Cybersecurity Privacy Practical Implications
Concerning Privacy and Cybersecurity Policy
Introduction
Cybersecurity encompasses an array of challenges in protecting digital information and the systems it depends upon to effect communication. The interconnected world of computers forms the Internet, which offers new challenges for nations because regional or national borders do not control the flow of information as it is currently managed. The Internet, in the most basic sense, works like any other remote addressing system: a telephone number corresponds to a particular device, and a home or building address corresponds to a particular geographic location. The Internet's addressing system is called the Internet Protocol (IP).
Each computer network and computing device designed to communicate over the Internet must have a unique address to send or receive messages. The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for the task of managing these addresses so that each unique Internet device (computer, cell phone, personal digital device) has a unique IP number designation. This Internet addressing system translates these numbers into World Wide Web addresses best known by the extensions .com, .edu, .net, and .org. This addressing system makes it very easy for people to find the people and Web addresses they are seeking. IP registration information or WHOIS data on Internet address holders is a source of contention between privacy/free speech/human rights advocates and law enforcement and commercial and government interests.
Latest News
- EPIC Signs on to Protect Encryption in the Brazilian Code of Criminal Procedure Updates: EPIC has joined other members of the Global Encryption Coalition in a letter urging Brazil to address proposed updates to the Brazilian Code of Criminal Procedure that would threaten encryption and data security in Brazil. The text as it stands could force companies using strong security protections - such as end-to-end encryption - to introduce security flaws into their systems to be used as backdoors for law enforcement. Such measures endanger users and encourage exploitation of these weaknesses. EPIC led the effort in the United States in the 1990s to support strong encryption tools and played a key role in the development of the international framework for cryptography policy that favored the deployment of strong security measures to safeguard personal information. EPIC also filed an amicus brief in Apple v. FBI in support of encryption. (Jun. 29, 2021)
- EPIC to Maryland Legislators: Security Questions Need Upgrade: EPIC Interim Associate Director and Policy Director Caitriona Fitzgerald will testify today before the Maryland Senate Committee on Finance in support of stronger authentication methods to protect consumers. Senate Bill 185 requires financial institutions that choose to use security questions as an authentication method to provide customers with more than one security question option. EPIC noted that there are plenty of alternative authentication methods available today and that financial institutions truly should no longer be using basic security questions. "The requirement that your password contain one uppercase letter, one lowercase letter, one symbol, and one number is meaningless if all that is required to bypass that password is your pet’s name," EPIC told the Committee. But, EPIC said, if security questions are going to be used, institutions should ensure that multiple question options are given, and that users are permitted to answer the questions with randomly-generated password-like answers rather than factual, semantic answers. (Feb. 9, 2021)
- Documents Obtained by EPIC Reveal DHS’s Slow Response to Election Cybersecurity Threats, Underscore Risks Posed by New Voting Technologies » (Aug. 19, 2020)
EPIC has obtained additional documents related to federal efforts to respond to election cybersecurity threats in its suit against the Department of Homeland Security. The documents include summaries of the DHS's contacts with election officials, state reports of election security incidents going back to 2016, meeting minutes from the DHS Election Task Force in 2017, and a September 2016 Election Infrastructure Cyber Risk Characterization Report. The incident logs reveal difficulties contacting campaign officials in the lead up to the 2016 Election and concern voiced within the agency about "unbalanced" outreach. And DHS contacts with state election officials were somewhat limited as some were wary that the critical infrastructure designation "would at a later time lead to regulation on states." In the September 2016 Election Infrastructure Cyber Risk Characterization Report, the DHS Office of Cyber and Infrastructure Analysis found that compromises in voter registration databases resulted in the potential release of personally identifiable information but not the modification of the underlying records. The DHS determined that exposure of this information could undermine public confidence in election systems. The DHS also counseled strongly against untested voting technologies, finding that the "introduction of new technologies in the voting system will increase vulnerabilities to the election system in the future," particularly the implementation of internet-connected voting systems. The case is EPIC v. DHS, 17-2047 (D.D.C.).
- EPIC to Congress: Strong Encryption Keeps Our Nation Secure » (Dec. 10, 2019)
In advance of a
hearing on "Encryption on Lawful Access," EPIC
wrote to the Senate Judiciary Committee "now is not the time to undermine the systems that we all rely upon to secure our data and communications." EPIC cited growing problems of data breach and cyber attack. Leading computer scientists and security experts, including members of the EPIC Advisory Board, have
found that proposals to add "backdoors" for law enforcement are "unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm." EPIC previously filed an
amicus brief in
Apple v. FBI in support of robust security safeguards for cellphone users. EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC President Marc Rotenberg warned of the risk of NSA-mandated backdoors in a 1990 article,
"The Only Locksmith in Town."
- Report: FBI Victim Notification Procedures ‘Unreliable’ and ‘Incomplete’ » (Apr. 1, 2019)
The FBI’s system for notifying victims of cyberattacks is “unreliable” and “incomplete,” according to a report by the Inspector General for the Department of Justice. The IG report found that “not all victims were informed of their rights as required by” DOJ guidelines, which are “outdated since they do not consider the needs of victims of cybercrime.” In 2017, EPIC obtained through EPIC v. FBI, a FOIA lawsuit, the FBI Victim Notification Procedures that should have applied to Russian cyberattacks during the 2016 Presidential election. The FBI Notification Procedures made clear that notification should occur “even when it may interfere with another investigation or (intelligence) operation.” The records obtained by EPIC led to an Associated Press investigation (“FBI gave heads-up to fraction of Russian hackers’ US targets”), which found that the FBI did not follow the Procedures and failed to notify U.S. officials that their email accounts were compromised. The EPIC Democracy and Cybersecurity Project has pursued multiple FOIA cases concerning Russian interference with the 2016 election, including EPIC v. DOJ (the Mueller Report), EPIC v. ODNI (Russian hacking), EPIC v. IRS I (release of Trump's tax returns), EPIC v. IRS II (release of Trump business tax records), and EPIC v. DHS (election cybersecurity).
- EPIC Files Brief on Government Hacking With Court of Human Rights » (Feb. 28, 2019)
EPIC has filed
a brief with the European Court of Human Rights detailing the public safety and privacy risks of government hacking.
Privacy International v. United Kingdom asks whether remote hacking by UK intelligence services violates the European Charter of Fundamental Rights. The Court recently
granted EPIC's request
to intervene in the case. "Hacking tools stockpiled by governments could be used by criminals to mount cyberattacks," EPIC's brief states. EPIC also explained that "Government hacking weakens security safeguards." EPIC has long advocated for strong cybersecurity policies.
- EPIC, Coalition Ask Australia to Amend "Assistance and Access" Law » (Feb. 25, 2019)
EPIC and a coalition of civil society organizations told the Australian Parliament that a
law allowing police to require weak security for tech products should be amended. The Parliament
reopened debate over the "Assistance and Access" law, broadly
denounced as a threat to security and freedom of expression. Following earlier
comments, the coalition has now called on the Australian Parliament to narrow the law. EPIC has long advocated for strong encryption, led the campaign against the
Clipper Chip, and published the first global survey on
Cryptography and Liberty. And when the FBI sued Apple
in 2016 for refusing to allow law enforcement access to iPhones, EPIC filed an
amicus brief in support of Apple arguing the FBI's demand "places at risk millions of cell phone users across the United States."
- EPIC Commends FAA Comment Opportunity on Aircraft Security, Urges More Public Reporting » (Jan. 8, 2019)
In
comments to the Federal Aviation Administration, EPIC praised the agency for inviting
public input on technology that exposes aircraft control networks to remote hacking. EPIC previously
warned the FAA that, "hackers can exploit weaknesses in drone software to gain control of a drone's movement and other features." EPIC has also called attention to the potential for
connected cars and
Internet of Things devices to be hacked. EPIC recommended that the FAA routinely report on the growing risks of cyber attack.
- EPIC, Coalition Call for Investigation into FBI's Inflated Encryption Statistic » (Jun. 5, 2018)
EPIC and a coalition of twenty organizations
called for the Department of Justice Inspector General to investigate the FBI's
"grossly inflated" statistic of encrypted devices inaccessible to law enforcement in 2017. The Washington Post
reported that the FBI repeatedly stated it was locked out of 7,800 devices, but subsequent review suggested the actual number is about 1,200. The coalition wrote to the IG asking him to investigate the error, why DOJ officials used the data point after it was discovered to be incorrect, and what measures were taken to inform Congress and the public of the FBI's miscalculation. EPIC President Marc Rotenberg previously
told POLITICO that the revelation was "a very serious matter" that "calls into question" the FBI's other statements about "the scope of electronic surveillance in the United States."
- EPIC to Senate: Weaknesses in Cybersecurity Threaten Both Consumers and Democratic Institutions » (Apr. 24, 2018)
EPIC submitted a
statement to the Senate Homeland Security Committee in advance of a
hearing on "Cyber Threats Facing America." Last year, the White House National Security Strategy
report set out the administration's
goals for global policy. EPIC supports several of the goals in the National Strategy report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the Senate Committee to seek assurances that those goals will remain priorities for this administration. Quoting former world chess champion Garry Kasparov, EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."
- FEC Proposes Regulation of Internet Political Ads » (Mar. 14, 2018)
Today the Federal Election Commission voted unanimously, at a
public meeting, to publish a
proposed rule concerning transparency requirements for online political ads. The FEC noted
EPIC's comments—arguing that internet companies should be held to the same standard as broadcast companies—in its proposal. The FEC will publish the proposal in the Federal Register, accept comments from the public, and then hold a public hearing on June 27, 2018. After Russian interference in the 2016 election, EPIC launched the
Democracy and Cybersecurity Project to preserve the integrity of elections and democratic institutions. In comments to the FEC in November 2017, EPIC explained the "need to protect democratic institutions from foreign adversaries has never been greater...To help ensure the integrity of U.S. elections, the Federal Election Commission should not exempt technology companies from notification requirements for Internet communications."
- Senators Ask Director of National Intelligence About Russian Meddling » (Mar. 6, 2018)
Today the Senate Armed Services Committee held a
hearing that addressed concerns about Russian interference in upcoming elections. In his opening statement, the Director of National Intelligence Daniel Coats stated that Russia views its influence on the 2016 election as successful and emphasized the threat that Russian cyberattacks pose to U.S. democracy. Coats testified that the U.S.'s response has not been sufficient to deter Russia from interfering in the 2018 midterm elections, agreeing with testimony of Admiral Michael Rogers, the Commander of U.S. Cyber Command, in a
hearing last week. Coats called the U.S.'s strategy to combat Russian interference a "whole government approach," but it concerned some Senators that there was no lead agency in charge of this effort, including Senator Mazie Hirono (D-HI) who said that it caused her to conclude that it is "not a top priority" for the President. EPIC launched a project on
Democracy and Cybersecurity in response to Russian interference in the 2016 presidential election.
- SEC Issues Guidance on Cybersecurity Disclosures » (Mar. 5, 2018)
The Securities and Exchange Commission has released
guidance for cybersecurity risks and incidents. The SEC stated that "in light of the increasing significance of cybersecurity incidents," it is "critical" for companies to routinely report cybersecurity threats. The Commission also emphasized that corporate officers must not trade on nonpublic information. Equifax
waited six weeks to notify the public of its data breach, and its executives were accused of insider trading after it was revealed that they
sold Equifax stock prior to informing the public of the breach. EPIC has
long advocated for mandatory breach notification. EPIC President Marc Rotenberg recently testified on data security and breach notification before the
House and
Senate, explaining that companies' failure to protect data threatens not only consumers but also national security.
- Senate Holds Hearing on National Security Strategy » (Jan. 24, 2018)
EPIC submitted a
statement to the Senate Armed Services Committee in advance of a
hearing on "Global Challenges and U.S. National Security Strategy." Last year, the White House released a National Security Strategy
report that laid out the administration's
goals. EPIC supports many of the goals stated in the report, including enhanced cybersecurity, support for democratic institutions, and protection of human rights. EPIC wrote to the committee to seek assurances that those goals will remain priorities for this administration. EPIC also said "perhaps it is a firewall and not a border wall that the United States needs to safeguard our national interests at this moment in time."
- National Security Strategy Acknowledges Importance of Democratic Institutions, Privacy » (Dec. 21, 2017)
The White House has released the 2017 National Security Strategy. The
report underscores the importance of democratic institutions and the rule of law. The report states the "government must do a better job of protecting data to safeguard information and the privacy of the American people," and calls out "actors such as Russia [who] are using information tools in an attempt to undermine the legitimacy of democracies." The report also cautions that cyber policy must be pursued "In accordance with the protection of civil liberties and privacy." EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including EPIC v. FBI (cyberattack victim notification),
EPIC v. ODNI (Russian hacking),
EPIC v. IRS (Release of Trump Tax Returns), and
EPIC v. DHS (election cybersecurity).
- D.C. Circuit Sets Schedule for EPIC Case to Obtain Trump Tax Returns » (Dec. 19, 2017)
The D.C. Circuit Court of Appeals has set a
schedule in EPIC’s
case to obtain President Trump’s tax returns. EPIC previously
argued that the IRS has the
authority to release the records to correct numerous
misstatements of fact concerning financial ties to Russia, such as President Trump’s
tweet "Russia has never tried to use leverage over me. I HAVE NOTHING TO DO WITH RUSSIA - NO DEALS, NO LOANS, NO NOTHING." The IRS recently
admitted to EPIC that it has used this authority at least
10 times in one year. The schedule for the appeal was announced the same week that Congress considers sweeping tax legislation, but Congress and the public remain in the dark about the consequences of the legislation on the President’s personal finances. According to CNN,
73% of Americans favor release of the President’s tax returns.
