In January 2008, President Bush issued National Security Presidential Directive 54 (NSPD 54), which grants the National Security Administration broad authority over the security of American computer networks. The Directive created the Comprehensive National Cybersecurity Initiative (CNCI), a “multi-agency, multi-year plan that lays out twelve steps to securing the federal government’s cyber networks.” This Directive was not released to the public.
EPIC’s Freedom of Information Act Request and Subsequent Lawsuit
In June 2009, EPIC submitted a FOIA request to the NSA asking for copies of the Directive, the Initiative and privacy policies related to either. The request specifically asked for the following documents:
The text of the National Security Presidential Directive 54.
The full text of the Comprehensive National Cybersecurity Initiative, including unreported sections and any executing protocols distributed to the agencies in charge of its implementation.
Any privacy policies related to the Directive or the Initiative, including contracts or other documents describing privacy policies with information shared with private contractors to facilitate the CNCI.
Noting the extraordinary public interest in the plan and the public’s right to comment on the measures in Congress, EPIC asked the NSA to expedite the processing of its request.
On July 1, 2009, the NSA acknowledged receipt of EPIC’s FOIA request, but denied the request for expedited processing and did not make any substantive determination regarding the actual FOIA request. EPIC then submitted an administrative appeal, appealing the NSA’s failure to make a timely substantive determination as well as denying expedited processing on July 30, 2009. In response, the NSA granted EPIC’s request for expedited processing, but did not make a substantive determination on the FOIA request.
On August 14, 2009, the NSA released two documents that had previously been made public
In October 2009, the NSA identified three relevant documents, but refused to disclose any of them. One document, relating to the text of the Directive, was not disclosed because the record “did not originate with” the NSA, and “has been referred to the National Security Council for review and direct response to” EPIC. Two other documents relating to privacy policies were withheld allegedly pursuant to a FOIA exemption. On November 24, 2009, EPIC appealed the NSA’s determination. The NSA acknowledged receipt of this appeal in December, but failed to provide any further communication.
On February 4, 2010, EPIC filed a lawsuit against the NSA and the National Security Council to compel the disclosure of documents relating to NSPD 54. One of EPIC’s counts against the NSA included an Administrative Procedures Act violation because the NSA referred EPIC’s FOIA request to the NSC, which is not subject to FOIA.
In March 2010, the NSA and NSC filed a partial motion to dismiss the alleged FOIA violation against the NSC and the alleged APA violation against the NSA. EPIC filed an opposition on April 8, 2010, the government filed its reply on April 15, 2010. On July 7, 2011, the District Court ordered that the lawsuit would proceed against the NSA, but dismissed the NSC from the case. The Judge agreed with EPIC that “a referral of a FOIA request could be considered a ‘withholding’ if ‘its net effect is to impair the requester’s ability to obtain the records or significantly to increase the amount of time he must wait to obtain them,” but held that “an entity that is not subject to FOIA cannot unilaterally be made subject to the statute by any action of an agency, including referral of a FOIA request.”
In the interim, the White House published a description of the CNCI in March 2010. The initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains a secret. On August 30, 2011, the NSA released the heavily redacted version of two of the original three documents it had identified as responsive. The remaining document, NSPD 54 (and the CNCI, contained therein) was not released in any form.
On July 21, 2011, a briefing schedule was set for the case to move forward. The NSA invoked the narrowly construed “Presidential Communications Privilege” as the basis for withholding the text of NSPD 54 and the full version of the CNCI. The case remains pending in U.S. District Court for the District of Columbia for a finding on the merits of (a) the withholding of NSPD 54 and the CNCI in full and (b) the exemptions invoked to redact material from the August 30, 2011 documents.
EPIC v. National Security Agency & National Security Council, Case No. 10-0196 (RMU) (D.D.C. filed Feb. 2, 2010)