EPIC v. NSA - Cybersecurity Authority
- Executive Order Calls for More Cybersecurity Info "Sharing": President Obama announced today an Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages the companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained National Security Presidential Directive 54 which revealed the NSA's role in domestic cyber security. (Feb. 13, 2015)
- NSA Vows to Disclose Zero-Day Vulnerabilities: In a speech delivered at Stanford University, National Security Agency director Michael Rogers announced that the NSA will no longer stockpile "zero-day exploits", software glitches that could facilitate cyber espionage. In the past, the NSA has kept these vulnerabilities secret for use in counterintelligence. Admiral Rogers announced, "the default setting is if we become aware of a vulnerability, we share it." By disclosing vulnerabilities, the NSA allows software developers to fix the glitches and keep the internet more secure. Admiral Rogers recognized that "'a fundamentally strong Internet is in the best interest of the U.S.'" In December 2013, the President's Review Group on Intelligence and Communications Technologies recommended that "US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The Review Group report contains 45 other similar recommendations that EPIC generally supports and the White House has pledged to adopt. Earlier this year, the NSA's policies on zero-day exploits came under scrutiny when a glitch known as the "Heartbleed bug" threatened to undermine SSL encryption across the entire internet. For more information, see EPIC: In re EPIC and EPIC: NSPD-54 Appeal. (Nov. 13, 2014)
- DC Circuit Rules for EPIC in Case Against NSA, Vacates Lower Court Ruling That Secret Order Is Not Subject to FOIA: The U.S. Court of Appeals for the D.C. Circuit ruled in favor of EPIC today in a Freedom of Information Act case seeking the full text of National Security Presidential Directive 54, a previously-secret Presidential order granting the government broad authority over cybersecurity matters. EPIC successfully obtained the Directive from the NSA, and the DC Circuit has vacated the lower court’s Fall 2013 ruling that NSPD-54 was not an “agency record” subject to the FOIA. The Directive also includes the Comprehensive National Cybersecurity Initiative and evidences government efforts to enlist private sector companies to assist in monitoring Internet traffic. EPIC has several related FOIA cases against the NSA pending in federal court. For more information, see EPIC v. NSA: NSPD-54 Appeal and EPIC: Freedom of Information Act Cases. (Jul. 31, 2014)
- EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive: EPIC has filed its opening brief in EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document but a court ruled sua sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see EPIC: Presidential Directives and Cybersecurity and EPIC v. NSA: NSPD-54 Appeal. (Apr. 1, 2014)
- DHS Releases Revised Privacy Impact Assessment on Internet Monitoring Program: The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority. (Apr. 24, 2013)
- UPDATED: EPIC Appeals NSA's Withholding of Cybersecurity Directive: EPIC has appealed a decision by the National Security Agency to deny EPIC's Freedom of Information Act Request for the public release of Presidential Policy Directive 20. The Policy Directive expands the NSA's cybersecurity authority and has raised concerns about government surveillance of the Internet. EPIC's FOIA appeal points to numerous substantive and procedural defects in the NSA's response, and highlights the importance of public discussion of cyber security authority. The NSA has ten days to respond to EPIC's appeal. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority. (Nov. 27, 2012)
- President Issues Secret Cybersecurity Directive, EPIC Seeks Public Release: Following a Washington Post report of a new cyber security directive, EPIC has filed a Freedom of Information Act request for the release of Presidential Policy Directive 20. The Directive is believed to expand cyber security authority for the National Security Agency. EPIC is pursuing several FOIA cases, including the release of NSPD-54, an earlier Directive that gave NSA authority to conduct surveillance within the United States. EPIC has also sought public release of the technical arrangement between the NSA and Google that was adopted in January 2010. Federal law prevents the National Security Agency, a component of the Department of Defense, from conducting operations within the United States. For more information, see EPIC: Cybersecurity Privacy Practical Implications, EPIC: EPIC v. NSA - Cybersecurity Authority, and EPIC v. NSA: Google / NSA Relationship. (Nov. 14, 2012)
- EPIC Urges Senate to Safeguard FOIA for Cybersecurity: In a detailed statement to the Senate for a hearing on the "Freedom of Information Act: Safeguarding Critical Infrastructure and the Public's Right to Know," EPIC said that safeguarding FOIA was critical to ensure government oversight and accountability. EPIC described how the FOIA provides the public important information about safety and security, but also warned that the National Security Agency has become a "black hole" for public information about cyber security. EPIC described several NSA programs, including "Perfect Citizen," Internet wiretapping, and even the NSA's own legal authority which the agency has refused to release to the public. EPIC v. NSA, a challenge to the agency's "neither confirm nor deny" response to an EPIC FOIA request, will be heard next week by the DC Circuit Court of Appeals. For more information, see EPIC: Cybersecurity. (Mar. 12, 2012)