EPIC v. IRS is one of several FOIA cases concerning
Russian interference in the 2016 Presidential election, including
EPIC v. ODNI (scope of Russian interference),
EPIC v. FBI (response to Russian cyber attack), and
EPIC v. DHS (election cybersecurity). EPIC’s opening brief in EPIC v. IRS is due January 24, 2018.
- EPIC Urges House Judiciary to Examine FBI Response to Russian Cyber Attacks » (Dec. 12, 2017)
EPIC has sent a
statement to the House Judiciary Committee ahead of Wednesday's
DOJ Oversight hearing. EPIC urged the Committee to question Deputy Attorney General Rosenstein about the FBI's ability to respond to future cyberattacks concerning the 2018 elections. A recent Associated Press
investigation found that the FBI, the lead agency for cyber response, did not notify U.S. officials that their email accounts were compromised during the 2016 election. According to documents obtained by EPIC, the FBI is to notify victims of cyberattacks "even when it may interfere with another investigation or (intelligence) operation." EPIC obtained the FBI's Victim Notification Procedures through a Freedom of Information Act lawsuit,
EPIC v. FBI, filed earlier this year. EPIC is currently pursuing several related FOIA cases about Russian interference in the 2016 Presidential election, including
EPIC v. ODNI (Russian hacking),
EPIC v. IRS (Release of Trump Tax Returns), and
EPIC v. DHS (election cybersecurity).
- EPIC to House Committee: Privacy Safeguards Apply to Personal Data Sent to Government » (Nov. 15, 2017)
In advance of a
hearing on "Cyber Threat Information Sharing," EPIC has sent a
statement to the House Homeland Security Committee. EPIC urged the Committee to determine whether there are sufficient protections for personal data sent to government agencies. Private companies now have legal authority to transfer data to government agencies outside traditional privacy procedures following passage of the Cybersecurity Information Sharing Act. EPIC and a broad coalition
warned that the law will increase monitoring of Internet users and government secrecy. EPIC urged the Congressional committee to carefully examine the "scrubbing" techniques that are intended to remove personally identifiable information before data is transferred to federal agencies.
- White House Vulnerability Review Charter Provides Process for Disclosing Tech Flaws » (Nov. 15, 2017)
The White House has
released the
"Vulnerabilities Equities Policy and Process," describing how the U.S. Government will make decisions regarding disclosure of
"Zero-day vulnerabilities." At issue are vulnerabilities in software and consumer products that can be exploited by intelligence agencies and malicious hackers. If the VEP review board — comprised of agency representatives such as the DHS, ODNI, CIA, FBI, OMB, Commerce Department, and NSA — votes for disclosure, the tech company will be notified "when possible" within 7 business days. The charter requires the NSA, serving as the board's secretariat, to produce an annual public report on VEP decisions. In
extensive comments on surveillance reform, EPIC
supported the
recommendations of the
Obama Review Group, which included a
recommendation for an interagency process to review "Zero-day vulnerabilities." In a
letter to the Senate Committee on Homeland Security earlier this year, EPIC stated that "data protection and privacy should remain a central focus of the cyber security policy of the United States."
- Senators Urge FEC to Promote Transparency in Online Ads » (Nov. 13, 2017)
A group of 15 Senators led by Mark Warner (D-VA), Amy Klobuchar (D-MN), and Claire McCaskill (D-MO) have
urged the Federal Election Commission to improve transparency for online political ads. The Senators stated that, "the FEC can and should take immediate and decisive action to ensure parity between ads seen on the internet and those on television and radio." The Senators emphasized how "Russian operatives used advertisements on social media platforms to sow division and discord" during the 2016 election. EPIC provided
comments to the FEC calling for
"algorithmic transparency" and the disclosure of who paid for online ads. Senators Klobuchar, Warner, and McCain (R-AZ) have also introduced a
bipartisan bill that would require the same disclosures for online political advertisements as for those on television and radio. EPIC's
Project on Democracy and Cybersecurity, established after the 2016 presidential election, seeks to promote election integrity and safeguard democratic institutions from various forms of cyber attack.
- EPIC Sues Department of Homeland Security for Release of Russian Interference Records » (Oct. 4, 2017)
EPIC has filed a Freedom of Information Act
lawsuit against the Department of Homeland Security to obtain records related to Russian interference in the 2016 U.S. Presidential Election. Earlier this year, the DHS
designated state election systems as critical infrastructure and published a
Joint Analysis Report acknowledging Russian interference with U.S. election systems. However, DHS has not provided any significant new information to the American public about the extent of the Russian interference. EPIC now
seeks disclosure of the agency's "research, integration, analysis" related to the scope of Russian interference. EPIC's FOIA lawsuit follows
H.Res. 235, a bill sponsored by Rep. Thompson (D-MS) that would have directed the DHS to provide this information to Congress, but was
blocked by the House Homeland Security Committee. EPIC has filed several FOIA lawsuits to determine the scope of Russian interference. The cases include:
EPIC v. FBI (Russian Hacking),
EPIC v. ODNI (Russian Hacking), and
EPIC v. IRS (Donald Trump's Tax Records).
- EPIC Obtains Documents about DARPA's "Brandeis" Program » (Oct. 2, 2017)
EPIC has received documents about the Defense Advanced Research Projects Agency's (DARPA) Brandeis Program, following a 2015 FOIA request. According to the agency, the program is intended to "research and develop tools for online privacy." EPIC obtained over 1,100 pages of documents about the Program. The documents include email communications (parts 1, 2, 3), budget appropriation justifications for fiscal years 2015 (parts 1, 2) and 2016 (parts 1, 2), as well as the names of contract awardees. According to the documents obtained by EPIC, the program provided $75 million over 4.5 years. Contract recipients include UC Berkeley, UC Irvine, MIT, Carnegie Mellon University, Raytheon, SRI International, Stealth Software Technologies, and Galois.
- EPIC Awarded Nearly $100,000 in Internet Surveillance Case » (Jun. 5, 2017)
A federal judge in Washington, DC has issued a
final order granting EPIC substantial attorney's fees in a long-running
case against the Department of Homeland Security. EPIC
sued the DHS in 2012 for
information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but an
executive order dramatically expanded the program, raising concerns about
violations of federal wiretap law. EPIC's lawsuit produced the release of several thousand pages on the program. EPIC sought attorney's fees for the successful litigation, which the DHS opposed. In November, Judge Gladys Kessler
ruled that EPIC was entitled to attorney's fees because it "substantially prevailed in [the] litigation" and added "to the fund of information that citizens may use in making vital political choices." On Monday, Judge Kessler confirmed that decision and awarded EPIC nearly $100,000 in fees—the largest such award in EPIC's history.
- Executive Order on Cybersecurity Finally Released » (May. 12, 2017)
A long-delayed Executive Order on
cybersecurity was released this week. The
Order continues many of the cybersecurity policies of the Obama and Bush administrations. The Executive Order requires agency heads to use the
NIST Framework to manage cybersecurity risk, and to provide a risk management report. The Order also requires Cabinet officials to devise a strategy for international cooperation in cybersecurity. However, the Order does not address Russia's cyber interference with the 2016 Presidential Election. EPIC, and a group of forty leading experts in law and technology, had
urged the White House to strengthen privacy and data protection, and support strong encryption. The
EPIC Cybersecurity and Democracy Project focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- On Cyber Policy, EPIC Urges Senate to Protect Consumers, Democratic Institutions » (May. 8, 2017)
In advance of a
hearing on "Cyber Threats Facing America: An Overview of the Cybersecurity Threat Landscape," EPIC has sent a
statement to a Senate Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the
EPIC Cybersecurity and Democracy Project that will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- EPIC To Senate Judiciary - "Public Has Right to Know About Russia Ties" » (May. 5, 2017)
EPIC has sent a
statement to the Senate Judiciary Committee for a
hearing on "Russian Interference in the 2016 United States Election." EPIC described its Freedom of Information Act cases against the
FBI and the
ODNI to obtain records about activities aimed at undermining democratic institutions. EPIC is also pursuing the release of any
FISA orders for Trump Tower, as well as
Donald Trump's tax returns. EPIC wrote the "need to understand Russian efforts to influence democratic elections cannot be overstated."
- Intelligence Agency Provides Non-Responsive Response in EPIC Lawsuit for Russia Report » (May. 3, 2017)
The Director of National Intelligence has failed to provide a sufficient response in EPIC v. ODNI, concerning release of the report on the Russian interference in the 2016 Presidential election. The intelligence agency was required to release all “non-exempt portions” of the report to EPIC on May 3, 2017. However, the agency withheld the entire document, refusing to provide even partial information that should have been released to EPIC under the Freedom of Information Act. As EPIC made clear in the
complaint, “There is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks on democratic institutions.” EPIC will challenge the agency’s response as the litigation continues in federal district court in Washington, DC. EPIC v. ODNI is a part of the EPIC
Cybersecurity and Democracy Project, which focuses on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- Pew Survey Finds Varying Cybersecurity Knowledge Among the Public » (Mar. 22, 2017)
The Pew Research Center has released a report on
"What the Public Knows About Cybersecurity." According to the Pew survey, 75% of respondents could identify the strongest password out of four options. About half of the people who took the survey could identify a phishing attack; a similar number knew what ransomware is. Only 16% answered that "a group of computers that is networked together and used by hackers to steal information" is called a "botnet." EPIC maintains an
Online Guide to Practical Privacy Tools and resources on
Public Opinion and Privacy.
- EPIC Urges House Committee to Protect Consumers, Democratic Institutions with Strong Cyber Security Measures » (Feb. 28, 2017)
In advance of a
hearing on "Cyber Warfare in the 21st Century: Threats, Challenges, and Opportunities," EPIC has sent a
letter to the House Armed Services Committee urging Congress to protect democratic institutions, following the Russian interference with the 2016 presidential election. EPIC explained that "data protection and privacy should remain a central focus" of cyber security policy. EPIC also recommended that Congress strengthen the federal Privacy Act and establish a U.S. data protection agency. EPIC recently launched the
EPIC Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- FBI Responds to EPIC FOIA Suit for Details of Russian Interference with 2016 Election » (Feb. 23, 2017)
The FBI has filed an
answer to EPIC's Freedom of Information Act lawsuit for records pertaining to the Russian interference with the 2016 Presidential election. In the answer, the FBI acknowledged receipt of EPIC's FOIA request. EPIC filed
suit against the FBI in federal district court after the agency failed to make a timely decision concerning EPIC's request for expedited processing of the FOIA request. The parties will next confer to set a schedule for production of documents and briefing, if necessary. EPIC has also filed
suit against the ODNI for public release of the Complete
ODNI Assessment of the Russian interference in the 2016 election. EPIC recently launched the EPIC
Cybersecurity and Democracy Project, which will focus on US cyber policies, threats to election systems and foreign attempts to influence American policymaking.
- EPIC Seeks Public Release of Secret Directive on Cybersecurity » (Jan. 28, 2017)
EPIC has filed an urgent FOIA request with the
DHS, the
Department of Justice, and the
NSA, seeking the expedited release of NSPD-1. The National Security Presidential Directive sets out procedures for cybersecurity "policy coordination, guidance, dispute resolution, and periodic in-progress review." EPIC has
previously litigated, and successfully obtained,
NSPD-54, a Presidential Directive concerning the NSA's authority to conduct surveillance within the United States.
- EPIC Sues for Release of Complete Report on Russian Interference with 2016 Election » (Jan. 26, 2017)
EPIC has filed a
Freedom of Information Act lawsuit against the Office of the Director of National Intelligence in federal district court in Washington, DC. The case is designated EPIC v. ODNI, No. 17-163 (D.D.C. filed Jan. 25, 2017). As EPIC makes clear in the complaint, "there is an urgent need to make available to the public the Complete ODNI Assessment to fully assess the Russian interference with the 2016 Presidential election and to prevent future attacks in democratic institutions." More details in the
press release. Last week EPIC
sued the FBI to uncover details of the Bureau's response to Russian interference.
- NEWS UPDATE - EPIC Sues FBI for Details of Russian Interference with 2016 Election » (Jan. 18, 2017)
EPIC today filed a
Freedom of Information Act lawsuit against the Federal Bureau of Investigation in federal district court in Washington, DC. The case is designated EPIC v. FBI, No. 17-127 (D.D.C. filed Jan. 18, 2017). The complaint states “EPIC challenges the FBI’s failure to make a timely decision concerning EPIC’s request for expedited processing of the FOIA request for records about the Russian interference with the 2016 Presidential Election.” A press conference will be held at the Fund for Constitutional Government on Capitol Hill on Thursday, January 19, 2017 at 1 pm.
Media Advisory
- Senate Intelligence Committee Presses FBI to Reveal Russia Investigation » (Jan. 16, 2017)
Senator Richard Burr (R-NC) and Senator Mark Warner (D-VA), the Chairman and Ranking Member of the
Senate Intelligence Committee, have
announced a bipartisan inquiry into the Russian interference with the 2016 Presidential Election. Democratic members of the House Judiciary Committee have also pressed the FBI to confirm its investigation of President-elect Trump's ties to Russia. In a
letter to FBI Director James Comey, Committee Members requested "all documentation relevant to this investigation" be provided to the Committee "as soon as possible." EPIC has filed two urgent Freedom of Information Act requests concerning Russian interference: one for records about the FBI's lax response to the foreign cyber threat, the other for the report
"Russian Activities and Intentions in Recent US Elections". This week EPIC also
urged the Senate Armed Services Committee to pursue an investigation.
