression, freedom of association, economic opportunity, and political discourse may be redefined by the course the United States charts for cybersecurity.
Decisions about how to define cybersecurity and who will define it may affect Internet anonymous speech, freedom of expression, free speech, and access to information. Those who have worked on Network Neutrality understand what manipulation of communications over the Internet might mean. However, in the realm of federal cybersecurity, transparency and oversight might not be part of the process.
The Obama Administration has engaged agencies of the federal government, large corporations, technology companies, technologists, legal scholars, and policy experts in the deliberative process related to establishing policy to secure cyberspace.
On May 29, 2009, President Barack Obama announced the Administration's plan to address the growing issue of digital information insecurity. The Administration engaged multiple participants to develop this plan.
Much of the nation's critical infrastructure is connected in some way to computer networks. Addressing digital communication system vulnerabilities touches on important privacy and security questions that must be answered. The President began this discussion on cybersecurity by stating:
It is now clear that this cyber-threat is one of the most serious economic and national security challenges we face as a nation. It's also clear that we are not as prepared as we should be as a government or as a country. In recent years some progress has been made at the federal level, but just as we failed in the past to invest in our physical infrastructure: our roads, our bridges, and rails. We failed to invest in the security of our digital infrastructure. No single official oversees cybersecurity policy across the federal government and no single agency has the responsibility or authority to match the scope and scale of the challenge...
The Obama Administration is challenging federal government agencies, large technology companies, corporate America, academics and digital media users to join efforts to secure the Internet and telecommunications systems from every form of cyber-threat or menace.
The goal of the Administration is to pursue a new aggressive and comprehensive approach to cybersecurity that would address all forms of cyber-based threats. The category of threats will include those faced by consumers, corporations, critical infrastructure, and networked local, state, and federal government agencies. Internet or networked computer based communications have moved beyond an option to a necessary tool for a highly interconnected world. The Internet has fundamentally changed the social, cultural, business, political, and educational experiences of people.
The Cyberspace Policy Review set out 10 near-term actions. According the Whitehouse.gov Cybersecurity Factsheet, the Administration has completed or will soon complete all of those items:
- Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy. ◊ Complete. Howard A. Schmidt has been appointed as the Cybersecurity Coordinator.
- Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCIactivities and, where appropriate, build on its successes. ◊ Complete. The direction and needs highlighted in the Cyberspace Policy Review and previous national cybersecurity strategy are still relevant, and we have updated that strategy on targeted cyber issues, such as identity management and international engagement.
- Designate cybersecurity as one of the President's key management prioritiesand establish performance metrics. ◊ Complete. All senior executives and senior leadership have been informed that cybersecurity is one of the President's key management priorities for the Federal Government. We have established metrics through the CyberStats program, and we have also worked with the Office of Management and Budget (OMB) to update the Federal Information Security Management Act (FISMA) metrics by which departments and agencies are graded on their cybersecurity. Together, we are shifting the Federal Government's approach to cybersecurity from a static, paper-based certification and accreditation to a dynamic, relevant process based upon continuous monitoring and risk assessment.
- Designate a privacy and civil liberties official to the NSC cybersecurity directorate. ◊ Complete. Our second Director for Privacy and Civil Liberties official joined us from the Federal Trade Commission in December 2010.
- Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government. ◊ Complete. We have developed a formal interagency process as we continue to address policy and legal issues. As part of that process, we identified additional authorities that the executive branch needs to fulfill its mission, and we have requested those authorities as part of our legislative package.
- Initiate a national public awareness and education campaign to promote cybersecurity. ◊ Complete. We have created the National Initiative for Cybersecurity Education (NICE) with the dual goals of a cyber-savvy citizenry and a cyber-capable workforce, including raising awareness for consumers, enhancing cybersecurity education, and improving the structure, preparation, and training of the cybersecurity workforce. After the 2010 National Cyber Security Awareness Month, DHS launched a year-round national awareness campaign, which has held events around the country.
- Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. ◊ Complete. We have finished and will soon release the International Strategy for Cyberspace, which provides a unified foundation for the nation's international engagement on cyberspace issues.
- Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. ◊ Complete. The National Cyber Incident Response Plan (NCIRP) was developed and tested during a national cyber exercise, Cyber Storm III. It is now in the final stages of being updated, based upon our experience using the plan in different cyber exercises.
- In collaboration with other EOPentities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. ◊ Complete. The White House Office of Science and Technology Policy has finalized a Cyber Research and Development Framework. Public release of the plan is expected to occur in May 2011.
- Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation. ◊ Complete. The National Strategy for Trusted Identities in Cyberspace (NSTIC) was released on April 15, 2011. The Department of Commerce will stand up a program office to coordinate the federal government and private sector in implementing this effort.
