You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

EPIC v. NSA - Cybersecurity Authority

Top News

  • NSA Inspector General Issues First Unclassified Report: The NSA's Office of Inspector General issued the first unclassified semi-annual report to Congress on the National Security Agency. The report describes the internal watchdog's audits, studies, and investigations of the NSA's activities. Among other findings, the OIG uncovered improper searches through U.S. persons' data collected under the Foreign Intelligence Surveillance Act, as well as "many instances of noncompliance" with rules to secure NSA networks, systems, and data. In 2012, EPIC testified before Congress on the need for better reporting on the use of FISA authorities. EPIC also routinely highlights reporting on federal surveillance under the Wiretap Act. In EPIC v. NSA, EPIC obtained the Presidential Decision Directive, outlining the agency's authority for domestic surveillance. (Jul. 25, 2018)
  • Federal Court: DHS Failed to Justify Withholdings in Defense Contractor Monitoring FOIA Case: In EPIC v. DHS, a federal district court ruled that the Department of Homeland Security failed to justify withholding documents subject to the Freedom of Information Act. EPIC sued DHS to compel the disclosure of records relating to a cybersecurity program designed to monitor traffic flowing through ISPs to a select number of defense contractors. The court concluded that the agency's argument relied on "a weak assumption," but will allow the agency to submit a revised justification for withholding the records. EPIC previously won a five-year legal battle to release NSPD-54, the foundational legal document for U.S. cybersecurity policies. (Aug. 5, 2015)
  • Open Government Groups Oppose Cyber Security Bills: A broad coalition of organizations now opposes cybersecurity bills currently before Congress. The groups warn that the measures will increase monitoring of Internet users, increase government secrecy, and remove judicial oversight for government surveillance. Many have described the cyber security bills as "cyber surveillance" measures. Last year, EPIC won a five-year court battle against the NSA for NSPD 54, the foundational legal document for U.S. cybersecurity policies. The Directive reveals the NSA's interest in enlisting companies to monitor user activity in the United States. (Apr. 23, 2015)
  • Court Awards EPIC Attorneys' Fees in FOIA Case Against NSA: A federal district court has ordered the NSA to pay EPIC attorneys' fees in a lawsuit that led to the release of a presidential cybersecurity order. Back in 2009, EPIC requested National Security Presidential Directive 54, which concerns the NSA's domestic surveillance authority. After EPIC brought suit and then an appeal to the D.C. Circuit, the NSA finally released the document to EPIC. The agency then opposed EPIC's request for attorneys' fees in the case. A federal court has now ruled that NSA's refusal to disclose the document was "incorrect as a matter of law," that EPIC had "substantially prevailed," and awarded EPIC more than $31,000 in fees. (Apr. 9, 2015)
  • Senate Committee Approves Cyber Surveillance Bill: In a closed-door meeting, the Senate Select Committee on Intelligence approved the "Cyber Information Sharing Act of 2015". The bill would allow the government to obtain user information from private companies without judicial oversight. Companies would receive immunity for their disregard of existing privacy law. Senator Wyden, who opposed the measure, stated, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill - it's a surveillance bill by another name." Last year, EPIC won a five-year court battle against the NSA for NSPD 54—the foundational legal document for U.S. cybersecurity policies. The Directive reveals the government's long-standing interest in enlisting private sector companies to monitor user activity. (Mar. 14, 2015)
  • Executive Order Calls for More Cybersecurity Info "Sharing": President Obama announced today an Executive Order to promote collaboration between the private sector and the government to counter cyber threats. The Order encourages companies to disclose user data to the federal government outside any judicial process. The Order also promotes compliance with Fair Information Practices and adoption of such Privacy Enhancing Techniques as data minimization. The Executive Order is one of several cybersecurity initiatives announced by the President. In EPIC v. NSA, after a five-year court battle, EPIC obtained National Security Presidential Directive 54, which revealed the NSA's role in domestic cyber security. (Feb. 13, 2015)