- EPIC, Technology Experts Urge Senate Committee to Monitor President’s Homeland Security Advisor » (Jan. 10, 2017)
In a
letter to the Senate Committee on Homeland Security, EPIC and leading experts urged Congress to keep a close eye on the White House Homeland Security Advisor. EPIC explained that the position, equal in power to the National Security Advisor, carries "significant implications for the safety and security of the American people." EPIC said that the Homeland Security Advisor should ensure "the Russian government poses no further threats to the United States electoral system or to other democratic governments." EPIC also said that "data protection and privacy should remain a central focus" of U.S. cyber security policy. The EPIC letter was signed by distinguished experts in cyber security, information technology, encryption, and human rights law.
- EPIC Seeks Expedited Release of Report on Russian Interference in 2016 Election » (Jan. 10, 2017)
EPIC has submitted an urgent Freedom of Information Act
request to the Office of the Director of National Intelligence (ODNI) seeking the complete report on the Russian interference in the 2016 Presidential Election. On January 6, the ODNI
released a public summary on the Russian interference, but withheld important information. EPIC is seeking expedited release of the complete, unredacted report. EPIC is also seeking
records from the FBI about the agency's lax response to the foreign cyber threat. EPIC submitted a
statement to the Senate Armed Services Committee
hearing on Russian interference. Congress will hold a
second hearing today, and a
bill initiating new sanctions against Russia is expected this week. EPIC will continue to press the ODNI for prompt release of the report.
- Senate Armed Services Committee to Examine Foreign Cyber Threats » (Jan. 4, 2017)
The Senate Armed Services Committee will hold a
hearing on "Foreign Cyber Threats to the United States" on January 5, 2016. EPIC submitted a
statement to the Committee to alert Senators about a pending Freedom of Information Act request. The EPIC FOIA
request concerns the lax response of the FBI to the Russian interference with the 2016 Presidential election. EPIC wrote “we believe that the information that we are seeking from the FBI will also be helpful to the Senate Armed Services Committee as you investigate foreign cyber threats to the United States.” Director of National Intelligence James Clapper, National Security Agency and Cyber Command Chief Adm. Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are scheduled to testify.
- Obama Orders Review of Hacking During 2016 Election » (Dec. 9, 2016)
President Obama's top homeland security advisor Lisa Monaco
announced today that the Administration has asked the intelligence community to conduct a "full review" of
cyber activity during the 2016 election. In 2016, EPIC urged candidates for office to focus on
data protection, calling it "the most important, least well understood issue" of the 2016 election. EPIC also published a report on the importance of the
secret ballot for democratic decision making. EPIC's Freedom of Information Act litigation uncovered
flaws in online voting reported by the Department of Defense just prior to the 2012 election.
- EPIC Prevails in Internet Surveillance Case » (Nov. 21, 2016)
A federal judge in Washington, DC has granted EPIC attorney's fees in a long-running
case against the Department of Homeland Security. In 2012 EPIC
sued the DHS for
information about a secret program to monitor Internet traffic. The "Cyber Pilot" program applied originally to defense contractors, but a 2012
Executive Order dramatically expanded the program, raising concerns about
violations of federal wiretap law. EPIC's lawsuit produced the release of several thousand pages on the program. In today's extensive
opinion, Judge Gladys Kessler concluded that EPIC "substantially prevailed in this litigation" and that EPIC had added "to the fund of information that citizens may use in making vital political choices." The Court awarded EPIC substantial attorneys fees for its work in the case.
- EPIC Defends Drivers’ Right to Sue for Safety, Privacy Risks As Congress Warns of Risks to Public » (Aug. 5, 2016)
EPIC has filed an
amicus brief in a
case concerning
the privacy and public safety risks of “connected” cars. EPIC warned that connected cars "expose American drivers to the risks of data breach, auto theft, and physical injury." EPIC said a lower court was wrong to
dismiss the case. EPIC urged a federal appeals court to allow consumers "the opportunity to present legal claims stemming from the defendants’ sale of vehicles that place them at risk." This week researchers at Black Hat
revealed new vulnerabilities in networked vehicles as Senators Blumenthal and Markey
urged the FCC to establish “robust safety, cybersecurity, and privacy protections before automakers deploy vehicle-2-vehicle . . . communication technologies.” EPIC has filed
several amicus briefs defending consumers' rights to enforce their privacy rights.
- EPIC Presses House Leaders on "Data Protection" » (Jun. 10, 2016)
At a
symposium organized by the
Council on Foreign Relations, EPIC President Marc Rotenberg
asked Republican leaders in the U.S. Congress whether "data protection" should be a campaign issue in 2016.
Rep. Goodlatte, who chairs the House Judiciary Committee, responded "I very much believe it should be and is an issue in this election." He pointed to his own work to update the
Electronic Communication Privacy Act (ECPA), "because that is an enhancement of the protection of people's privacy that I think they want and expect."
Rep. McCaul, who chairs the House Homeland Security Committee, noted "in the
cybersecurity bill we passed we met very closely with the privacy advocates. That was very important to me that we protect personally identifying information as we try to share these malicious codes." EPIC has launched a non-partisan campaign to make
Data Protection a campaign issue in 2016.
- New Congressional Report Explores Legal Issues Regarding Compelled Decryption » (Mar. 8, 2016)
"Encryption: Selected Legal Issues," a new
report from the Congressional Research Service, explores two important legal questions that arise from government requests for compelled decryption: the Fifth Amendment right against self-incrimination and the scope of the All Writs Act, the federal statute at issue in
Apple v. FBI. EPIC filed a
"friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's challenge in the FBI iPhone case, pointing to the increased risk of cell phone theft and financial fraud that would result from compelled encryption.
- EPIC Files Brief in Support of Apple and Consumers in FBI iPhone Case » (Mar. 3, 2016)
Today EPIC filed a
"friend of the court" brief, joined by eight other consumer privacy organizations, in support of Apple's
challenge in the FBI iPhone case. In
Apple v. FBI, EPIC argued that the "security features in dispute in this case were adopted to protect consumers from crime." EPIC explained that an order to compel Apple to take extraordinary measures to undo these features places at risk millions of cell phone users across the United States. EPIC routinely files
amicus briefs in cases that raise novel privacy and civil liberties issues. EPIC has filed two briefs in the United States Supreme Court in the past year in cases concerning
consumer privacy and also
the Fourth Amendment.
- Bill to Establish Digital Security Commission Introduced in House » (Mar. 2, 2016)
Rep. Lieu (D-CA) has cosponsored bipartisan
legislation to create a Digital Security Commission that will explore how law enforcement should pursue investigations without undermining constitutional privacy protections or American competitiveness. Rep. Lieu emphasized, "strong national security and a strong economy requires strong encryption." The legislation comes as Apple
opposes a
court order to compromise iPhone security to allow government access. Congressman Lieu called upon "the FBI and DOJ
to withdraw their coercive demands of Apple and allow the democratic process to work." In 2015, EPIC gave the
Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- Apple Opposes FBI Decryption Order » (Feb. 25, 2016)
Today Apple filed a
"motion to vacate" a
court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. In its brief, Apple asserts that
this case is about "the ability to force companies like Apple to undermine the basic security and privacy interests of hundreds of millions of individuals around the globe." Apple argued that the FBI's requested court order violates the First and Fifth Amendments. Consumer Reports
found that more than 3.1 million cellphones were stolen in 2013, and noted that "efforts by the telecom industry to reduce thefts don't seem to be helping matters." In 2015, EPIC gave the
Champion of Freedom Award to Apple CEO, Tim Cook, for his work protecting privacy and promoting encryption.
- Writers Side with Apple in Encryption Fight with FBI » (Feb. 24, 2016)
In a
letter to the Attorney General, leading writers and artists protested the FBI's
"efforts to force Apple to create software that could effectively enable the U.S. government to unlock any iPhone." The letter from the
PEN America Center highlights how "intrusions on privacy damage creative expression and free speech." EPIC has long supported
strong encryption as key to the future of privacy and security. EPIC recently gave the
2015 Champion of Freedom Award to Apple CEO Tim Cook for his work in promoting encryption and protecting privacy and security. The
2016 EPIC Awards dinner will be held on June 6th in Washington, DC.
- President Announces $19 billion Cybersecurity Plan » (Feb. 23, 2016)
President Obama has proposed a $19 billion
Cybersecurity National Action Plan that aims to
modernize government IT and improve Americans' cybersecurity. The government will reduce reliance on social security numbers and promote increased use of multi-factor authentication. The plan will also establish a Commission on Enhancing National Cybersecurity. A
Federal Privacy Council will coordinate federal privacy guidelines but lacks authority to enforce Privacy Act obligations. EPIC has
repeatedly urged federal agencies to uphold
Privacy Act protections.
- Apple Opposes FBI Decryption Order » (Feb. 17, 2016)
Apple has opposed a
court order that would require the company to make changes to the iPhone to enable law enforcement access to personal information. The order followed an FBI
application under the All Writs Act, a law from 1789. Apple CEO Tim Cook
wrote in response that the government's action "would undermine the very freedoms and liberty our government is meant to protect." In 2015, EPIC gave the
Champion of Freedom Award to Mr. Cook for his work protecting privacy and promoting encryption. The
EPIC 2016 Awards dinner will be held June 6 in Washington, DC.
- House Adds Cyber Surveillance to Budget Bill » (Dec. 16, 2015)
Today, the House added the
Cybersecurity Act of 2015 to an expansive
appropriations bill. The Cybersecurity Act was negotiated behind closed doors and represents a new version of the
Cybersecurity Information Sharing Act (CISA). Previous versions of CISA have been
opposed by a broad coalition of organizations. The current bill, like
previous ones, would allow the government to obtain personal information from private companies without judicial oversight. The Act would also
expand government secrecy. EPIC previously won a five-year court battle to obtain
NSPD 54, a foundational legal document for U.S. cybersecurity policies that revealed the government's interest in enlisting the private sector to monitor user activity.
- Senator Leahy Opposes FOIA Exemptions in Cyber Security Bill » (Oct. 27, 2015)
Senator Patrick Leahy (D-VT)
urged fellow Senators to remove a proposed open government exemption in a pending
cybersecurity bill. The Cybersecurity Information Sharing Act (CISA), said Sen. Leahy, "contains an overly broad new FOIA exemption that is both unnecessary and harmful." Sen. Leahy called the FOIA "our nation's premier transparency law," and said that any modifications must go through the Senate Judiciary Committee. "The Senate must have an open and honest debate about the Senate Intelligence Committee's bill and its implications for Americans' privacy and government transparency," remarked the Senator. Last year, EPIC won a five-year court battle against the NSA for
NSPD 54, the foundational legal document for U.S.
cybersecurity policies. EPIC has also set out
recommendations for
FOIA reform.
- Obama Drops Plan to Regulate Crypto » (Oct. 11, 2015)
According to the New York Times, President Obama has concluded that "it is not possible to give American law enforcement and intelligence agencies access to that information without also creating an opening that China, Russia, cybercriminals and terrorists could exploit." Earlier this year Apple CEO Tim Cook said at the
EPIC Champions of Freedom dinner, "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it." EPIC
launched the public campaign for the freedom to use encryption in 1994 and several of the world's leading cryptographers are members of the
EPIC Advisory Board. Tim Cook received the 2015 EPIC Champion of Freedom Award. Past recipients include Max Schrems and Edward Snowden.
- California Rejects Warrantless Surveillance, Enacts "CalECPA" » (Oct. 9, 2015)
California Governor Jerry Brown has signed the
California Electronic Communications Privacy Act (CalECPA). CalECPA requires law enforcement to obtain a warrant before accessing digital data including metadata, location data, emails, and text messages. The warrant requirement applies to searches of electronic devices themselves and to content stored by an online service provider. In response to requests from the US Congress, EPIC has made
several recommendations regarding updates to the
federal ECPA. EPIC has also
obtained documents from the FBI concerning Stingray surveillance technology, which is now prohibited under the California bill.
- OECD Finalizes Risk Management Guidelines » (Oct. 9, 2015)
The OECD has published the new
Recommendation on Digital Security Risk Management, a revision of the
2002 OECD Security Guidelines.
Science, Technology and Innovation Director Andrew Wyckoff said that
"a totally secure digital environment is impossible". EPIC supports the Recommendations which emphasize digital security risk management "in a transparent manner and consistently with human rights and fundamental values." EPIC has long been
engaged with the work of OECD and supports
civil society participation at the
2016 OECD Ministerial Meeting on the Digital Economy.
- Federal Appeals Court Recognizes "Substantial Risk of Future Harm" » (Jul. 29, 2015)
In a landmark opinion, the Seventh Circuit Court of Appeals has
ruled that a class action lawsuit against Neiman Marcus may continue because of the ongoing risk to customers whose personal information was compromised in a data breach. The case stems from a
breach of the Neiman Marcus customer database that led to the release of 350,000 credit cards and exposed more than 9,200 customers to fraud. A
lower court ruled that since the identified fraud victims had been reimbursed, Neiman Marcus was off the hook for future claims. However, the Seventh Circuit ruled that the plaintiffs, customers who were not yet aware of fraud, faced a "substantial risk of future harm," and that risk was enough to allow the class action to continue. According to the Federal Trade Commission,
identity theft remains the top concern of American consumers.