Legislative Proposals
The White House proposed cybersecurity legislation in May 2011. According to the White House, the proposed legislation will help safeguard personal data, help protect our national security by addressing threats to critical infrastructure, and help the government protect federal networks while at the same time creating stronger privacy and civil liberties protections. The Whitehouse.gov Fact Sheet on the Proposal highlights the following features of the legislation:
National Data Breach Reporting
Penalties for Computer Criminals
Voluntary Government Assistance to Industry, States, and Local Governments
Voluntary Information Sharing with Industry, States, and Local Governments
Critical Infrastructure Cybersecurity Plans
Increase of Effort and Resources to Protect the Federal Network
On January 5, 2011, Representative Bennie Thompson (D-MS) sponsored H.R. 174, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2011. H.R. 174 "seeks to enhance DHS' cybersecurity capacity by authorizing the DHS Office of Cybersecurity and Communications and creating a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards responsive to the particular risks to the (1) .gov domain and (2) critical infrastructure networks, respectively." (Source: Press Release). It was referred to the House Committee of Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.
The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies has held several hearings on the issue of cybersecurity. On June 24, 2011, the subsommittee held a hearing entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal." (http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity). On April 15, 2011, the subcommittee held a hearing entitled "The DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure." On March 16, 2011, the subsommittee held a hearing entitled "Examining the Cyber Threat to Critical Infrastructure and the American Economy."
National Strategy for Trusted Identities in Cyberspace (NSTIC)
One objective of the White House's Cyberspace Policy Review was to develop a national plan for a public secure Internet identification program:
"The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through a myriad of information, services and benefit programs and thus has no interest in the protection of the public's private information as well."
Based on the White House's recommendations, an inter-agency writing team developed and released a Draft plan of the
National Strategy for Trusted Identities in Cyberspace (NSTIC) in June 2010. NSTIC is seen as an acceleration and expansion of the initiatives developed by ICAM to the public domain. The Draft identified what it called the
Identity Ecosystem - "a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value." The Draft was published on IdeaScale, and was open for the public to submit comments. (The page has since been removed, though MSNBC has maintained a
screenshot.)
EPIC responded to the Draft NSTIC with a formal statement on the unique challenges the proposal presented for the continued protection of privacy and consumer rights. EPIC emphasized the need for:
- A complete enumeration of the sources of the problems identified in the draft
- A clear plan for privacy protection
- A strategy for the protection of private communications by fair information practices
- The assignment of responsibility of government agencies to oversee authorities, courts, and credential users regarding constitutional rights
- The assurance that Internet users can continue to create, control, and own web content.
EPIC also emphasized the importance of applying Fair Information Practices to all personally identifiable information that is collected, retained or used, and recommended an explicit statutory provision that would apply protections in the Federal Privacy Act to all credential-related information.
On January 7, 2011, White House Cybersecurity Coordinator, Howard Schmidt and Commerce Secretary Gary Locke appeared at an event at Stanford University in California. In his speech, Locke detailed many potential threats on the Internet, claiming that the "cyber threat" was "one of the most serious economic and national security challenges we face as a nation." In order to lead the government's efforts on digital identity, Locke announced the creation of a National Program Office at the Department of Commerce, housed under the National Institute for Standards and Technology (NIST), that would be responsible for a digital identity framework.
As described by Secretary Locke in his announcement: The new Program Office would spearhead the development of NSTIC, though implementation would be outsourced to the private market, eliminating the need for a single overseer or a central database. (However, because the federal government will not be maintaining the databases of information, they will not be subject to the protections provided in the Federal Privacy Act of 1974). The digital identity program is also designed to be entirely voluntary to users. In addition to private industry, the General Services Administration and the Department of Homeland Security were also slated to assist with development of the new programs.
For the full NSTIC page, see EPIC: NSTIC
International Strategy for Cyberspace
On May 16, 2011, the White House announced the International Strategy for Cyberspace (ISC). The ISC outlines the United States' approach to cyber issues. The ISC states the goal of a "future for cyberspace that is open, interoperable, secure, and reliable." Policy priorities include:
- Promoting International Standards and Innovative, Open Markets
- Protecting Our Networks: Enhancing Security, Reliability, and Resiliency
- Internet Governance: Promoting Effective and Inclusive Structures
- Internet Freedom: Supporting Fundamental Freedoms and Privacy
Department of Commerce's Cybersecurity Policy Framework
On June 8, 2011, The Department of Commerce announced a new policy framework for cybersecurity and businesses online. The Department of Commerce Green Paper proposes voluntary codes of conduct for companies that do business online but are not part of the critical infrastructure sector. The framework makes specific policy recommendations, including:
- Establish nationally recognized but voluntary codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses employ present-day best practices, such as automated security, to combat cybersecurity threats and that they implement the Domain Name System Security (DNSSEC) protocol extensions on the domains that host key Web sites. DNSSEC provides a way to ensure that users are validly delivered to the web addresses they request and are not hijacked.