  • NSA Vows to Disclose Zero-Day Vulnerabilities: In a speech delivered at Stanford University, National Security Agency director Michael Rogers announced that the NSA will no longer stockpile "zero-day exploits", software glitches that could facilitate cyber espionage. In the past, the NSA has kept these vulnerabilities secret for use in counterintelligence. Admiral Rogers announced, "the default setting is if we become aware of a vulnerability, we share it." By disclosing vulnerabilities, the NSA allows software developers to fix the glitches and keep the internet more secure. Admiral Rogers recognized that "a fundamentally strong Internet is in the best interest of the U.S." In December 2013, the President's Review Group on Intelligence and Communications Technologies recommended that "US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks." The Review Group report contains 45 other similar recommendations that EPIC generally supports and the White House has pledged to adopt. Earlier this year, the NSA's policies on zero-day exploits came under scrutiny when a glitch known as the "Heartbleed bug" threatened to undermine SSL encryption across the entire internet. For more information, see EPIC: In re EPIC and EPIC: NSPD-54 Appeal. (Nov. 13, 2014)
  • DC Circuit Rules for EPIC in Case Against NSA, Vacates Lower Court Ruling That Secret Order Is Not Subject to FOIA: The U.S. Court of Appeals for the D.C. Circuit ruled in favor of EPIC today in a Freedom of Information Act case seeking the full text of National Security Presidential Directive 54, a previously-secret Presidential order granting the government broad authority over cybersecurity matters. EPIC successfully obtained the Directive from the NSA, and the DC Circuit has vacated the lower court’s Fall 2013 ruling that NSPD-54 was not an “agency record” subject to the FOIA. The Directive also includes the Comprehensive National Cybersecurity Initiative and evidences government efforts to enlist private sector companies to assist in monitoring Internet traffic. EPIC has several related FOIA cases against the NSA pending in federal court. For more information, see EPIC v. NSA: NSPD-54 Appeal and EPIC: Freedom of Information Act Cases. (Jul. 31, 2014)
  • EPIC v. NSA: EPIC Appeals Lower Court Decision on Presidential Directive: EPIC has filed its opening brief in EPIC v. NSA. EPIC is seeking to obtain NSPD-54, a Presidential Directive on cyber security that was widely circulated to federal agencies and senior policy advisors. EPIC submitted a Freedom of Information Act request to the NSA for NSPD-54 and several related documents. The NSA turned over some of the materials to EPIC but withheld the Directive. EPIC then sued the agency to force disclosure of the document, but a court ruled sua sponte that the NSA did not have control over NSPD-54, and thus it was not an "agency record" subject to release. It was the first time a federal court had ruled that a Presidential Directive was not subject to FOIA. In the appeal, EPIC argued that the agency has the document and therefore bears the burden of proving it is not an "agency record." EPIC also pointed out that the lower court failed to apply the control test followed by other courts, and that the NSA itself never claimed that NSPD-54 was not an agency record. For more information, see EPIC: Presidential Directives and Cybersecurity and EPIC v. NSA: NSPD-54 Appeal. (Apr. 1, 2014)
  • DHS Releases Revised Privacy Impact Assessment on Internet Monitoring Program: The Department of Homeland Security has released a Privacy Impact Assessment for Einstein 3 - Accelerated. Einstein 3 is a government cybersecurity program that monitors Internet traffic. The monitoring includes scanning email destined for .gov networks for malicious attachments and URLs. According to DHS, the basis of the government’s authority to perform the monitoring is National Security Presidential Directive 54. EPIC is pursuing FOIA litigation to force the government to release the Directive to the public. For more information, see EPIC v. NSA - Cybersecurity Authority. (Apr. 24, 2013)

