EPIC v. NSA: NSPD-54 Appeal
On June 5, 2014, the NSA released National Security Presidential Directive 54 ("NSPD 54") to EPIC after nearly five years of FOIA litigation. NSPD 54 is the foundational legal document outlining the Comprehensive National Cybersecurity Initiative (CNCI), the federal government’s effort to coordinate cybersecurity policy across federal law enforcement, intelligence and executive agencies, as well as with other law enforcement agencies and the private sector. The previously-classified document reveals the underlying legal authority for sweeping changes to federal cybersecurity that have taken place over the last five years. Additionally, NSPD 54 contains significant differences from the previously-released description of the CNCI. For the first time, the public now has access to the document empowering federal agencies to share cybersecurity information, develop offensive cyber programs and improve automated and predictive cyber technologies. NSPD 54 provides the public with an explanation of the government's legal and policy choices regarding cybersecurity and reveals new information about the government's coordinated cybersecurity efforts.
- NSA Inspector General Issues First Unclassified Report: The NSA's Office of Inspector General issued the first unclassified semi-annual report to Congress on the National Security Agency. The report describes the internal watchdog's audits, studies, and investigations of the NSA's activities. Among other findings, the OIG uncovered improper searches through U.S. persons' data collected under the Foreign Intelligence Surveillance Act, as well as "many instances of noncompliance" with rules to secure NSA networks, systems, and data. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. EPIC also routinely highlights reporting on federal surveillance under the Wiretap Act. In EPIC v. NSA, EPIC obtained the Presidential Decision Directive, outlining the agency's authority for domestic surveillance. (Jul. 25, 2018)
- Executive Order Calls for More Cybersecurity Info "Sharing": President Obama announced today an Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages the companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained National Security Presidential Directive 54 which revealed the NSA's role in domestic cyber security. (Feb. 13, 2015)
- Privacy Board Renews Call for President Obama to End Bulk Collection: The Privacy and Civil Liberties Oversight Board released a report on prior recommendations regarding the NSA's domestic and global surveillance programs. The Board stated that the Obama Administration has failed to end the domestic telephone collection program. The Board stated, "the Administration can end the bulk telephone records program at any time, without congressional involvement." EPIC and a broad coalition have repeatedly urged the President to end the NSA's bulk record collection program. Previously, EPIC petitioned the Supreme Court, with the support of dozens of legal experts, arguing that the NSA program was unlawful. (Jan. 30, 2015)
- DC Circuit Rules for EPIC in Case Against NSA, Vacates Lower Court Ruling That Secret Order Is Not Subject to FOIA: The U.S. Court of Appeals for the D.C. Circuit ruled in favor of EPIC today in a Freedom of Information Act case seeking the full text of National Security Presidential Directive 54, a previously-secret Presidential order granting the government broad authority over cybersecurity matters. EPIC successfully obtained the Directive from the NSA, and the DC Circuit has vacated the lower court’s Fall 2013 ruling that NSPD-54 was not an “agency record” subject to the FOIA. The Directive also includes the Comprehensive National Cybersecurity Initiative and evidences government efforts to enlist private sector companies to assist in monitoring Internet traffic. EPIC has several related FOIA cases against the NSA pending in federal court. For more information, see EPIC v. NSA: NSPD-54 Appeal and EPIC: Freedom of Information Act Cases. (Jul. 31, 2014)
- EPIC v. NSA: EPIC Obtains Presidential Directive for Cybersecurity: After almost five years, EPIC has obtained National Security Presidential Directive 54. The previously classified Presidential Directive contains the full text of the Comprehensive National Cybersecurity Initiative and "establishes United States policy, strategy, guidelines, and implementation actions to secure cyberspace." This Directive, which is the foundational legal document for all cybersecurity policies in the United States, evidences government efforts to enlist private sector companies, more broadly monitor Internet activity, and develop offensive cybersecurity capability. EPIC first sought public release of NSPD-54 with a Freedom of Information Act request, submitted to NSA in June 2009. After the agency failed to disclose the document, EPIC filed suit. When a federal district court ruled in 2013 that the Presidential Directive was not subject to the Freedom of Information Act, EPIC then filed an appeal with the DC Circuit Court of Appeals. The document has now been disclosed to EPIC. The case is EPIC v. NSA, a Freedom of Information Act lawsuit in D.C. Circuit Court. EPIC has several related FOIA cases with the NSA pending in federal court. For more information see EPIC - EPIC v. NSA (Cybersecurity Authority). (Jun. 6, 2014)