- Developing incentives to combat cybersecurity threats. The report also recommends exploring and identifying incentives that could include reducing "cyberinsurance" premiums for companies that adopt best practices and openly share details about cyberattacks for the benefit of other businesses.
- Improve public understanding of cybersecurity vulnerabilities through education and research. Programs like the National Initiative for Cybersecurity Education should target awareness and training to the I3S and develop methods for cost/benefit analyses for cybersecurity expenditures.
- Enhance international collaboration on cybersecurity best practices to support expanded global markets for U.S. products. This should include enhanced sharing of research and development goals, standards, and policies that support innovation and economic growth.
The Green Paper was the product of the Internet Policy Task Force. The Department of Commerce launched the Internet Policy Task Force in April 2010. The Department of Commerce is seeking public comment on the Green Paper.
Resources
- Coalition Letter Outlining Concerns Regarding Lack of Civil Society Presence in Decision Making
- White House Cybersecurity Memo Title: FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, April 21, 2010
- Advance Senate Armed Services Confirmation Hearing Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command (Hearing Date April 15, 2010
- Remarks on Internet Freedom, Hillary Rodham Clinton, Secretary of State at The Newseum, Washington, DC, January 21, 2010
- Privacy and Technology Experts Reply to Clinton's Remarks by Urging Ratification of the Council of Europe Convention on Privacy, January 28, 2010
- EPIC FOIA for National Security Presidential Directive 54
- Obama Administration: Cyberspace Policy Review
- Critical Infrastructure Protection and the Endangerment of Civil Liberties
- DHS Cybersecurity Documents
- DHS: A Road Map to Cybersecurity
- CRS Analysis of the US PATRIOT Act
- White House Cyberspace Policy Review (May 29, 2009)
- President Obama's Speech on Cyber-security (May 29, 2009)
- EPIC's Testimony to the House Subcommittee on Oversight and Investigations on "Creating the Department of Homeland Security: Consideration of the Administration's Proposal" (July 9, 2002)
- EPIC's Testimony to the Senate Committee on Governmental Affairs on "Securing Our Infrastructure: Private/Public Information Sharing" (May 8, 2002)
- EPIC's Letter to the House Judiciary Committee, Subcommittee on Crime, on H.R. 3482, The Cyber Security Enhancement Act of 2002(February 26, 2002)
- EPIC's Testimony to the House Government Reform Committee on H.R. 4246, The Cyber Security Information Act (June 22, 2000)
- EPIC's Testimony to the Senate Judiciary Committee on "CyberAttack: The National Protection Plan and its Privacy Implications" (PDF, 128K) (February 1, 2000)
- EPIC Press Release on "National Plan for Information Systems Protection" (February 1, 2000)
- Memo from Ronald D. Lee, Associate Deputy Attorney General, Department of Justice to Jeffrey Hunker, Director, Critical Infrastructure Assurance Office regading the National Information Systems Protection Plan, March 8, 1999. Obtained by EPIC under the Freedom of Information Act.
- Memo from Jeffrey Hunker, CIAO to CICG Members regarding "Offsite Materials." Obtained by EPIC under the Freedom of Information Act.
- White House "National Plan for Information Systems Protection" (PDF, 912K) (January 7, 2000)
- Executive Summary of "National Plan for Information Systems Protection" (PDF, 664K) (January 7, 2000)
- White House Press Release on "Cyber-Security" (January 7, 2000)
- Transcript of White House Press Briefing on "Cyber-Security" (January 7, 2000)
- European Parliament: Report ont he existence of a global system for interception of privacy and commercial communications(ECHELON intercept system) (2001/2098(INI))
EPIC Reports, FOIA and Testimony
Organizations Working on Cybesecurity
Papers and Articles
- White House cyber security plan to cite e-health", Health IT, By Mary Mosquera, Wednesday, May 12, 2010
- A House insider's view of U.S. cybersecurity policy, Federal Computer Week, Ben Bain, May 6, 2010
- Summit in Dallas targets cybercrime, Dallas Morning News, By VICTOR GODINEZ, May 3, 2010
- Whitehouse: Congress needs clarity on who handles cybersecurity, the Hill, By Tony Romm - May 3, 2010
- Cyber-Security Survey Shows Distrust Between Public and Private Sectors, Government Technology, May 3, 2010
- FBI Names Cybersecurity Division Chief, Elizabeth Montalbano, InformationWeek, April 26, 2010
- Meeting of the Minds Over Fed Cybersecurity, Government Info Security
- Politicians jockey for cybersecurity positioning, Federal Computer Week, Ben Bain, April 23, 2010
- FCC launches NOI on voluntary cybersecurity certification program - NOI seeks to implement National Broadband Plan information security recommendation, Association of Corporate Council, April 22, 20101
- Politicians jockey over cybersecurity positioning, By Ben Bain, Federal Computer Week, April 21, 2010
- DHS Fills 2 Key Cybersecurity Posts, Government Info Security, April 21, 2010
- Four myths about cyber-security, Sync-blog.com, April 20
- Cyber Command nominee lays out rules of engagement, Ben Bain, Federal Computer Week, April 16, 2010
- Pick to lead cyber command lays out battle plans, Ben Bain, Federal Computer Week, April 15, 2010
- Cyber security, FEMA meeting on Obama's agenda, Washington Post, May 29, 2009.
