On June 16, 2011, the Washington Post reported that the NSA had implemented a new program designed to monitor all traffic flowing through certain ISPs to a select number of defense contractors. The goal of this pilot program is the “thwarting [of] cyberattacks against defense firms,” although Deputy Secretary of Defense William J. Lynn III stated that “[w]e hope the . . . cyber pilot can be the beginning of something bigger.” The NSA pilot program is to serve as a model that can be “transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security.”
Although no public name has been given to this new program, it is known that the NSA has partnered with AT&T, Verizon and CenturyLink to filter the traffic of fifteen defense contractors, including Lockheed Martin, CSC, SAIC and Northrop Grumman. The NSA claims that it will not be “direct[ly] monitoring the contractors’ networks.” Instead, it has developed “signatures” of malicious code as well as sequences of suspicious network behavior that it will apply to filter all Internet traffic on those ISPs that flows to these defense contractors. By applying these signatures and filtering suspicious behavior, the NSA will be able to “disable the threats before an attack can penetrate a contractor’s servers.”
Individuals within the Department of Justice expressed misgivings that the program would “run afoul of privacy laws forbidding government surveillance of private Internet traffic.” The Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2510, prohibits the interception of electronic communications without a court order or consent from one of the parties. The NSA has alleged that the Agency “will not directly filter the traffic or receive the malicious code captured by Internet providers.” It is unclear how the program can detect malicious code and prevent its execution without “captur[ing]” it in violation of federal law.
Deputy Secretary of Defense William J. Lynn III publicly spoke about the program and provided a rough outline of its scope. He stated that it is currently run by the NSA, and that DHS is a partner.
EPIC’s Freedom of Information Act Request and Subsequent Lawsuit
In July 2011, EPIC submitted a FOIA request to DHS asking for:
All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman, or any other defense contractors regarding the new NSA pilot program;
All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program;
All analyses, legal memoranda, and related records regarding the new NSA pilot program;
Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program;
Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.
DHS referred EPIC’s FOIA Request to the National Protection and Programs Directorate. The Directorate is charged with risk-reduction activities associated with the mission of DHS. The National Protection and Programs Directorate failed to provide any documents, and EPIC filed an Administrative Appeal in January 2012.
On March 1, 2012, EPIC filed a lawsuit against the DHS based on that Agency’s non-responsiveness to EPIC’s request and in order to compel the disclosure of documents relating to the monitoring program.
EPIC v. Department of Homeland Security, Case No. 12-00333 (GK) (D.D.C. filed Mar. 1, 2012)