- New Documents Reveal Close Ties Between NSA and Tech Companies, PBS Special to Air: New e-mails obtained under the Freedom of Information Act reveal former NSA Director Keith Alexander's close communication with technology companies regarding emerging cybersecurity threats. The CEOs of Google, Apple, Microsoft, and other technology companies were invited to classified briefings as part of the "Enduring Security Framework," a government initiative focused on sharing "cyber threat information with the private sector." EPIC previously sued the NSA to obtain records about the agency's collaboration with Google on cybersecurity, following the China hack in January 2010. In that case, the NSA refused to confirm or deny the existence of any records responsive to EPIC's request. EPIC had previously urged Google to routinely encrypt cloud-based services. PBS Frontline begins a two-part special this week that explores NSA surveillance and the role of tech companies. For more information, see EPIC v. NSA: Google/NSA Relationship and EPIC: Cybersecurity. (May 12, 2014)
- FOIA Groups Support EPIC in Case Against NSA: Several open government organizations, including Public Citizen, the Sunlight Foundation, the Project on Government Oversight, Citizens for Responsibility and Ethics in Washington, the Center for Effective Government and Openthegovernment.org have filed an amicus brief supporting EPIC in EPIC v. NSA. EPIC is seeking to obtain a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act Request to the NSA for NSPD-54 and several related documents. After the agency refused to disclose the Directive, EPIC sued the NSA under the Freedom of Information Act. The NSA then disclosed several documents but argued it could withhold NSPD-54 under a narrow legal exemption. Surprisingly, a federal court ruled sua sponte that NSPD-54 was not an "agency record" and simply dismissed the case. The FOIA groups argued that the judge's decision was contrary to FOIA law because NSPD-54 is an agency record and also because courts cannot dismiss such cases particularly when the agency itself thought it was subject to the law. For more information see: EPIC v. NSA. (Apr. 8, 2014)
- EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive: EPIC has filed its opening brief in EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document but a court ruled sua sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see EPIC: Presidential Directives and Cybersecurity and EPIC v. NSA: NSPD-54 Appeal. (Apr. 1, 2014)
- EPIC Accepts NSA's Settlement Offer, Receives Attorneys Fees: EPIC has accepted the NSA's offer to settle a Freedom of Information Act case EPIC v. NSA. EPIC sought both National Security Presidential Directive 54, a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States, as well as documents related to NSPD 54. EPIC received some of the documents as a result of the lawsuit, "substantially prevailing" under the FOIA, and prompting the NSA to make a settlement offer to EPIC. As a consequence, EPIC will receive attorneys fees from the NSA. EPIC is simultaneously appealing the lower court's determination that NSPD-54 is not an "agency record" subject to the FOIA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. For the appeal, EPIC has already filed a Statement of the Issue, and the parties are waiting for the D.C. Circuit Court of Appeals to set a briefing schedule. For more information, see EPIC v. NSA - Cybersecurity Authority. (Feb. 11, 2014)
- EPIC Files Appeal, Challenging Secrecy of Presidential Directives: EPIC has filed a Statement of the Issue Presented with the D.C. Circuit Court of Appeals. EPIC is appealing a lower court decision that NSPD 54 -- a Presidential Directive setting out the scope of the NSA's authority over computer networks in the United States -- is not subject to disclosure under the Freedom of Information Act. EPIC sought the Presidential Directive, signed by President Bush in January 2008, from the National Security Agency after the White House disclosed the existence of the Directive but not the substance. After the agency failed to respond to EPIC's FOIA request, EPIC filed an administrative appeal, and then a lawsuit. The lower court ruled in EPIC v. NSA that the Presidential Directive is not subject to the FOIA because it was not under "the control" of the NSA. It was the first time a federal court has ruled that a Presidential Directive is not subject to the Freedom of Information Act. EPIC is now asking the Court of Appeals to determine, "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA." For more information, see EPIC v. NSA: Cybersecurity Authority. (Jan. 22, 2014)
EPIC filed a Freedom of Information Act request for National Security Presidential Directive 54 (NSPD-54), the "Cybersecurity Policy Presidential Directive". The document in question is a presidential order concerning the implementation of federal cybersecurity policy that carries the force of law. The President issued NSPD-54 "to a number of high ranking Presidential advisers, Cabinet officials, and agency heads, including (inter alia) the Director of NSA."