- EPIC Urges Court to Order Disclosure of CyberSecurity Authority: EPIC filed papers urging a federal court to order the National Security Agency to disclose National Security Presidential Directive 54, a key document governing national cybersecurity policy. The directive grants the NSA broad authority over the security of American computer networks. But the agency has refused to make the document public in response to an EPIC Freedom of Information Act request. EPIC noted that "The NSA’s position amounts to a claim that the President may enact secret laws, direct federal agencies to implement those laws, and shield the content of those laws from public scrutiny." EPIC argued that the law "does not support such a sweeping result." For more, see EPIC v. NSA - Cybersecurity Authority. (Dec. 23, 2011)
- EPIC to Appeal Security Agency's Non-response in FOIA Lawsuit: EPIC has filed a notice of appeal in EPIC v. NSA, a recent court decision that allowed the National Security Agency to neither confirm nor deny the existence of government records EPIC sought under the Freedom of Information Act. EPIC is seeking information about the relationship between Google and the NSA, which could reveal that the NSA is developing technical standards that would enable greater surveillance of Internet users. The NSA provided a "Glomar Response," a controversial legal claim that allows federal agencies to conceal the existence of records that might otherwise be subject to public disclosure. In related FOIA matters, EPIC is also seeking government documents relating to the NSA's cybersecurity authority and the NSA's "Perfect Citizen" program. For more information, see EPIC: Open Government. (Sep. 9, 2011)
In January 2008, President Bush issued National Security Presidential Directive 54 (NSPD 54), which grants the National Security Agency broad authority over the security of American computer networks. The Directive created the Comprehensive National Cybersecurity Initiative (CNCI), a "multi-agency, multi-year plan that lays out twelve steps to securing the federal government's cyber networks." This Directive was not released to the public.
EPIC's Freedom of Information Act Request and Subsequent Lawsuit
In June 2009, EPIC submitted a FOIA request to the NSA asking for copies of the Directive, the Initiative and privacy policies related to either. The request specifically asked for the following documents:
- The text of the National Security Presidential Directive 54.
- The full text of the Comprehensive National Cybersecurity Initiative, including unreported sections and any executing protocols distributed to the agencies in charge of its implementation.
- Any privacy policies related to the Directive or the Initiative, including contracts or other documents describing privacy policies with information shared with private contractors to facilitate the CNCI.
On July 1, 2009, the NSA acknowledged receipt of EPIC's FOIA request, but denied the request for expedited processing and did not make any substantive determination regarding the actual FOIA request. On July 30, 2009, EPIC submitted an administrative appeal challenging the NSA's failure to make a timely substantive determination as well as its denial of expedited processing. In response, the NSA granted EPIC's request for expedited processing, but did not make a substantive determination on the FOIA request. On August 14, 2009, the NSA released two documents that had previously been made public.
In October 2009, the NSA identified three relevant documents, but refused to disclose any of them. One document, relating to the text of the Directive, was not disclosed because the record "did not originate with" the NSA, and "has been referred to the National Security Council for review and direct response to" EPIC. Two other documents relating to privacy policies were withheld allegedly pursuant to a FOIA exemption. On November 24, 2009, EPIC appealed the NSA's determination. The NSA acknowledged receipt of this appeal in December, but failed to provide any further communication.
On February 4, 2010, EPIC filed a lawsuit against the NSA and the National Security Council to compel the disclosure of documents relating to NSPD 54. One of EPIC's counts against the NSA included an Administrative Procedures Act violation because the NSA referred EPIC's FOIA request to the NSC, which is not subject to FOIA.
In March 2010, the NSA and NSC filed a partial motion to dismiss the alleged FOIA violation against the NSC and the alleged APA violation against the NSA. EPIC filed an opposition on April 8, 2010, and the government filed its reply on April 15, 2010. On July 7, 2011, the District Court ordered that the lawsuit would proceed against the NSA, but dismissed the NSC from the case. The Judge agreed with EPIC that "a referral of a FOIA request could be considered a 'withholding' if 'its net effect is to impair the requester's ability to obtain the records or significantly to increase the amount of time he must wait to obtain them,'" but held that "an entity that is not subject to FOIA cannot unilaterally be made subject to the statute by any action of an agency, including referral of a FOIA request."
In the interim, the White House published a description of the CNCI in March 2010. The initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains a secret. On August 30, 2011, the NSA released heavily redacted versions of two of the original three documents it had identified as responsive. The remaining document, NSPD 54 (and the CNCI, contained therein), was not released in any form.