- Congress to Hold Hearing on Encryption and Privacy » (Jul. 8, 2015)
Today the Senate is holding a hearing on
"Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy." FBI Director Comey, testifying today, has
advocated for broken encryption to enable law enforcement access to private communications. Despite
claims of "going dark" because of new encryption technologies, law enforcement encountered encryption in only 25
wiretap cases in 2014. Of those cases, non-encrypted text was obtained in all but four cases. EPIC has
advocated for strong encryption and
urged President Obama to reject proposals to weaken encryption. EPIC published the first
comprehensive survey of encryption use around the world. And earlier this year, EPIC gave a
Champion of Freedom Award to Apple CEO Tim Cook, who warned that "Criminals are using every technology tool at their disposal to hack into people's accounts. If they know there's a key hidden somewhere, they won't stop until they find it."
- Leading Security Experts Oppose Government Encryption Plan » (Jul. 7, 2015)
Several members of the EPIC Advisory Board, leading experts in security technology, have
warned that a
government plan to weaken encryption threatens the nation's critical infrastructure and puts at risk confidential personal information. Recalling a
similar report from 1997, the researchers concluded that "the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago." Recent reports from the US courts,
available from EPIC, show that encryption has not been an obstacle to law enforcement investigations. A
1994 Internet petition led to the
demise of "Clipper," the original government plan for escrowed encryption.
- Massive Government Data Breach Even Worse than Reported » (Jun. 25, 2015)
A Congressional
hearing on the Office of Personnel Management data breach has now revealed one of the worst data breaches in US history. The agency initially
reported that the personal information of 4 million government employees was obtained, but
news reports suggest the breach was much larger--exposing the social security numbers of more than 18 million people. EPIC has
urged the White House and
Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. EPIC has also testified in
Congress and the
Senate in support of stronger security measures to protect personal data.
- Senate Rejects User Surveillance Proposal » (Jun. 17, 2015)
The Senate has
rejected an
amendment to the
National Defense Authorization Act for 2016 that would transfer user data from private companies to government agencies without judicial oversight. Senator Patrick Leahy (D-VT)
urged Senators to oppose the amendment, stating "we need a cyber-security bill, not a cyber-surveillance bill." Last year, EPIC won a five-year court battle against the NSA for
NSPD 54, the foundational legal document for U.S.
cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States.
- Massive Breach Impacts Millions of Government Employees » (Jun. 10, 2015)
The Office of Personnel Management
has announced a massive data breach in the federal government's employee database. According to the agency, the breach exposed the sensitive personal information - including home addresses, SSNs, and financial information - of 4 million government employees. Although
432 million online accounts were hacked in 2014, Congress has failed to update US privacy laws or pass cybersecurity legislation. EPIC has
urged the White House and
Congress to promote Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information.
- EPIC, Coalition to President: No Encryption Backdoors » (May 20, 2015)
EPIC and a coalition of civil society organizations and security experts
urged President Obama to reject proposals to weaken encryption used in U.S. products. Administration officials, including FBI Director Comey, have
advocated for broken encryption to enable law enforcement access to private communications. The letter details how weakened encryption undermines cybersecurity and economic security. EPIC previously led the effort to oppose the
"Clipper Chip," the NSA's proposal for key escrow encryption that would have severely crippled the privacy and security of online communication. EPIC also recently expressed support for encryption and anonymity in a
letter to a UN Rapporteur.
- Senate Committee Approves Cyber Surveillance Bill » (Mar. 14, 2015)
In a closed-door meeting, the Senate Select Committee on Intelligence approved the
"Cyber Information Sharing Act of 2015". The bill would allow the government to obtain user information from private companies without judicial oversight. Companies would receive immunity for their disregard of existing privacy law. Senator Wyden, who opposed the measure,
stated, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name." Last year, EPIC won a five-year court battle against the NSA for
NSPD 54—the foundational legal document for U.S.
cybersecurity policies. The Directive reveals the government's long-standing interest in enlisting private sector companies to monitor user activity.
- Executive Order Calls for More Cybersecurity Info "Sharing" » (Feb. 13, 2015)
President Obama announced today an
Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages the companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several
cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained
National Security Presidential Directive 54 which revealed the NSA's role in domestic cyber security.
- President Obama Announces New Cybersecurity Initiatives » (Jan. 13, 2015)
Today the President
announced several
cybersecurity initiatives, including a proposal to facilitate private sector threat information disclosures. The White House proposal requires the removal of personal information prior to data transfers but privacy concerns remain. The President
threatened to veto a previous
bill that lacked privacy and civil liberties safeguards. A
2013 expert report set out 46 proposals for strengthening cyber security that the White House said it would adopt. EPIC supported these recommendations and has also
recommended civilian leadership on cybersecurity.
- Senate Cybersecurity Information Sharing Bill Proposed » (Jun. 20, 2014)
Senators Dianne Feinstein and Saxby Chambliss have proposed the
Cybersecurity Information Sharing Act of 2014. The Senate bill is similar to the House
Cyber Intelligence Sharing and Protection Act (CISPA), which was opposed by civil liberties organizations and would have been
vetoed by the White House if enacted. Like CISPA, the Senate bill allows companies to monitor private communications on their networks and to disclose user activity to the government. The bill would also exempt companies from liability for monitoring communications or disclosing user information. However, the Senate bill makes some attempt to limit the collection of personally identifiable information. EPIC recently won a five-year court battle with the NSA and obtained
National Security Presidential Directive 54. The directive was issued by President Bush in 2008 and is the foundational legal document for U.S. cybersecurity policies. The Presidential Directive reveals the government’s long-standing interest in enlisting private sector companies to monitor user activity. For more information, see
EPIC: Cybersecurity.
- EPIC v. NSA: EPIC Obtains Presidential Directive for Cybersecurity » (Jun. 6, 2014)
After almost five years, EPIC has obtained
National Security Presidential Directive 54. The previously classified Presidential Directive contains the full text of the Comprehensive National Cybersecurity Initiative and "establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace." This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability. EPIC first sought public release of NSPD-54 with
a Freedom of Information Act request, submitted to NSA in June 2009. After the agency failed to disclose the document, EPIC filed suit. When a federal district court ruled in 2013 that the Presidential Directive was not subject to the Freedom of Information Act, EPIC then filed an appeal with the DC Circuit Court of Appeals. The document has now been disclosed to EPIC. The case is
EPIC v. NSA, a Freedom of Information Act lawsuit in D.C. Circuit Court. EPIC has several related FOIA cases with the NSA pending in federal court. For more information see
EPIC - EPIC v. NSA (Cybersecurity Authority).
- New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air » (May 12, 2014)
New
e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on
sharing "cyber threat information with the private sector." EPIC previously
sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA
refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously
urged Google to routinely encrypt cloud-based services. PBS Frontline begins a
two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see
EPIC v. NSA: Google/NSA Relationship and
EPIC: Cybersecurity.
- DHS Releases Cybersecurity Report, NSA Role Remains Murky » (Apr. 25, 2014)
The Department of Homeland Security has published the first
Privacy and Civil Liberties Assessment Report. The report examined several federal agencies, including the Department of Defense and the Office of the Director of National Intelligence, regarding cybersecurity activities.
Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," requires the reports as well as the creation of a cybersecurity framework. Last year, EPIC
recommended civilian control of domestic cybersecurity and clarification of the NSA's involvement. The Privacy and Civil Liberties Assessment Report and the cybersecurity framework both fail to clarify the NSA's role in cybersecurity. For more information, see
EPIC: Cybersecurity Privacy Practical Implications.
- EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive » (Apr. 1, 2014)
EPIC has filed its
opening brief in
EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a
Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document but a court
ruled sua sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see
EPIC: Presidential Directives and Cybersecurity and
EPIC v. NSA: NSPD-54 Appeal.
- EPIC Accepts NSA's Settlement Offer, Receives Attorneys Fees » (Feb. 11, 2014)
EPIC has accepted the NSA's
offer to settle a Freedom of Information Act case
EPIC v. NSA. EPIC sought both National Security Presidential Directive 54, a
Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States, as well as documents related to NSPD 54. EPIC received some of the
documents as a result of the lawsuit, "substantially prevailing" under the FOIA, and prompting the NSA to make a settlement offer to EPIC. As a consequence, EPIC will receive attorneys fees from the NSA. EPIC is simultaneously appealing the
lower court's determination that NSPD-54 is not an "agency record" subject to the FOIA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. For the appeal, EPIC has already filed a
Statement of the Issue, and the parties are waiting for the D.C. Circuit Court of Appeals to set a briefing schedule. For more information, see
EPIC v. NSA - Cybersecurity Authority.
- EPIC Files Appeal, Challenging Secrecy of Presidential Directives » (Jan. 22, 2014)
EPIC has filed
a Statement of the Issue Presented with the D.C. Circuit Court of Appeals. EPIC is appealing
a lower court decision that NSPD 54 -- a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States -- is not subject to disclosure under the Freedom of Information Act. EPIC sought the Presidential Directive, signed by President Bush in January 2008, from the National Security Agency after the White House
disclosed the existence of the Directive but not the substance. After the agency failed to respond to
EPIC's FOIA request, EPIC filed an administrative appeal, and then a lawsuit. The lower court ruled in
EPIC v. NSA that the Presidential Directive is not subject to the FOIA because it was not under "the control" of the NSA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. EPIC is now
asking the Court of Appeals to determine, "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA." For more information, see
EPIC v. NSA: Cybersecurity Authority.
- Federal Appeals Court Rules that Legal Policy Memos Can Be Withheld From the Public » (Jan. 3, 2014)
The Court of Appeals for the D.C. Circuit has
ruled that the FBI may withhold a memo prepared by the Office of Legal Counsel concerning the law governing "exigent letter" requests to telephone companies for call records. The decision affirmed an earlier
opinion that the memo was privileged advice, and exempt from disclosure under the Freedom of Information Act. The Electronic Frontier Foundation argued that the memo was "working law" and not simply advice from government lawyers. However, the Court of Appeals found that the FBI had not itself adopted the advice of government lawyers. In a different case where the Department of State followed the guidance of Justice Department lawyers, EPIC filed a
"friend" of the court brief in support of the New York Times and the ACLU and argued for the release of opinions of the Office of Legal Counsel. For more information, see
EPIC v. NSA: Cybersecurity Authority and
EPIC: New York Times v. DOJ.
- EPIC Appeals Secrecy of Presidential Cybersecurity Directive » (Dec. 17, 2013)
EPIC has filed a
notice of appeal with the D.C. Circuit Court of Appeals in EPIC v. NSA. In that case,
EPIC sought NSPD 54, a presidential policy directive outlining the scope of the NSA's authority over computer networks in the United States. A federal district court
ruled that the directive is not subject to the Freedom of Information Act because it was not under "the control" of the federal agencies and officials who received it. It is the only time a federal court has ruled that presidential directives in the possession of federal agencies are not subject to the FOIA. EPIC is appealing the decision. For more information, see
EPIC v. NSA: Cybersecurity Authority.
- EPIC Urges Clarification of NSA's Role in Cybersecurity » (Dec. 13, 2013)
EPIC has submitted
comments on the National Institute of Standards and Technology's
cybersecurity policy proposal. Pursuant to an
Executive Order, the federal agency is charged with defining a "cybersecurity framework" for the federal government. EPIC reiterated
previous comments that emphasized civilian control, adherence to the Fair Information Practices, and compliance with the Privacy Act and Freedom of Information Act. In light of
revelations that the National Security Agency has weakened key security standards, EPIC urged NIST to clarify the NSA's involvement in the development of the federal policy. For more information, see
EPIC: Cybersecurity Practical Implications and
EPIC: EPIC v. NSA (Cybersecurity Authority).
- NIST Releases Cybersecurity Framework, Silent on NSA's Role » (Nov. 1, 2013)
The
National Institute for Standards and Technologies has
released the
Preliminary Cybersecurity Framework. Earlier this year, President Obama directed NIST to develop a Framework for Cybersecurity. In
Executive Order 13636, the President said the NIST Framework should protect individual privacy and civil liberties. EPIC submitted
comments to the NIST supporting the protections for civil liberties, recommending separate treatment for computer crimes and "cyberterrorism" and official acknowledgement of the
1992 OECD Security Guidelines. In September 2013, the
Guardian, the
New York Times, and
ProPublica reported that the National Security Agency directed NIST to reduce a key security standard. NIST has not commented on any involvement that NSA had in the development of the Framework. For more information see
EPIC: Cybersecurity Privacy Practical Implications.
- Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority » (Jun. 8, 2013)
Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information
request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a
summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a
post to the Guardian by Glenn Greenwald. For more information, see
EPIC: Presidential Directives and Cybersecurity,
EPIC: EPIC v. NSA - Cybersecurity Authority and
EPIC: Cybersecurity Privacy Practical Implications.
- DHS Releases Revised Privacy Impact Assessment on Internet Monitoring Program » (Apr. 24, 2013)
The Department of Homeland Security has released a
Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is
National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see
EPIC v. NSA - Cybersecurity Authority.
- EPIC FOIA Request Reveals Details About Government Cybersecurity Program » (Apr. 24, 2013)
New documents obtained by EPIC in a
Freedom of Information Act lawsuit reveal that the Department of Defense
advised private industry on how to best circumvent federal wiretap law. The
documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an
Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also
cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is
pursuing in separate FOIA litigation. For more information, see
EPIC: EPIC v. DHS (Defense Contractor Monitoring), and
EPIC: EPIC v. NSA - Cybersecurity Authority.