EPIC's Freedom of Information Requests
On June 25, 2009, EPIC submitted a FOIA request to the NSA, seeking the text of NSPD-54, executing protocols, and related privacy policies. EPIC also requested expedited processing. On July 1, 2009, the NSA acknowledged receipt of EPIC's FOIA request but denied expedited processing and made no determination as to the substance of EPIC's request. On July 30, 2009, EPIC filed an administrative appeal, challenging the NSA's denial of expedited processing as well as its failure to make a timely substantive determination under 5 U.S.C. §552(a)(6). In response to EPIC's administrative appeal, the NSA granted EPIC's request for expedited processing, but did not make a substantive determination on EPIC's FOIA request.
On October 26, 2009, the NSA sent EPIC a letter identifying three documents responsive to EPIC's request. The last document identified, which included the full text of NSPD-54, was "referred to the National Security Council (NSC) for review and direct response" to EPIC. Id. The NSA stated that the two other responsive documents, relating to privacy policies, were exempt from disclosure. Id. On November 24, 2009, EPIC appealed the NSA's determination. The NSA acknowledged receipt of this appeal on December 18, 2009, but failed to respond further to EPIC's appeal or its request. The NSC never contacted EPIC regarding the request for the text of NSPD-54 held by the NSA.
On February 4, 2010, EPIC filed a lawsuit against the NSA and the NSC under the Freedom of Information Act and the Administrative Procedure Act. In its Complaint, EPIC alleged that the NSA had failed to comply with the FOIA’s statutory deadlines, that the NSA and NSC had unlawfully withheld responsive records under the FOIA, and that the NSA had violated the Administrative Procedure Act by referring EPIC’s FOIA request to the NSC, which is not an agency subject to the FOIA.
In March 2010, the NSA and NSC filed a partial motion to dismiss the entire Complaint as to the defendant NSC and the alleged APA violation as to the defendant NSA. On July 7, 2011, the District Court ordered that the lawsuit would proceed against the NSA, but dismissed the NSC from the case. The lower court agreed with EPIC that “a referral of a FOIA request could be considered a ‘withholding’ if ‘its net effect is to impair the requester’s ability to obtain the records or significantly to increase the amount of time he must wait to obtain them,’” but held that “an entity that is not subject to FOIA cannot unilaterally be made subject to the statute by any action of an agency, including referral of a FOIA request.” Id.
In the interim, the White House published a summary of federal cybersecurity policy. However, the text of NSPD-54 remained a secret. On August 30, 2011, the NSA released a heavily redacted version of two documents it had identified as responsive to EPIC’s request. The remaining document, NSPD 54, was not released in any form. Id.
On October 11, 2011, the NSA filed a Motion for Summary Judgment, arguing that it had properly fulfilled its duties under the statute. In its Motion, the NSA invoked the presidential communications privilege of FOIA Exemption 5 as the basis for withholding the text of NSPD-54. The NSA also argued that one paragraph of NSPD-54 was properly classified and thus subject to Exemption 1. The NSA provided two declarations: one from its Deputy Associate Director of Policy and Records, Diane M. Janosek, and another from the Director of the National Security Staff (“NSS”) Access Management Office, which is a “component of the Executive Office of the President (EOP).” Both declarations contended that NSPD-54 could be withheld under the presidential communications privilege.
On November 11, 2011, EPIC filed its Memorandum in Opposition and Cross Motion for Summary Judgment, arguing that NSPD-54 could not be withheld under Exemption 5 because the presidential communications privilege was not properly invoked. In its Cross Motion, EPIC also argued that NSPD-54 was not subject to the privilege, and that the public’s interest in disclosure outweighs the agency’s interest in secrecy.
On September 9, 2013, nearly two years after briefing had concluded, the lower court issued a Minute Order, offering EPIC and the NSA the opportunity to brief the relevance of a recent decision of the D.C. Circuit, Judicial Watch v. U.S. Secret Serv., 726 F.3d 208 (D.C. Cir. 2013). In Judicial Watch, the D.C. Circuit ruled that White House visitor logs, held temporarily by the Secret Service, were not "agency records" subject to the FOIA. In the Joint Status Report, EPIC and NSA stated that “The parties have conferred and agreed that no supplemental briefing is necessary.”
The court issued a Memorandum Opinion and Order on October 21, 2013. In the Opinion, the court held that NSPD-54 was not an “agency record” subject to the FOIA. As a result, the court found that it did not “have the power under the FOIA” to order disclosure of NSPD-54. According to the lower court, “[T]he parties gloss over the question of whether NSPD 54 is an ‘agency record’ at all, which is a threshold question the Court must resolve before turning to the applicability of any exemptions . . . . Under this Circuit’s recent opinion in Judicial Watch, the answer to this critical question as to NSPD 54 is no, rendering all other arguments about the applicability of Exemption 5 moot.” Id.