- Computer Security Review Due This Week, Helene Cooper, N.Y. Times, May 26, 2009.
- Cyber Terror Arsenal Grows. Niall McKay, Wired News, October 16, 1998.
- An Electronic Pearl Harbor? Not Likely. George Smith, Issues in Science and Technology, Fall 1998.
- American Military Intervention: A User's Guide. The Heritage Foundation's look at military intervention.
- Protecting America's Critical Infrastructures. Critical Infrastructure Assurance Office factsheet on PDD 63.
- White House Fact Sheet: Protecting America's Critical Infrastructures: PDD 63. May 22, 1998.
- The President's speech on infrastructure protection at the U.S. Naval Academy.
- Statement of Dr. Jeffrey A. Hunker (Director, Critical Infrastructure Assurance Office).
- Is Cyberterrorism a Real Threat?. Reuters.
- Reno Unveils Center to Protect Infrastructure. Heather Harreld and Torsten Busse, Federal Computer Week.
- Networks: DOD's First Line Of Defense. George Leopold, Electronic Engineering Times, October 13, 1997.
- Testimony Before the House Science Subcommittee in behalf of the Computer System Security and Privacy Advisory Board. Willis H. Ware, Chairman, June 19, 1997.
- Report to the President's Commission on Critical Infrastructure Protection. James Ellis, David Fisher, Thomas Longstaff, Linda Pesante, and Richard Pethia, CERT Coordination Center Software Engineering Institute, Carnegie Mellon University, January 1997.
- Press Release ñ House Science Committee Chairman F. James Sensenbrenner, Jr. (R-WI) introduced H.R. 1903, the Computer Security Enhancement Act of 1997, legislation aimed at strengthening computer security throughout the federal government.
- Reflections on the 1997 Commission on Critical Infrastructure Protection (PCCIP) Report. Clark Staten, The Emergency Responce and Research Institute.
- The Information Warfare Challenges of a National Information Infrastructure. Ronald Knecht and Ronald A. Gove.
- Report of the Defense Science Board Task Force on Information Warfare. November 1996.
- Security and the National Infrastructure in the Computer Age. Judith Nocella, University of Buffalo, Fall 1996.
- What is Information Warfare?. Martin C. Libicki, March 1996.
- Papers on Network Centric Warfare.
- The Clipper Chip: Frequently Asked Questions (FAQ).
- Overview of the Defense Intelligence Agency (DIA).
- List of websites related to the Department of Defense Advanced Research Projects Agency.
Cybersecurity Infrastructure Surveillance Laws
Cybersecurity Legislation in the 111th Congress
News Articles
- Opponents focus on defeating CISA cyberthreat info-sharing bill, Computer World, July 30, 2015
- Cyber bill opponents fight CISA with the power of fax, The Washington Times, July 27, 2015
- CISA: New “Cybersecurity” Bill Is About Surveillance, Not Security. The Christian Post, April 8, 2015
- Congress' Fix for Cyberattacks May Hand the Government More of Your Data. Mother Jones, June 17, 2015
- Cyberwar Commander Survives Senate Hearing, Wired Magazine, Threat Level Blog, April 15, 2010
- DHS Announces National Cybersecurity Awareness Campaign Challenge Deadline April 30, 2010
- U.S. to Reveal Rules on Internet Security, By JOHN MARKOFF, New York Times, March 1, 2010
- Google Asks Spy Agency for Help With Inquiry Into Cyberattacks, By JOHN MARKOFF, New York Times, February 4, 2010
- Privacy experts see room for improvement from Obama, By Andrew Noyes, CongressDaily, September 9, 2009
- Cybersecurity Plan Doesn't Breach Employee Privacy, Administration Says, By Ellen Nakashima, Washington Post, September 19, 2009
- Obama Set to Create A Cybersecurity Czar With Broad Mandate, Ellen Nakashima, Washington Post, May 26, 2009
- National Cyber Security Czar Steps Down, March 9, 2009
- Cybersecurity Plan to Involve NSA, Telecoms DHS Officials Debating The Privacy Implications, By Ellen Nakashima, Washington Post Staff Writer, July 3, 2009