- White House Releases Unclassified Summary of Presidential Cybersecurity Directive » (Apr. 19, 2013)
The White House has released an
unclassified summary of Presidential Policy Directive 20. The Policy Directive sets out the cybersecurity authority of the National Security Agency in the United States and has raised concerns about government surveillance of the Internet. The existence of the Directive was detailed in a story in the
Washington Post in 2012, and EPIC immediately
pursued the public release of the document. According to the White House, PPD-20 "established principles and processes for the use of cyber operations so that cyber tools are integrated with the full array of national security tools." EPIC is still
pursuing the release of the full document. For more information see
EPIC: Cybersecurity Privacy Practical Implications and
EPIC: EPIC v. NSA (NSPD 54).
- White House Threatens to Veto CISPA Unless Privacy Protections Improved » (Apr. 16, 2013)
In a
Statement of Administration Policy, the White House threatened to veto the controversial
Cyber Intelligence Sharing and Protection Act (CISPA) unless more robust privacy and civil liberties protections are added and newly authorized information sharing goes through a civilian agency. EPIC joined a
letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process for CISPA. The markup for CISPA remained closed, and, as currently drafted, CISPA would allow companies to disclose vast amounts of customer and client information to other companies and the government, including the National Security Agency, for "cybersecurity purposes." EPIC favors government transparency and is currently pursuing a
lawsuit against the NSA stemming from a
FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see
EPIC: EPIC v. NSA - Cybersecurity Authority.
- EPIC Comments on Federal Cybersecurity Framework » (Apr. 12, 2013)
In response to a
request for comments, EPIC submitted
comments on the National Institute of Standards and Technology’s review to develop a cybersecurity framework. Pursuant to
Executive Order 13636, the agency is charged with defining a cybersecurity framework for the federal government. EPIC supports civilian control of cybersecurity and privacy protections based on the Fair Information Practices. In the comments to NIST, EPIC emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act. For more information, see
EPIC: Cybersecurity Practical Implications and
EPIC: EPIC v. NSA (Cybersecurity Authority).
- EPIC Supports Public Mark Up for Controversial Cyber Security Bill » (Apr. 4, 2013)
EPIC joined a
letter signed by a coalition of privacy and civil liberty organizations to urge the House Permanent Select Committee on Intelligence to open the markup process of the
Cyber Intelligence Sharing and Protection Act (CISPA) to the public. CISPA suspends privacy safeguards so that companies can disclose vast amounts of customer and client information to the government, including the National Security Agency, for "cybersecurity purposes." Some in Congress believe that the proposal should be adopted in a secret committee meeting. EPIC favors government transparency and is currently pursuing
a lawsuit against the NSA stemming from a
FOIA request for National Security Presidential Directive 54, which grants the NSA broad authority over computer networks in the United States. For more information, see
EPIC: EPIC v. NSA - Cybersecurity Authority.
- White House Issues New Executive Order, Presidential Directive on Cybersecurity » (Feb. 13, 2013)
In conjunction with the 2013 State of the Union, President Obama has signed a public
Executive Order on cybersecurity and "critical infrastructure." The Order grants new powers to federal agencies to share cybersecurity information with private companies. Affected federal agencies will "conduct regular assessments of privacy and civil liberties impacts." The President also issued
Presidential Policy Directive 21, which directs the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a
Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a secret directive that grants cybersecurity authority to the National Security Agency. For more information, see
EPIC: Cybersecurity Privacy Practical Implications and
EPIC: EPIC v. NSA (Cybersecurity Authority).
- Obama Talks Cybersecurity at 2013 State of the Union » (Feb. 13, 2013)
At the
2013 State of the Union, President Obama announced an
Executive Order that grants new authority to federal agencies to share information with private companies. President Obama further urged Congress to act to "pass legislation to give our government a greater capacity to secure our networks and deter attacks." A new
Presidential Directive was also published today, directing the Secretary of the Department of Homeland Security to take specific, discrete actions regarding cybersecurity practices. EPIC is currently pursuing a
Freedom of Information Act request with the National Security Agency for Presidential Policy Directive 20, a prior directive that grants additional, secret cybersecurity authority to the National Security Agency. For more information, see
EPIC: Cybersecurity Privacy Practical Implications and
EPIC: EPIC v. NSA (Cybersecurity Authority).
- EPIC Comments on Federal Cybersecurity Plan » (Dec. 20, 2012)
In response to a
request for comments, EPIC submitted
comments on the
Federal Cybersecurity Research and Development Strategic Plan. The cybersecurity strategic plan calls for a coordinated research strategy across federal agencies including the Department of Homeland Security and the National Security Agency. EPIC supported the call for privacy safeguards and anonymous web access, and recommended the further integration of genuine privacy-enhancing techniques. EPIC also emphasized the need for all federal agencies to comply with the Privacy Act and the Freedom of Information Act as the plan progresses. EPIC previously submitted
comments to the Department of Defense regarding Cyber Security and Information Assurance Activities. For more information, see
EPIC: Cybersecurity Privacy Practical Implications and
EPIC: EPIC v. NSA - Cybersecurity Authority.
- UPDATED: EPIC Appeals NSA's Withholding of Cybersecurity Directive » (Nov. 27, 2012)
EPIC has
appealed a
decision by the National Security Agency to deny EPIC's
Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cyber security authority. The NSA has ten days to respond to EPIC's appeal. For more information, see
EPIC: Cybersecurity Privacy Practical Implications,
EPIC: EPIC v. NSA - Cybersecurity Authority.
- NSA Withholds Cybersecurity Directive, EPIC to Appeal » (Nov. 20, 2012)
The National Security Agency has
responded to a
Freedom of Information Act Request from EPIC, seeking the public release of Presidential Policy Directive 20. The Directive, first reported by the
Washington Post, is believed to expand the NSA's cybersecurity authority. In response to EPIC, the NSA argued that the Agency does not have to release the document because it is a confidential presidential communication and it is classified by the NSA. EPIC is
litigating similar claims against the NSA, including the release of NSPD 54, a 2008 presidential directive setting out the NSA’s cybersecurity authority. In an official
statement to Congress earlier this year, EPIC explained that the NSA was a “black hole for public information about cybersecurity.” EPIC plans to appeal the NSA's determination. For more information, see
EPIC: Cybersecurity Privacy Practical Implications,
EPIC: EPIC v. NSA - Cybersecurity Authority.
- President Issues Secret Cybersecurity Directive, EPIC Seeks Public Release » (Nov. 14, 2012)
Following a
Washington Post report of a new cyber security directive, EPIC has filed a
Freedom of Information Act request for the release of
Presidential Policy Directive 20. The Directive is believed to expand cyber security authority for the National Security Agency. EPIC is pursuing several FOIA cases, including the
release of NSPD-54, an earlier Directive that gave NSA authority to conduct surveillance within the United States. EPIC has also sought public release of the technical arrangement between the NSA and Google that was adopted in January 2010. Federal
law prevents the National Security Agency, a component of the Department of Defense, from conducting operations within the United States. For more information, see
EPIC: Cybersecurity Privacy Practical Implications,
EPIC: EPIC v. NSA - Cybersecurity Authority, and
EPIC v. NSA: Google / NSA Relationship.
- 2012 Democrat Platform Endorses Internet Privacy » (Sep. 4, 2012)
- 2012 Republican Platform Addresses Privacy and Government Surveillance » (Aug. 29, 2012)
The
2012 Republican Party Platform calls for strong Constitutional protections for privacy and new safeguards for personal data held by businesses. "We will ensure that personal data receives full constitutional protection from government overreach and that individuals retain the right to control the use of their data by third parties," the platform
states. The platform also criticizes
TSA screening procedures and calls for
warrant requirements for most law enforcement-operated drones. However, other provisions
endorse voter identification laws and increased disclosure of personal information to the government for
cyber security. For more information, see
EPIC: Privacy and Consumer Profiling,
EPIC: Whole Body Imaging Technology and Body Scanners,
EPIC: Unmanned Aerial Vehicles (UAVs) and Drones,
EPIC: Voter Photo ID and Privacy, and
EPIC: Cybersecurity Privacy Practical Implications.
- Franken Amendment Seeks to Protect Cybersecurity Privacy » (Jul. 30, 2012)
The Senate is expected to consider the
Cybersecurity Act of 2012 prior to the August recess. Unlike the Secure IT Act, the Cybersecurity Act would avoid the NSA takeover of the Internet. However, privacy concerns remain about the broad authority of Internet companies to monitor Internet users and turn information over to the government. An
amendment sponsored by Senator Al Franken (D-Minn) would limit this surveillance. A provision that limits the disclosure of cybersecurity threat information remains in the Act. Earlier this year, EPIC
recommended to the
Senate that the Freedom of Information Act limitation be removed. For more information, see
EPIC: Cybersecurity Privacy Practical Implications.
- EPIC Urges Privacy Safeguards for Defense Department Cybersecurity Program » (Jul. 11, 2012)
EPIC has submitted
comments to the Department of Defense, urging the agency to protect individual privacy when it obtains detailed information about Internet users from the private sector. Under current Department
regulations, companies are encouraged to provide information about Internet users that may relate to "cyber incidents" and cyber "threats." This is similar to a controversial provision in the
Cyber Intelligence Information Protection Act ("CISPA"). EPIC recommended that the agency revise the regulations for the "Cyber Security and Information Assurance" program so that: (1) the program remains voluntary, (2) "cyber incident" and "threat" are narrowly defined, (3) liability is imposed on private companies for disclosing excess user information, (4) the Attorney General conducts annual audits, and (5) the agency adheres to federal privacy laws. EPIC also warned the agency to fully comply with the Freedom of Information Act, which has provided the public with important information about network security. For more information, see
EPIC: Cybersecurity and
EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and
EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship).
- Executive Order Grants Authority to Seize Private Communications Facilities » (Jul. 9, 2012)
The White House has released a new
Executive Order seeking to ensure the continuity of government communications during a national emergency. The Executive Order grants new powers to the
Department of Homeland Security, including the ability to collect certain public communications information. Under the Executive Order the White House has also granted the Department the authority to seize private facilities when necessary, effectively shutting down or limiting civilian communications. In 2011, Congress
considered similar provisions in cybersecurity legislation, which would have allowed the government to disconnect communications traffic in times of national security. Following public protest, Congress abandoned the proposal. For more information, see
EPIC: Cybersecurity Privacy Practical Implications.
- LinkedIn Breach Leads to 6.5 Million Stolen Passwords » (Jun. 7, 2012)
The professional social network LinkedIn suffered a
security breach that exposed the passwords of over 6 million users. A user on a Russian Web forum reported downloading 6 million LinkedIn passwords. LinkedIn later confirmed that some of the passwords corresponded to LinkedIn accounts, deactivated those passwords, and advised all users to update their passwords. EPIC testified about the growing problem of data breaches in 2011 before the
House Financial Services Committee and the
Senate Banking Committee. For more information, see
EPIC: Cybersecurity and Privacy.
- Privacy Board Approved by Judiciary Committee, Vote Moves to Senate » (May. 17, 2012)
The
Senate Committee on the Judiciary has
approved President Obama's five nominees for the
Privacy and Civil Liberties Oversight Board. The Board is an independent entity charged with ensuring that fundamental rights are protected in the implementation of government programs, including cybersecurity. Originally convened in 2004, the five seats on the Board have remained
vacant for the past five years. Senator Leahy, the Chairman of the Judiciary Committee,
said, "When we worked to create this board, we did so to ensure that our fundamental rights and liberties would be preserved…The Senate should move quickly to confirm the nominees to the board so that they can get to their important work." For more information, see
EPIC: 9/11 Commission Report and
"The Sui Generis Privacy Agency: How the United States Institutionalized Privacy Oversight After 9-11."
- Flawed Cybersecurity Bill Passes House, Headed for Senate without Privacy, FOIA Safeguards » (Apr. 27, 2012)
The House of Representatives
passed the
Cyber Intelligence Information Protection Act ("CISPA"), a cybersecurity bill that allows the government to obtain detailed information about Internet users from the private sector. The bill preempts established privacy protections in other federal laws and opens the door for increased surveillance of individuals in the United States. The bill also creates a new
Freedom of Information Act exemption, which will reduce government transparency and accountability. Earlier this year, EPIC said in a
statement to the
Senate that the Freedom of Information Act provides the public important information about network security, and warned that the National Security Agency has become a “black hole” for public information about cybersecurity. For more information, see EPIC:
Cybersecurity and
EPIC: EPIC v. NSA (FOIA for NSA Cybersecurity Authority), and
EPIC: EPIC v. NSA (FOIA for Google/NSA Relationship).
- Coalition Urges Congress to Remove Cybersecurity FOIA Limitations » (Apr. 18, 2012)
An open government coalition has
asked House lawmakers to oppose provisions in
"CISPA" that would cut off public access to information held by federal agencies. The Cyber Intelligence Sharing and Protection Act would allow the government to refuse to disclose broad swaths of information, otherwise subject to FOIA, that companies provide to the government. More than three dozen groups have signed the petition - including Openthegovernment.org, the Sunlight Foundation, Project On Government Oversight, and EFF. The groups have asserted that the legislation "constitutes a wholesale attack on public access to information under the Freedom of Information Act" and would impede the public's ability to evaluate whether the government is adequately combating cybersecurity threats. In a
statement for a
hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information see
EPIC: Cybersecurity, EPIC: EPIC v. NSA,
Litigation Under the Federal Open Government Laws 2010.