On July 21, 2011, a briefing schedule was set for the case to move forward. The NSA invoked the narrowly construed "Presidential Communications Privilege" as the basis for withholding the text of NSPD 54 and the full version of the CNCI. The case remains pending in U.S. District Court for the District of Columbia for a finding on the merits of (a) the withholding of NSPD 54 and the CNCI in full and (b) the exemptions invoked to redact material from the August 30, 2011 documents.
EPIC v. National Security Agency & National Security Council, Case No. 10-0196 (RMU) (D.D.C. filed Feb. 2, 2010)
- EPIC's Complaint Against NSA and NSC (Feb. 2, 2010) (pdf)
- NSA and NSC's Answer to EPIC's Complaint (Mar. 25, 2010) (pdf)
- NSA and NSC's Partial Motion to Dismiss (Mar. 25, 2010) (pdf)
- EPIC's Opposition to NSA and NSC's Partial Motion to Dismiss (Apr. 8, 2010) (pdf)
- NSA and NSC's Reply (Apr. 15, 2010) (pdf)
- Memorandum Opinion Dismissing NSC (July 7, 2011) (pdf)
- Scheduling Order (July 21, 2011) (pdf)
- NSA Motion for Summary Judgment (Oct. 11, 2011) (pdf)
- EPIC's Opposition and Cross Motion for Summary Judgment (Nov. 11, 2011) (pdf)
- NSA's Opposition and Reply (Dec. 8, 2011) (pdf)
- EPIC's Reply (Dec. 22, 2011) (pdf)
- Court's Memorandum Opinion and Order (Oct. 21, 2013) (pdf)
- EPIC Motion for Attorneys' Fees and Costs
- NSA Opposition to EPIC's Fee Motion
- EPIC's FOIA Request (June 25, 2009) (pdf)
- NSA's Acknowledgement and Response (July 1, 2009) (pdf)
- EPIC's Administrative Appeal (July 30, 2009) (pdf)
- NSA's Response to EPIC's Administrative Appeal (Aug. 12, 2009) (pdf)
- NSA's Additional Response (Oct. 26, 2009) (pdf)
- EPIC's Second Administrative Appeal (Nov. 24, 2009) (pdf)
- NSA's Response to EPIC's Second Administrative Appeal (Dec. 18, 2009) (pdf)
- NSA's August 14, 2009 Release of Two Documents Previously Made Public (pdf)
- NSA's August 30, 2011 Release of Two Redacted Documents (pdf)
- Cybersecurity Directive from Bush Kept Secret, Courthouse News, Oct. 23, 2013.
- EPIC FOIA Fails to Get Secret Presidential Cybersecurity Order, McClatchy DC, Oct. 22, 2013.
- Google Comes Under Fire for 'Secret' Relationship with NSA, PC World, Jan. 25, 2011.
- DHS Secretary Asserts Cybersecurity Leadership, Information Week, Dec. 20, 2010.
- Chinese leaders ordered Google hack, U.S. cable quotes source as saying, The Washington Post, Dec. 4, 2010.
- Military's Cyber Commander Swears: "No Role" in Civilian Networks, Wired.com, Sept. 23, 2010.
- General Alexander’s Confirmation And The Failure Of Cyberwar Transparency, Forbes.com Blog, May 13, 2010.
- Battling the Cyber Warmongers, The Wall Street Journal, May 8, 2010.
- Cyberwar Commander Survives Senate Hearing, Wired.com, April 15, 2010.
- Cyberwar Nominee Sees Gaps in Law, The New York Times, April 14, 2010.
- Cyber Command Nominee Keith Alexander: Military Must Return Cyber Attacks, The Huffington Post, April 14, 2010.
- White House Reveals Secret Cybersecurity Plan Developed Under Bush Administration, The Huffington Post, Mar. 10, 2010.
- U.S. to Reveal Rules on Internet Security, The New York Times, Mar. 1, 2010.
- Group files request for details on Google, NSA partnership, MarketWatch, Feb. 5, 2010.
- Google seeks assistance from NSA, The Boston Globe, Feb. 5, 2010.
- EPIC files FOIA request over reported Google, NSA partnership, Computerworld, Feb. 4, 2010.
- Google to enlist NSA to help it ward off cyberattacks, The Washington Post, Feb. 4, 2010.
- Report: Google, NSA talk defense partnership, CNET News, Feb. 3, 2010.
- Military Command Is Created for Cyber Security, The Wall Street Journal, June 24, 2009.
- Fending Off Attacks in Cyberspace, The New York Times Blog, May 29, 2009.
- Obama Outlines Coordinated Cyber-Security Plan, The New York Times, May 29, 2009.
- Control of Cybersecurity Becomes Divisive Issue, The New York Times, Apr. 16, 2009.
- Top Cyber Official Sounds Off, Forbes, Mar. 9, 2009.
- Federal cybersecurity director quits, complains of NSA role, Computerworld, Mar. 8, 2009.