EPIC v. NSA – Cybersecurity Authority

Background

In January 2008, President Bush issued National Security Presidential Directive 54 (NSPD 54), which grants the National Security Administration broad authority over the security of American computer networks. The Directive created the Comprehensive National Cybersecurity Initiative (CNCI), a “multi-agency, multi-year plan that lays out twelve steps to securing the federal government’s cyber networks.” This Directive was not released to the public.

EPIC’s Freedom of Information Act Request and Subsequent Lawsuit

In June 2009, EPIC submitted a FOIA request to the NSA asking for copies of the Directive, the Initiative and privacy policies related to either. The request specifically asked for the following documents:

• The text of the National Security Presidential Directive 54.
• The full text of the Comprehensive National Cybersecurity Initiative, including unreported sections and any executing protocols distributed to the agencies in charge of its implementation.
• Any privacy policies related to the Directive or the Initiative, including contracts or other documents describing privacy policies with information shared with private contractors to facilitate the CNCI.

Noting the extraordinary public interest in the plan and the public’s right to comment on the measures in Congress, EPIC asked the NSA to expedite the processing of its request.

On July 1, 2009, the NSA acknowledged receipt of EPIC’s FOIA request, but denied the request for expedited processing and did not make any substantive determination regarding the actual FOIA request. EPIC then submitted an administrative appeal, appealing the NSA’s failure to make a timely substantive determination as well as denying expedited processing on July 30, 2009. In response, the NSA granted EPIC’s request for expedited processing, but did not make a substantive determination on the FOIA request.

On August 14, 2009, the NSA released two documents that had previously been made public

In October 2009, the NSA identified three relevant documents, but refused to disclose any of them. One document, relating to the text of the Directive, was not disclosed because the record “did not originate with” the NSA, and “has been referred to the National Security Council for review and direct response to” EPIC. Two other documents relating to privacy policies were withheld allegedly pursuant to a FOIA exemption. On November 24, 2009, EPIC appealed the NSA’s determination. The NSA acknowledged receipt of this appeal in December, but failed to provide any further communication.

On February 4, 2010, EPIC filed a lawsuit against the NSA and the National Security Council to compel the disclosure of documents relating to NSPD 54. One of EPIC’s counts against the NSA included an Administrative Procedures Act violation because the NSA referred EPIC’s FOIA request to the NSC, which is not subject to FOIA.

In March 2010, the NSA and NSC filed a partial motion to dismiss the alleged FOIA violation against the NSC and the alleged APA violation against the NSA. EPIC filed an opposition on April 8, 2010, the government filed its reply on April 15, 2010. On July 7, 2011, the District Court ordered that the lawsuit would proceed against the NSA, but dismissed the NSC from the case. The Judge agreed with EPIC that “a referral of a FOIA request could be considered a ‘withholding’ if ‘its net effect is to impair the requester’s ability to obtain the records or significantly to increase the amount of time he must wait to obtain them,” but held that “an entity that is not subject to FOIA cannot unilaterally be made subject to the statute by any action of an agency, including referral of a FOIA request.”

In the interim, the White House published a description of the CNCI in March 2010. The initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains a secret. On August 30, 2011, the NSA released the heavily redacted version of two of the original three documents it had identified as responsive. The remaining document, NSPD 54 (and the CNCI, contained therein) was not released in any form.

On July 21, 2011, a briefing schedule was set for the case to move forward. The NSA invoked the narrowly construed “Presidential Communications Privilege” as the basis for withholding the text of NSPD 54 and the full version of the CNCI. The case remains pending in U.S. District Court for the District of Columbia for a finding on the merits of (a) the withholding of NSPD 54 and the CNCI in full and (b) the exemptions invoked to redact material from the August 30, 2011 documents.

Legal Documents

EPIC v. National Security Agency & National Security Council, Case No. 10-0196 (RMU) (D.D.C. filed Feb. 2, 2010)

• EPIC’s Complaint Against NSA and NSC (Feb. 2, 2010) (pdf)
• NSA and NSC’s Answer to EPIC’s Complaint (Mar. 25, 2010) (pdf)
• NSA and NSC’s Partial Motion to Dismiss (Mar. 25, 2010) (pdf)
• EPIC’s Opposition to NSA and NSC’s Partial Motion to Dismiss (Apr. 8, 2010) (pdf)
• NSA and NSC’s Reply (Apr. 15, 2010) (pdf)
• Memorandum Opinion Dismissing NSC (July 7, 2011) (pdf)
• Scheduling Order (July 21, 2011) (pdf)
• NSA Motion for Summary Judgment (Oct. 11, 2011) (pdf)
• EPIC’s Opposition and Cross Motion for Summary Judgment (Nov. 11, 2011) (pdf)
• NSA’s Opposition and Reply (Dec. 8, 2011) (pdf)
• EPIC’s Reply (Dec. 22, 2011) (pdf)
• Court’s Memorandum Opinion and Order (Oct. 21, 2013) (pdf)
• EPIC Motion for Attorneys’ Fees and Costs
• NSA Opposition to EPIC’s Fee Motion
• Fees Opinion (Apr. 8, 2015)
• EPIC Motion to Alter or Amend Judgment (Apr. 17, 2015)
• NSA Opposition to Motion to Alter or Amend Judgment (May 1, 2015)

Freedom of Information Act Documents

• EPIC’s FOIA Request (June 25, 2009) (pdf)
• NSA’s Acknowledgement and Response (July 1, 2009) (pdf)
• EPIC’s Administrative Appeal (July 30, 2009) (pdf)
• NSA’s Response to EPIC’s Administrative Appeal (Aug. 12, 2009) (pdf)
• NSA’s Additional Response (Oct. 26, 2009) (pdf)
• EPIC’s Second Administrative Appeal (Nov. 24, 2009) (pdf)
• NSA’s Response to EPIC’s Second Administrative Appeal (Dec. 18, 2009) (pdf)

Released Documents

• NSA’s August 14, 2009 Release of Two Documents Previously Made Public (pdf)
• NSA’s August 30, 2011 Release of Two Redacted Documents (pdf)