- Open Government Groups Oppose Cyber Security FOIA Exemption » (Mar. 14, 2012)
Open government organizations have sent a
letter to Senator John McCain, opposing specific provisions in a cybersecurity bill he introduced. The
SECURE IT Act would create new Freedom of Information Act exemptions for "cyber threat information" as well as for all information shared with a cybersecurity center. FOIA exemptions limit public access to government information. The organizations stated, "Unnecessarily wide-ranging exemptions of this type have the potential to harm public safety and the national defense more than they enhance those interests." In a
statement for a
hearing on the FOIA and critical infrastructure information, EPIC also warned against new FOIA exemptions and said that the National Security Agency has become a "black hole" for public information about cybersecurity. For more information, see
EPIC: Cybersecurity.
- EPIC Urges Senate to Safeguard FOIA for Cybersecurity » (Mar. 12, 2012)
In a detailed
statement to the Senate for a hearing on the
"Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public.
EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request, will be heard next week by the DC Circuit Court of Appeals. For more information, see
EPIC: Cybersecurity.
- EPIC Warns Congress of Cybersecurity Risks to Consumers » (Sep. 14, 2011)
EPIC Executive Director Marc Rotenberg
testified today before the
House Subcommittee on Financial Institutions and Consumer Credit. EPIC highlighted several recent high-profile data breaches, including those involving the digital security certificates used to authenticate websites, that have compromised the private data of thousands of consumers. Citing reports from the
Privacy Rights Clearinghouse, EPIC's Rotenberg said "These attacks on financial institutions produce both direct and indirect costs for consumers who must contend with the risk of identity theft and financial fraud." EPIC previously
testified before the Senate Banking Committee on cybersecurity in the financial sector and the growing threat to consumer data. For more information, see
EPIC: Cybersecurity and Privacy.
Webcast.
- Commerce Department Releases Cybersecurity Report, Seeks Comments » (Jun. 8, 2011)
The U.S. Department of Commerce has released a green paper on
"Cybersecurity, Innovation, and the Internet Economy." The paper is the latest deliverable published by Secretary Locke's
Internet Policy Task Force, established in April 2010 as a collaboration between technical, policy, trade, and legal experts. The Department’s goal is to provide voluntary standards and incentives for Internet stakeholders who fall outside of the scope of "critical infrastructure." The White House released
draft cybersecurity legislation in May 2011 that would designate the Department of Homeland Security as the lead administrative agency for critical infrastructures. The Department of Commerce poses several questions in the green paper, and is encouraging stakeholders to submit comments, which are due in 45 days. For more information, see
EPIC: Cybersecurity and Privacy.
- House Examines White House Cybersecurity Proposal » (May. 26, 2011)
The House of Representatives has held two hearings on the
White House legislative plan for cybersecurity. The
House Oversight and
House Judiciary Committees questioned government officials and members of private industry on the proposal. Committee members showed particular interest in provisions that pre-empted stronger state laws and those that offered immunity to private industry for complying with government requests for information on data breaches. Rep. Watt (D-NC) asked how the proposal was unlike the controversial telecom immunity contained in the
Patriot Act. The White House proposal is part of a series of initiatives driven by the
2009 Cyberspace Policy Review. EPIC has
called for cybersecurity legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. For more information, see
EPIC: Cybersecurity and Privacy and
EPIC: National Strategy for Trusted Identities in Cyberspace.
- White House Releases International Cyberspace Plan » (May. 17, 2011)
Following the release of
proposed cyber security legislation last week, the White House today unveiled
"International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World." The
Strategy is ambitious and far-reaching, covering economic policy, foreign affairs, homeland security, and defense. The Strategy also emphasizes the need to safeguard fundamental freedom and privacy rights. To address growing concerns about online privacy, EPIC has
recommended that the United States begin the process of ratifying the
International Privacy Convention, which has been adopted by more than 40 countries. For more information, see
EPIC - Privacy Convention.
- White House Sets Out Cyber Security Plan » (May. 13, 2011)
The White House has
announced a far-reaching
legislative proposal for cyber security. The proposal would standardize data breach reporting requirements, clarify penalties for computer crime, and create a regulatory framework for critical infrastructure. However, the plan also enables greater data collection across the federal government and expanded electronic surveillance. EPIC has previously
called for cyber security legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. EPIC has several pending FOIA lawsuits concerning the Administration's cyber security programs, including the
Google/NSA collaboration. For more information, see
EPIC: Cybersecurity and Privacy.
- Senate Commerce Committee to Explore Internet Privacy, Airport Screening, Cybersecurity » (Jan. 21, 2011)
Chairman Rockefeller's (D-WV) priorities for the Senate Commerce Committee in the new Congress will include consumer privacy, oversight of the Federal Trade Commission, airport screening, and cybersecurity, according to a recent
statement. Senator Rockefeller has specifically
called for strong Internet privacy laws. "There are no baseline privacy protections for most consumer online activity," he stated. "Industry self-regulation has largely failed, and I hope that the Department of Commerce . . .will reach the conclusion that legislation is necessary to protect consumers." EPIC has testified previously before the Committee on the
Children's Online Privacy Protection Act (COPPA),
protecting consumers' phone records, and
spam e-mail. For more information, see
EPIC: Online Tracking and Behavioral Profiling and
EPIC: Cybersecurity Privacy Practical Implications.
- EPIC, Joined by 13 Organizations, Sends Statement on NSTIC » (Oct. 1, 2010)
EPIC, joined by the
American Library Association,
Liberty Coalition,
Bill of Rights Defense Committee, and the
Center for Media and Democracy, among others, sent a
statement to the
Department of Homeland Security responding to the Administration's call for comments regarding its
National Strategy for Trusted Identities in Cyberspace Creating Options for Enhanced Online Security and Privacy (NSTIC) draft policy. The coalition's comments press the Administration for a clearer definition of the problems that the policy intends to solve. The coalition further advocates for the maintenance of a free and open Internet that protects the creative content of users, assures privacy, and creates accountability and oversight of government activity, especially as it relates to law enforcement and surveillance. For more, see EPIC's
Cybersecurity and Privacy.
- EPIC Seeks Details on New Government Crypto Regulations » (Sep. 29, 2010)
EPIC has sent
Freedom of Information Act (FOIA) requests to the Department of Justice, the Federal Bureau of Investigation, and the National Security Agency for information about a
proposal to expand Internet surveillance and deploy weakened security standards. The proposal would require Internet companies to develop network services to enable government access to private communications, including those on peer-to-peer networks. In 1996, the National Resource Council
concluded that such technical standards make network communications more vulnerable to cyber attack. For more information, see
EPIC: Cryptography Policy.
- DHS Privacy Office Releases 2010 Annual Report » (Sep. 24, 2010)
The Department of Homeland Security has released the
Privacy Office 2010 Annual Report. The Agency's Chief Privacy Officer must prepare an annual report to Congress that details activities of the Department that affect privacy, including complaints of privacy violations, and DHS compliance with the Privacy Act of 1974. This year’s report details the establishment of privacy officers within each component of the Agency. The report also provides updates on
Fusion Centers,
Cybersecurity, and
Cloud Computing activities of the agency. For more information, see
EPIC: DHS Privacy Office.
- EPIC FOIAs NSA for Details of "Perfect Citizen" » (Jul. 16, 2010)
EPIC has filed a
Freedom of Information Act request with the
National Security Agency regarding the new secret cybersecurity program known as "Perfect Citizen." According to the
Wall Street Journal, the program "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack," although the agency
has claimed that there "is no monitoring activity involved, and no sensors are employed in this endeavor" but has refused to release the details of the program. In its request, EPIC has sought contracts, memoranda, and other records relating to "Perfect Citizen." For more information, see
EPIC Cybersecurity and Privacy.
- EPIC Testifies in Congress on Cybersecurity and Privacy » (Jul. 15, 2010)
EPIC Executive Director Marc Rotenberg testified today before the
House Committee on Science and Technology regarding
Planning for the Future of Cyber Attack Attribution. In
his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies. For more information, see
EPIC Cybersecurity and Privacy.
- Cybersecurity Legislation Moves Forward in Congress » (Jun. 25, 2010)
The Senate Homeland Security Committee voted unanimously to report favorably the Protecting Cyberspace as a National Asset Act of 2010 to the Senate at a markup session (video) on June 24th. An earlier version of the bill was introduced on June 10th and a hearing (video) was held on June 15th. The bill would establish a National Center for Cybersecurity and Communications at the Department of Homeland Security. Critics had said that the bill would also give the President an "internet kill switch" to take over private networks. Before committee passage, the bill was amended to include limitations on the proposed Presidential powers to declare a "cybersecurity emergency" and to better define what parts of critical infrastructure are covered by the bill. For more information, see
EPIC Cybersecurity and Privacy.
- EPIC's Coney Leads Cybersecurity Panel at Computers, Freedom, Privacy Conference » (Jun. 18, 2010)
EPIC Associate Director Lillie Coney leads a panel discussion today on "Cybersecurity Policy and the Role of .Orgs" at the annual conference on
Computers, Freedom, and Privacy. The
panel features top government decision makers and leading experts in cybersecurity. The panel will be
cybercast June 18 at 2 pm ET. The discussion builds on a
letter to White House Cyber Security Director Howard Schmidt, organized by EPIC and endorsed by 30 organizations, which states that US cybersecurity policy "must incorporate protections of our basic freedoms and constitutional rights." Ms. Coney will co-chair the 2011 CFP Conference, which will be held in Washington DC. For more information, see
EPIC-Cybersecurity Privacy Practical Implications.
- Senate Committee Holds Hearing on Cybersecurity Bill » (Jun. 16, 2010)
The Senate Homeland Security Committee held a first hearing on the
recently introduced cybersecurity bill, the
Protecting Cyberspace as a National Asset Act of 2010. The
hearing (video) featured testimony from Philip Reitinger at the Department of Homeland Security, as well as several industry representatives. Many of the committee's questions focused on whether authority over civilian cybersecurity should be concentrated in the Department of Homeland Security or in the Department of Defense, a question on which EPIC has
repeatedly sought information. For more information, see
EPIC Cybersecurity and Privacy.
- New Cybersecurity Legislation Introduced » (Jun. 11, 2010)
Senators Lieberman, Collins, and Carper of the Senate Homeland Security & Governmental Affairs Committee have
introduced the
Protecting Cyberspace as a National Asset Act of 2010. The bill would establish a White House Office of Cyberspace Policy and a National Center for Cybersecurity and Communications. The bill would allow the President to declare a "national cyber emergency" and implement emergency measures, although it would not allow these measures to set aside requirements of the
Wiretap Act, the
Electronic Communications Privacy Act, or the
Foreign Intelligence Surveillance Act. The bill would also make certain changes to the Federal Information Security Management Act. The Committee released a
summary of the bill. EPIC is currently seeking to make public the NSA's authority for cyber security. For more information, see
EPIC Cybersecurity and Privacy.
- Coalition Letter Results in Meeting with White House Cybersecurity Coordinator » (May. 12, 2010)
EPIC, joined by over 30 organizations, launched a campaign to obtain a meeting with Howard Schmidt, the White House Cybersecurity Coordinator. Groups joining the
letter included the ACLU, American Library Association, Bill of Rights Defense Committee, Liberty Coalition, NAACP, OpenTheGovernment.org, and the Lawyers Committee for Civil Rights Under Law. The White House has agreed to the meeting, which follows Senate
confirmation of Keith B. Alexander, director of the National Security Agency, to lead the U.S. Cyber Command. Civil society organizations have expressed concern about the growing role of the NSA in cyber security. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see
EPIC Sues NSA to Force Disclosure of Cybersecurity Authority, and
EPIC - Cybersecurity Privacy: Practical Implications.
- White House Issues Rules for Security Reporting » (Apr. 26, 2010)
A new
White House memo sets out the Federal Information Security Management Act of 2002 (FISMA) standards for federal agencies. All agencies must comply with the FISMA standard and report security practices for information under agency control. The standard also extends obligations to agency contractors. By November 15, 2010, all agencies must be capable of monitoring all information traffic on their networks and must make reports to
CyberScope, a platform launched last year to provide a single government-wide security management tool for FISMA reports. The Memorandum included requirements to respond to breaches of personal information. Agency Inspectors General will provide oversight of agency FISMA compliance. For more information, see
EPIC's Cybersecurity page.
- EPIC Demands Release of Classified Answers on Privacy and Internet Standards from Cyber Command Nominee » (Apr. 19, 2010)
EPIC has filed a
Freedom of Information Act (FOIA) request with the National Security Agency (NSA) seeking the "classified supplement" that Director Lt. Gen. Keith Alexander filed with his
answers to questions from the Senate Armed Services Committee regarding his
nomination to be the Commander of the newly formed United States Cyber Command. Several of Lt. Gen. Alexander's classified responses were to questions regarding the privacy of Americans' communications, and EPIC's request urges the Agency to make the full responses public. EPIC is currently in litigation with the NSA to obtain the secret policy for NSA surveillance authority. For more information, see
EPIC Sues NSA to Force Disclosure of Cybersecurity Authority.
- Congress Considers Nomination of NSA Director to US Cyber Command, Concerns Remain » (Apr. 15, 2010)
The
Senate Armed Services Committee will hold a hearing on April 15 to consider the nomination of NSA Director
Lt. Gen. Keith B. Alexander to be the Commander of the
US Cyber Command. EPIC has expressed concern about the expanded authority of the NSA within the United States and has specifically requested the public release of
NSPD-54, the secret Presidential Directive that allows the NSA to conduct electronic surveillance against US citizens within the United States, prior to the confirmation of Lt. Gen. Alexander. EPIC is seeking this and related documents in a Freedom of Information Act lawsuit. For more information, see
EPIC Sues NSA to Force Disclosure of Cyber Security Authority.