Background

In January 2008, President Bush issued National Security Presidential Directive 54 (NSPD 54), which grants the National Security Agency broad authority over the security of American computer networks. The Directive created the Comprehensive National Cybersecurity Initiative (CNCI), a "multi-agency, multi-year plan that lays out twelve steps to securing the federal government's cyber networks." This Directive was not released to the public.

EPIC's Freedom of Information Act Request and Subsequent Lawsuit

In June 2009, EPIC submitted a FOIA request to the NSA asking for copies of the Directive, the Initiative and privacy policies related to either. The request specifically asked for the following documents:

  • The text of the National Security Presidential Directive 54.
  • The full text of the Comprehensive National Cybersecurity Initiative, including unreported sections and any executing protocols distributed to the agencies in charge of its implementation.
  • Any privacy policies related to the Directive or the Initiative, including contracts or other documents describing privacy policies with information shared with private contractors to facilitate the CNCI.

Noting the extraordinary public interest in the plan and the public's right to comment on the measures in Congress, EPIC asked the NSA to expedite the processing of its request.

On July 1, 2009, the NSA acknowledged receipt of EPIC's FOIA request, but denied the request for expedited processing and did not make any substantive determination regarding the actual FOIA request. On July 30, 2009, EPIC submitted an administrative appeal challenging the NSA's failure to make a timely substantive determination as well as its denial of expedited processing. In response, the NSA granted EPIC's request for expedited processing, but did not make a substantive determination on the FOIA request.

On August 14, 2009, the NSA released two documents that had previously been made public.

In October 2009, the NSA identified three relevant documents, but refused to disclose any of them. One document, relating to the text of the Directive, was not disclosed because the record "did not originate with" the NSA, and "has been referred to the National Security Council for review and direct response to" EPIC. Two other documents relating to privacy policies were withheld allegedly pursuant to a FOIA exemption. On November 24, 2009, EPIC appealed the NSA's determination. The NSA acknowledged receipt of this appeal in December, but failed to provide any further communication.

On February 4, 2010, EPIC filed a lawsuit against the NSA and the National Security Council to compel the disclosure of documents relating to NSPD 54. One of EPIC's counts against the NSA alleged an Administrative Procedure Act violation because the NSA referred EPIC's FOIA request to the NSC, which is not subject to FOIA.

In March 2010, the NSA and NSC filed a partial motion to dismiss the alleged FOIA violation against the NSC and the alleged APA violation against the NSA. EPIC filed an opposition on April 8, 2010, and the government filed its reply on April 15, 2010. On July 7, 2011, the District Court ordered that the lawsuit would proceed against the NSA, but dismissed the NSC from the case. The Judge agreed with EPIC that "a referral of a FOIA request could be considered a 'withholding' if 'its net effect is to impair the requester's ability to obtain the records or significantly to increase the amount of time he must wait to obtain them,'" but held that "an entity that is not subject to FOIA cannot unilaterally be made subject to the statute by any action of an agency, including referral of a FOIA request."

In the interim, the White House published a description of the CNCI in March 2010. The initiatives cover a wide range of government activity, from cyber education to intrusion detection. However, the text of the underlying legal authority for cybersecurity still remains a secret. On August 30, 2011, the NSA released heavily redacted versions of two of the original three documents it had identified as responsive. The remaining document, NSPD 54 (and the CNCI, contained therein), was not released in any form.

On July 21, 2011, a briefing schedule was set for the case to move forward. The NSA invoked the narrowly construed "Presidential Communications Privilege" as the basis for withholding the text of NSPD 54 and the full version of the CNCI. The case remains pending in U.S. District Court for the District of Columbia for a finding on the merits of (a) the withholding of NSPD 54 and the CNCI in full and (b) the exemptions invoked to redact material from the August 30, 2011 documents.

Legal Documents

EPIC v. National Security Agency & National Security Council, Case No. 10-0196 (RMU) (D.D.C. filed Feb. 2, 2010)

Freedom of Information Act Documents

Released Documents

News Items
