EPIC v. DHS - Defense Contractor Monitoring

Top News

  • EPIC Presses Department of Defense on Privacy of Cyber Threat Information: In a statement to Congress in advance of a hearing on the Department of Defense's cyber operations, EPIC urged lawmakers to consider the privacy impact of cyber policies. The Cybersecurity Information Sharing Act of 2015 allowed the federal government to obtain cyber threat information from the private sector—much of which concerns the activities of individual Internet users—without privacy safeguards. EPIC urged Congress to ask Michael Rogers, the Commander of U.S. Cyber Command, about the steps the Defense Department will take to reduce privacy risks. EPIC previously sued the federal government for information regarding a Department of Homeland Security program that allowed the NSA to monitor the Internet traffic of defense contractors. (Feb. 27, 2018)
  • Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority: Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a post to the Guardian by Glenn Greenwald. For more information, see EPIC: Presidential Directives and Cybersecurity, EPIC: EPIC v. NSA - Cybersecurity Authority and EPIC: Cybersecurity Privacy Practical Implications. (Jun. 8, 2013)
  • EPIC FOIA Request Reveals Details About Government Cybersecurity Program: New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority. (Apr. 24, 2013)


On June 16, 2011, the Washington Post reported that the NSA had implemented a new program designed to monitor all traffic flowing through certain ISPs to a select number of defense contractors. The goal of this pilot program is the "thwarting [of] cyberattacks against defense firms," although Deputy Secretary of Defense William J. Lynn III stated that "[w]e hope the . . . cyber pilot can be the beginning something bigger." The NSA pilot program is to serve as a model that can be "transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security."

Although no public name has been given to this new program, it is known that the NSA has partnered with AT&T, Verizon and CenturyLink to filter the traffic of fifteen defense contractors, including Lockheed Martin, CSC, SAIC and Northrop Grumman. The NSA claims that it will not be "direct[ly] monitoring the contractors' networks." Instead, it has developed "signatures" of malicious code as well as sequences of suspicious network behavior that it will apply to filter all Internet traffic on those ISPs that flows to these defense contractors. By applying these signatures and filtering suspicious behavior, the NSA will be able to "disable the threats before an attack can penetrate a contractor's servers."

Individuals within the Department of Justice expressed misgivings that the program would "run afoul of privacy laws forbidding government surveillance of private Internet traffic." The Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. ยง 2510, prohibits the interception of electronic communications without a court order or consent from one of the parties. The NSA has alleged that the Agency "will not directly filter the traffic or receive the malicious code captured by Internet providers." It is unclear how the program can detect malicious code and prevent its execution without "captur[ing]" it in violation of federal law.

Deputy Secretary of Defense William J. Lynn III publicly spoke about the program and provided a rough outline of its scope. He stated that it is currently run by the NSA, and that DHS is a partner.

EPIC's Freedom of Information Act Request and Subsequent Lawsuit

In July 2011, EPIC submitted a FOIA request to DHS asking for:

  • All contracts and communications with Lockheed Martin, CSC, SAIC, Northop Grumman, or any other defense contractors regarding the new NSA pilot program;
  • All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program;
  • All analyses, legal memoranda, and related records regarding the new NSA pilot program;
  • Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program;
  • Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.

DHS referred EPIC's FOIA Request to the National Protection and Programs Directorate. The Directorate is charged with risk-reduction activities associated with the mission of DHS. The National Protection and Programs Directorate failed to provide any documents, and EPIC filed an Administrative Appeal in January 2012.

On March 1, 2012, EPIC filed a lawsuit against the DHS based on that Agency's non-responsiveness to EPIC's request and in order to compel the disclosure of documents relating to the monitoring program.

Legal Documents

EPIC v. Department of Homeland Security, Case No. 12-00333 (GK) (D.D.C. filed Mar. 1, 2012)

Freedom of Information Act Documents

Released Documents

News Items

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security