- Congressional Leaders Press Obama on Privacy Board » (Mar. 30, 2010)
Chairman Bennie Thompson and twenty members of the House of Representatives sent a
letter to President Obama seeking the immediate nomination of members to the Privacy and Civil Liberties Oversight Board. The Privacy Board was active during the Bush Administration, but the Obama administration has moved slowly to
reconstitute the advisory body. No hearings have been held and no reports have been issued. The board is intended to provide advice on the civil liberty implications of programs that affect the rights of citizens, such as the use of
Whole Body Scanners by the TSA,
biometric identifiers, and
cyber security policy.
- White House Publishes Outline of Cyber Security Policies » (Mar. 2, 2010)
The White House
announced today that it has made a
description of the Comprehensive National Cybersecurity Initiative (CNCI) available online for public viewing. The 12 CNCI initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains secret. EPIC has been involved in ongoing
litigation regarding a
Freedom of Information Act request for the text of the critical cybersecurity document NSPD 54 that President Bush signed in 2008. For more information, see
EPIC: EPIC Sues NSA to Force Disclosure of Cyber Security Authority and
EPIC: EPIC Seeks Records on Google-NSA Relationship.
- EPIC Statement to Congress on Google, NSA, and Cybersecurity » (Feb. 9, 2010)
EPIC has submitted a
statement for the record for a
House Foreign Affairs Committee hearing on Google and U.S. Cyberspace Policy. EPIC's statement recommends investigation into the newly-announced partnership between Google and the National Security Agency and the public release of the secret document that grants the NSA broad surveillance authority in cyberspace. The EPIC statement also urges the Congressional Committee to support US ratification of the
Council of Europe privacy convention. For more information, see
EPIC Critical Infrastructure Protection,
Experts' Letter to Secretary Clinton on the Council of Europe Convention.
- FCC Commits to Protecting Consumers in FY 2011 Performance Plan » (Feb. 4, 2010)
The
Federal Communications Commission (FCC) released its FY 2011
budget request and performance plan. The FCC requests funding for furthering cybersecurity, implementing the
National Broadband Plan, revamping the FCC's data systems and processes, and modernizing the agency's communications tools and expertise. The FCC prioritizes implementation of the National Broadband Plan and protection of consumers in the agency's performance goals. Objectives with respect to consumers include addressing 100% of complaints filed with the Commission alleging violations of the
Communications Act and taking appropriate action within 15 months, rigorously enforcing the
Telephone Consumer Protection Act, and ensuring "through litigation where necessary, that consumers are protected from anticompetitive practices."
- EPIC Sues NSA to Force Disclosure of Cyber Security Authority » (Feb. 4, 2010)
EPIC has filed a
lawsuit against the
National Security Agency and the
National Security Council, seeking a key document governing national cybersecurity policy. The document, National Security Presidential Directive 54, grants the NSA broad authority over the security of American computer networks. The agencies violated the Freedom of Information Act by failing to make public the Directive and related records in response to
EPIC's request. EPIC's suit asks a federal judge to require the release of the documents. Congress is currently debating cyber security policy. For more information, see
EPIC FOIA Litigation,
EPIC Critical Infrastructure Protection.
- New Cybersecurity Legislation Introduced in Congress » (Jul. 23, 2009)
Senator Patrick Leahy (D-Vt)
introduced The Personal Data Privacy and Security Act of 2009. The statute requires data brokers, business entities and federal agencies to create and implement data privacy and security practices. The bill requires data breach notification, enforces disclosure and accuracy requirements, and
establishes an Office of Federal Identity Protection within the
FTC. However, the bill preempts stronger state privacy laws and fails to provide a right of private action for consumers. For more information, see
EPIC Identity Theft,
EPIC Personal Data and Privacy Protection, and
EPIC Preemption Page.
Privacy
What Privacy Rights May be Involved with Cybersecurity?
Privacy interest in cybersecurity involves establishing protocols and effective oversight regarding when, why, and how government agencies may gain access to personal information that is collected, retained, used, or shared. U.S. businesses and government share responsibility for the insecurity of consumer online personal information. There is no single federal minimum standard for data protection that enforces fair information practices (FIPs). Fair information practices regulate and enforce consumer privacy rights regarding data collection, retention, use, and sharing of personal information. The federal approach has focused not on the protection of personal information, but on the purpose of the information collection.
The history of U.S. government agencies conducting sanctioned and unsanctioned surveillance of domestic communication by colluding with telecommunications and wire communication companies is well known. (James Bamford, The Puzzle Palace: Inside the National Security Agency, America's Most Secret Intelligence Organization (1983)) Domestic surveillance first began as a means of acquiring information on criminal activities and quickly moved to documenting people's engagement in social or political activities and their exercise of constitutionally protected rights to expression and assembly. Fundamentally, control of society is, in large part, about the ability of government to control communications.
One key challenge facing digital communications users is that this medium suits those inclined to spy unlike any other form of surveillance because the intruder can hide the fact that a communication has been compromised. The National Security Agency is no amateur at delving into personal communications that are secured by law or design from snooping.
Cybersecurity Interests
Consumer Cybersecurity Interest
Online consumers have been victimized by cyber-threats in the form of spyware; malicious computer viruses, worms, or malware; and fraud or abusive sales tactics that lure consumers to invest in bogus products or services. Online consumers routinely fall victim to identity theft, as well as spam, phishing or pharming attacks.
Consumers are also facing the challenge of determining which products or services to trust to provide goods and services as advertised.
Political Advocacy and Academic Cybersecurity Interest
For individuals and organizations that rely on the Internet for research, access to information, collaboration, political participation, fundraising, coalition building, campaigns, advocacy, organized dissent, political speech, watchdog actions against government and businesses, freedom of expression, dissemination of information, or outreach to constituencies, cybersecurity matters a great deal.
Threats posed to political activity include deceptive campaign tactics that deface Websites, target donations for theft, create denial of service attacks on Websites, or send messages that are deceptive or misleading regarding the rules for voter participation on election day. If responses to cyber-attacks deny advocates access to the Internet and/or advanced communications networks, this would deny them the means to engage in a wide range of activities that could include election protection efforts during public elections, mobilize supporters for public protests, educate consumers, or empower constituencies to know and understand policy that impacts their lives. Academics and researchers must have a trustworthy and reliable means of exchanging ideas, participating in discussions, and collaborating on projects that advance their areas of research interest.
Business Cybersecurity Interest
Large and small companies have cyber-threats within and outside of their control such as data breaches, theft of company secrets, spying, attacks on computer networks, and damage to critical systems. Many companies are considering the challenges of cybersecurity and looking to new business applications such as cloud computing to secure data. However, cloud computing has enormous security and privacy risks relating to dependence on untrustworthy or unevaluated third parties.
New business and government services such as electronic health records and development and updating of critical infrastructure such as the Smart Grid each offer new cybersecurity privacy challenges for consumers.
National Security Cybersecurity Interest
The cyber-threats to any nation can range from disruption of an agency's networks or information services to the public to cyber-warfare. Depending on the agency, type of cyber-attack, its scope, duration, and effectiveness, the consequences for the online and offline operation of local, federal, or state government components can range from annoying delays in communications to serious damage to infrastructure threatening life or property.
Cyber-attacks or incidents that threaten the command and control structure of the national government or its assets including national defense, emergency response, and economic systems are of growing concern. The digital infrastructure of the nation must be treated as a strategic national asset. The new mission is to deter, detect, and defend against disruptions and attacks of all descriptions.
Policy
Introduction
Cyberspace is global, but the freedoms that are protected by constitutional rights, human rights norms, and legal institutions are defined by treaty or geography. Cybersecurity may be defined by governments, but will have a lasting impact on many rights and civil liberties enjoyed by free people throughout the world who engage in cyber-communications. Freedom of expression, freedom of association, economic opportunity, and political discourse may be redefined by the course the United States charts for cybersecurity.
Decisions about how to define cybersecurity and who will define it may affect Internet anonymous speech, freedom of expression, free speech, and access to information. Those who have worked on Network Neutrality understand what manipulation of communications over the Internet might mean. However, in the realm of federal cybersecurity, transparency and oversight might not be part of the process.
The Obama Administration has engaged agencies of the federal government, large corporations, technology companies, technologists, legal scholars, and policy experts in the deliberative process related to establishing policy to secure cyberspace.
On May 29, 2009, President Barack Obama announced the Administration's plan to address the growing issue of digital information insecurity. The Administration engaged multiple participants to develop this plan.
Much of the nation's critical infrastructure is connected in some way to computer networks. Addressing digital communication system vulnerabilities touches on important privacy and security questions that must be answered. The President began this discussion on cybersecurity by stating:
It is now clear that this cyber-threat is one of the most serious economic and national security challenges we face as a nation. It's also clear that we are not as prepared as we should be as a government or as a country. In recent years some progress has been made at the federal level, but just as we failed in the past to invest in our physical infrastructure: our roads, our bridges, and rails. We failed to invest in the security of our digital infrastructure. No single official oversees cybersecurity policy across the federal government and no single agency has the responsibility or authority to match the scope and scale of the challenge...
The Obama Administration is challenging federal government agencies, large technology companies, corporate America, academics and digital media users to join efforts to secure the Internet and telecommunications systems from every form of cyber-threat or menace.
The goal of the Administration is to pursue a new aggressive and comprehensive approach to cybersecurity that would address all forms of cyber-based threats. The category of threats will include those faced by consumers, corporations, critical infrastructure, and networked local, state, and federal government agencies. Internet or networked computer based communications have moved beyond an option to a necessary tool for a highly interconnected world. The Internet has fundamentally changed the social, cultural, business, political, and educational experiences of people.
The Cyberspace Policy Review set out 10 near-term actions. According to the Whitehouse.gov Cybersecurity Factsheet, the Administration has completed or will soon complete all of those items:
- Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy. ◊ Complete. Howard A. Schmidt has been appointed as the Cybersecurity Coordinator.
- Prepare for the President's approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes. ◊ Complete. The direction and needs highlighted in the Cyberspace Policy Review and previous national cybersecurity strategy are still relevant, and we have updated that strategy on targeted cyber issues, such as identity management and international engagement.
- Designate cybersecurity as one of the President's key management priorities and establish performance metrics. ◊ Complete. All senior executives and senior leadership have been informed that cybersecurity is one of the President's key management priorities for the Federal Government. We have established metrics through the CyberStats program, and we have also worked with the Office of Management and Budget (OMB) to update the Federal Information Security Management Act (FISMA) metrics by which departments and agencies are graded on their cybersecurity. Together, we are shifting the Federal Government's approach to cybersecurity from a static, paper-based certification and accreditation to a dynamic, relevant process based upon continuous monitoring and risk assessment.
- Designate a privacy and civil liberties official to the NSC cybersecurity directorate. ◊ Complete. Our second Director for Privacy and Civil Liberties official joined us from the Federal Trade Commission in December 2010.
- Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government. ◊ Complete. We have developed a formal interagency process as we continue to address policy and legal issues. As part of that process, we identified additional authorities that the executive branch needs to fulfill its mission, and we have requested those authorities as part of our legislative package.
- Initiate a national public awareness and education campaign to promote cybersecurity. ◊ Complete. We have created the National Initiative for Cybersecurity Education (NICE) with the dual goals of a cyber-savvy citizenry and a cyber-capable workforce, including raising awareness for consumers, enhancing cybersecurity education, and improving the structure, preparation, and training of the cybersecurity workforce. After the 2010 National Cyber Security Awareness Month, DHS launched a year-round national awareness campaign, which has held events around the country.
- Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. ◊ Complete. We have finished and will soon release the International Strategy for Cyberspace, which provides a unified foundation for the nation's international engagement on cyberspace issues.
- Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. ◊ Complete. The National Cyber Incident Response Plan (NCIRP) was developed and tested during a national cyber exercise, Cyber Storm III. It is now in the final stages of being updated, based upon our experience using the plan in different cyber exercises.
- In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. ◊ Complete. The White House Office of Science and Technology Policy has finalized a Cyber Research and Development Framework. Public release of the plan is expected to occur in May 2011.
- Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation. ◊ Complete. The National Strategy for Trusted Identities in Cyberspace (NSTIC) was released on April 15, 2011. The Department of Commerce will stand up a program office to coordinate the federal government and private sector in implementing this effort.
Legislative Proposals
The White House proposed cybersecurity legislation in May 2011. According to the White House, the proposed legislation will help safeguard personal data, help protect our national security by addressing threats to critical infrastructure, and help the government protect federal networks while at the same time creating stronger privacy and civil liberties protections. The Whitehouse.gov Fact Sheet on the Proposal highlights the following features of the legislation:
- National Data Breach Reporting
- Penalties for Computer Criminals
- Voluntary Government Assistance to Industry, States, and Local Governments
- Voluntary Information Sharing with Industry, States, and Local Governments
- Critical Infrastructure Cybersecurity Plans
- Increase of Effort and Resources to Protect the Federal Network
On January 5, 2011, Representative Bennie Thompson (D-MS) sponsored H.R. 174, the Homeland Security Cyber and Physical Infrastructure Protection Act of 2011. H.R. 174 "seeks to enhance DHS' cybersecurity capacity by authorizing the DHS Office of Cybersecurity and Communications and creating a new Cybersecurity Compliance Division to oversee the establishment of performance-based standards responsive to the particular risks to the (1) .gov domain and (2) critical infrastructure networks, respectively." (Source: Press Release). It was referred to the House Committee of Homeland Security's Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies.