The court ruled that documents originating in the President’s National Security Staff are not in the “control” of the agencies to which they are issued. The court also concluded that NSPD-54 was not sufficiently in the “control” of the NSA for it to qualify as an “agency record.”
EPIC's Appeal to the DC Circuit
On December 17, 2013, EPIC filed its notice of appeal to the D.C. Circuit. EPIC identified the issue on appeal as:
- "Whether the district court erred in holding that a Presidential Directive in the possession of a federal agency is not an agency record subject to the FOIA."
On June 5, 2014, the NSA released National Security Presidential Directive 54 ("NSPD 54") to EPIC after nearly five years of FOIA litigation. The document was released after EPIC had written and filed its opening brief in the Appeal to the D.C. Circuit but before the DOJ had responded with their reply brief.
Comprehensive Cybersecurity Initiative
In 2009, the White House previously released the Comprehensive National Cybersecurity Initiative ("CNCI"), which was meant to summarize NSPD 54. This was not the actual legal text of the CNCI, but a paraphrase. NSPD-54 contains the actual legal text of the CNCI, released to the public for the first time. However, the release of NSPD 54 has revealed significant discrepancies between the publicly released document and the government’s previous summary.
- While the summary of the CNCI framed the government's cybersecurity efforts as defending against malicious cyber attacks, NSPD 54 also empowers agencies to coordinate and apply offensive strategies. This authority for offensive action was not previously released to the public in the CNCI.
- NSPD 54 empowers all Federal agencies to "increase predictive, behavioral, information, and trend analyses." These analyses will be used to anticipate future potential cybersecurity threats. The summary of the CNCI did not mention predictive or behavioral trend analyses as part of the government’s cybersecurity initiative.
- NSPD 54 directs agencies to "assume that adversaries have the capability and intent to . . . capture [all data currently residing on Federal government networks]." Although the summary of the CNCI identified cybersecurity as "one of the most serious economic and national security challenges we face as a nation," it omitted language directing agencies to "assume" the capabilities and intent of foreign powers.
- NSPD 54 directs coordination between intelligence agencies and law enforcement to "better support investigations." The initiative does not specify when information sharing between intelligence agencies and law enforcement is appropriate or how such information should be used to conduct law enforcement investigations. The summary of the CNCI did not mention law enforcement investigations as part of the government cybersecurity initiative.
- NSPD 54 directs agencies to implement a plan to "deploy active response sensors across Federal systems." CNCI omits the language "active response sensors," instead describing only "passive sensors" and "the ability to automatically detect and respond appropriately to cyber threats before harm is done."
The EINSTEIN Program is an automated cybersecurity tool developed for use across Federal civilian government networks. Four versions of the program have been developed: EINSTEIN 1, EINSTEIN 2, EINSTEIN 3, and EINSTEIN 3 Accelerated (“E3A”). EINSTEIN 1, developed in 2003, had the ability to collect and “analyze network flow records,” recording the source and destination IP address to identify security threats. EINSTEIN 2 expanded on EINSTEIN 1, adding the ability to detect network intrusions based on specific patterns of network activity.
NSPD-54 directed DHS to "accelerate deployment of the Einstein program to all Federal systems," and to "enhance the Einstein program to include full-packet content and protocol signature detection." Following this, DHS began a pilot program called "Initiative 3" to develop and implement Einstein 3, which supposedly can "identify and characterize malicious network traffic [and] automatically detect and respond appropriately to cyber threats before harm is done." The DHS has described the Einstein 3 Accelerated system as allowing "for the near real-time deep packet inspection of federal network traffic to identify and react to known or suspected cyber threats." In implementing E3A, DHS states that it “will contract with ISPs to provide E3A managed intrusion prevention security services to deploy countermeasures against known indicators in order to better secure the federal networks.” NSPD-54 serves as the original foundational legal document for the development and extension of the Einstein system, which has the capacity to examine network traffic at the ISP level, beyond a merely defensive status.
D.C. Circuit Documents
- Opening Brief of Plaintiff-Appellant EPIC
- Joint Appendix
- Amicus Curiae Brief of Public Citizen, Center for Effective Government, Citizens for Responsibility and Ethics in Washington, Openthegovernment.org, Project on Government Oversight, and Sunlight Foundation in Support of Appellant EPIC