The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies has held several hearings on the issue of cybersecurity. On June 24, 2011, the subcommittee held a hearing entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal." (http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity). On April 15, 2011, the subcommittee held a hearing entitled "The DHS Cybersecurity Mission: Promoting Innovation and Securing Critical Infrastructure." On March 16, 2011, the subcommittee held a hearing entitled "Examining the Cyber Threat to Critical Infrastructure and the American Economy."
National Strategy for Trusted Identities in Cyberspace (NSTIC)
One objective of the White House's Cyberspace Policy Review was to develop a national plan for a public secure Internet identification program:
"The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through a myriad of information, services and benefit programs and thus has no interest in the protection of the public's private information as well."
Based on the White House's recommendations, an inter-agency writing team developed and released a Draft plan of the
National Strategy for Trusted Identities in Cyberspace (NSTIC) in June 2010. NSTIC is seen as an acceleration and expansion of the initiatives developed by ICAM to the public domain. The Draft identified what it called the
Identity Ecosystem - "a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value." The Draft was published on IdeaScale, and was open for the public to submit comments. (The page has since been removed, though MSNBC has maintained a
screenshot.)
EPIC responded to the Draft NSTIC with a formal statement on the unique challenges the proposal presented for the continued protection of privacy and consumer rights. EPIC emphasized the need for:
- A complete enumeration of the sources of the problems identified in the draft
- A clear plan for privacy protection
- A strategy for the protection of private communications by fair information practices
- The assignment of responsibility of government agencies to oversee authorities, courts, and credential users regarding constitutional rights
- The assurance that Internet users can continue to create, control, and own web content.
EPIC also emphasized the importance of applying Fair Information Practices to all personally identifiable information that is collected, retained or used, and recommended an explicit statutory provision that would apply protections in the Federal Privacy Act to all credential-related information.
On January 7, 2011, White House Cybersecurity Coordinator Howard Schmidt and Commerce Secretary Gary Locke appeared at an event at Stanford University in California. In his speech, Locke detailed many potential threats on the Internet, claiming that the "cyber threat" was "one of the most serious economic and national security challenges we face as a nation." In order to lead the government's efforts on digital identity, Locke announced the creation of a National Program Office at the Department of Commerce, housed under the National Institute for Standards and Technology (NIST), that would be responsible for a digital identity framework.
As described by Secretary Locke in his announcement: The new Program Office would spearhead the development of NSTIC, though implementation would be outsourced to the private market, eliminating the need for a single overseer or a central database. (However, because the federal government will not be maintaining the databases of information, they will not be subject to the protections provided in the Federal Privacy Act of 1974.) The digital identity program is also designed to be entirely voluntary to users. In addition to private industry, the General Services Administration and the Department of Homeland Security were also slated to assist with development of the new programs.
For the full NSTIC page, see EPIC: NSTIC
International Strategy for Cyberspace
On May 16, 2011, the White House announced the International Strategy for Cyberspace (ISC). The ISC outlines the United States' approach to cyber issues. The ISC states the goal of a "future for cyberspace that is open, interoperable, secure, and reliable." Policy priorities include:
- Promoting International Standards and Innovative, Open Markets
- Protecting Our Networks: Enhancing Security, Reliability, and Resiliency
- Internet Governance: Promoting Effective and Inclusive Structures
- Internet Freedom: Supporting Fundamental Freedoms and Privacy
Department of Commerce's Cybersecurity Policy Framework
On June 8, 2011, the Department of Commerce announced a new policy framework for cybersecurity and businesses online. The Department of Commerce Green Paper proposes voluntary codes of conduct for companies that do business online but are not part of the critical infrastructure sector. The framework makes specific policy recommendations, including:
- Establish nationally recognized but voluntary codes of conduct to minimize cybersecurity vulnerabilities. For example, the report recommends that businesses employ present-day best practices, such as automated security, to combat cybersecurity threats and that they implement the Domain Name System Security (DNSSEC) protocol extensions on the domains that host key Web sites. DNSSEC provides a way to ensure that users are validly delivered to the web addresses they request and are not hijacked.
- Develop incentives to combat cybersecurity threats. The report also recommends exploring and identifying incentives that could include reducing "cyberinsurance" premiums for companies that adopt best practices and openly share details about cyberattacks for the benefit of other businesses.
- Improve public understanding of cybersecurity vulnerabilities through education and research. Programs like the National Initiative for Cybersecurity Education should target awareness and training to the I3S and develop methods for cost/benefit analyses for cybersecurity expenditures.
- Enhance international collaboration on cybersecurity best practices to support expanded global markets for U.S. products. This should include enhanced sharing of research and development goals, standards, and policies that support innovation and economic growth.
The Green Paper was the product of the Internet Policy Task Force. The Department of Commerce launched the Internet Policy Task Force in April 2010. The Department of Commerce is seeking public comment on the Green Paper.
Resources
- Coalition Letter Outlining Concerns Regarding Lack of Civil Society Presence in Decision Making
- White House Cybersecurity Memo Title: FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, April 21, 2010
- Advance Senate Armed Services Confirmation Hearing Questions for Lieutenant General Keith Alexander, USA Nominee for Commander, United States Cyber Command (Hearing Date April 15, 2010)
- Remarks on Internet Freedom, Hillary Rodham Clinton, Secretary of State at The Newseum, Washington, DC, January 21, 2010
- Privacy and Technology Experts Reply to Clinton's Remarks by Urging Ratification of the Council of Europe Convention on Privacy, January 28, 2010
- EPIC FOIA for National Security Presidential Directive 54
- Obama Administration: Cyberspace Policy Review
- Critical Infrastructure Protection and the Endangerment of Civil Liberties
- DHS Cybersecurity Documents
- DHS: A Road Map to Cybersecurity
- CRS Analysis of the US PATRIOT Act
- White House Cyberspace Policy Review (May 29, 2009)
- President Obama's Speech on Cyber-security (May 29, 2009)
- EPIC's Testimony to the House Subcommittee on Oversight and Investigations on "Creating the Department of Homeland Security: Consideration of the Administration's Proposal" (July 9, 2002)
- EPIC's Testimony to the Senate Committee on Governmental Affairs on "Securing Our Infrastructure: Private/Public Information Sharing" (May 8, 2002)
- EPIC's Letter to the House Judiciary Committee, Subcommittee on Crime, on H.R. 3482, The Cyber Security Enhancement Act of 2002 (February 26, 2002)
- EPIC's Testimony to the House Government Reform Committee on H.R. 4246, The Cyber Security Information Act (June 22, 2000)
- EPIC's Testimony to the Senate Judiciary Committee on "CyberAttack: The National Protection Plan and its Privacy Implications" (PDF, 128K) (February 1, 2000)
- EPIC Press Release on "National Plan for Information Systems Protection" (February 1, 2000)
- Memo from Ronald D. Lee, Associate Deputy Attorney General, Department of Justice to Jeffrey Hunker, Director, Critical Infrastructure Assurance Office regarding the National Information Systems Protection Plan, March 8, 1999. Obtained by EPIC under the Freedom of Information Act.
- Memo from Jeffrey Hunker, CIAO to CICG Members regarding "Offsite Materials." Obtained by EPIC under the Freedom of Information Act.
- White House "National Plan for Information Systems Protection" (PDF, 912K) (January 7, 2000)
- Executive Summary of "National Plan for Information Systems Protection" (PDF, 664K) (January 7, 2000)
- White House Press Release on "Cyber-Security" (January 7, 2000)
- Transcript of White House Press Briefing on "Cyber-Security" (January 7, 2000)
- European Parliament: Report on the existence of a global system for interception of private and commercial communications (ECHELON intercept system) (2001/2098(INI))
EPIC Reports, FOIA and Testimony
Organizations Working on Cybersecurity
Papers and Articles
- White House cyber security plan to cite e-health, Health IT, By Mary Mosquera, Wednesday, May 12, 2010
- A House insider's view of U.S. cybersecurity policy, Federal Computer Week, Ben Bain, May 6, 2010
- Summit in Dallas targets cybercrime, Dallas Morning News, By VICTOR GODINEZ, May 3, 2010
- Whitehouse: Congress needs clarity on who handles cybersecurity, the Hill, By Tony Romm - May 3, 2010
- Cyber-Security Survey Shows Distrust Between Public and Private Sectors, Government Technology, May 3, 2010
- FBI Names Cybersecurity Division Chief, Elizabeth Montalbano, InformationWeek, April 26, 2010
- Meeting of the Minds Over Fed Cybersecurity, Government Info Security
- Politicians jockey for cybersecurity positioning, Federal Computer Week, Ben Bain, April 23, 2010
- FCC launches NOI on voluntary cybersecurity certification program - NOI seeks to implement National Broadband Plan information security recommendation, Association of Corporate Counsel, April 22, 2010
- Politicians jockey over cybersecurity positioning, By Ben Bain, Federal Computer Week, April 21, 2010
- DHS Fills 2 Key Cybersecurity Posts, Government Info Security, April 21, 2010
- Four myths about cyber-security, Sync-blog.com, April 20
- Cyber Command nominee lays out rules of engagement, Ben Bain, Federal Computer Week, April 16, 2010
- Pick to lead cyber command lays out battle plans, Ben Bain, Federal Computer Week, April 15, 2010
- Cyber security, FEMA meeting on Obama's agenda, Washington Post, May 29, 2009.
- Computer Security Review Due This Week, Helene Cooper, N.Y. Times, May 26, 2009.
- Cyber Terror Arsenal Grows. Niall McKay, Wired News, October 16, 1998.
- An Electronic Pearl Harbor? Not Likely. George Smith, Issues in Science and Technology, Fall 1998.
- American Military Intervention: A User's Guide. The Heritage Foundation's look at military intervention.
- Protecting America's Critical Infrastructures. Critical Infrastructure Assurance Office factsheet on PDD 63.
- White House Fact Sheet: Protecting America's Critical Infrastructures: PDD 63. May 22, 1998.
- The President's speech on infrastructure protection at the U.S. Naval Academy.
- Statement of Dr. Jeffrey A. Hunker (Director, Critical Infrastructure Assurance Office).
- Is Cyberterrorism a Real Threat?. Reuters.
- Reno Unveils Center to Protect Infrastructure. Heather Harreld and Torsten Busse, Federal Computer Week.
- Networks: DOD's First Line Of Defense. George Leopold, Electronic Engineering Times, October 13, 1997.
- Testimony Before the House Science Subcommittee in behalf of the Computer System Security and Privacy Advisory Board. Willis H. Ware, Chairman, June 19, 1997.
- Report to the President's Commission on Critical Infrastructure Protection. James Ellis, David Fisher, Thomas Longstaff, Linda Pesante, and Richard Pethia, CERT Coordination Center Software Engineering Institute, Carnegie Mellon University, January 1997.
- Press Release - House Science Committee Chairman F. James Sensenbrenner, Jr. (R-WI) introduced H.R. 1903, the Computer Security Enhancement Act of 1997, legislation aimed at strengthening computer security throughout the federal government.
- Reflections on the 1997 Commission on Critical Infrastructure Protection (PCCIP) Report. Clark Staten, The Emergency Response and Research Institute.
- The Information Warfare Challenges of a National Information Infrastructure. Ronald Knecht and Ronald A. Gove.
- Report of the Defense Science Board Task Force on Information Warfare. November 1996.
- Security and the National Infrastructure in the Computer Age. Judith Nocella, University of Buffalo, Fall 1996.
- What is Information Warfare?. Martin C. Libicki, March 1996.
- Papers on Network Centric Warfare.
- The Clipper Chip: Frequently Asked Questions (FAQ).
- Overview of the Defense Intelligence Agency (DIA).
- List of websites related to the Department of Defense Advanced Research Projects Agency.
Cybersecurity Infrastructure Surveillance Laws
Cybersecurity Legislation in the 111th Congress
News Articles
- Opponents focus on defeating CISA cyberthreat info-sharing bill, Computer World, July 30, 2015
- Cyber bill opponents fight CISA with the power of fax, The Washington Times, July 27, 2015
- CISA: New “Cybersecurity” Bill Is About Surveillance, Not Security. The Christian Post, April 8, 2015
- Congress' Fix for Cyberattacks May Hand the Government More of Your Data. Mother Jones, June 17, 2015
- Cyberwar Commander Survives Senate Hearing, Wired Magazine, Threat Level Blog, April 15, 2010
- DHS Announces National Cybersecurity Awareness Campaign Challenge Deadline April 30, 2010
- U.S. to Reveal Rules on Internet Security, By JOHN MARKOFF, New York Times, March 1, 2010
- Google Asks Spy Agency for Help With Inquiry Into Cyberattacks, By JOHN MARKOFF, New York Times, February 4, 2010
- Privacy experts see room for improvement from Obama, By Andrew Noyes, CongressDaily, September 9, 2009
- Cybersecurity Plan Doesn't Breach Employee Privacy, Administration Says, By Ellen Nakashima, Washington Post, September 19, 2009
- Obama Set to Create A Cybersecurity Czar With Broad Mandate, Ellen Nakashima, Washington Post, May 26, 2009
- National Cyber Security Czar Steps Down, March 9, 2009
- Cybersecurity Plan to Involve NSA, Telecoms DHS Officials Debating The Privacy Implications, By Ellen Nakashima, Washington Post Staff Writer, July 3, 2009