[Infowarrior] - Why the White House Won't Release a Key Cyber Paper

Richard Forno rforno at infowarrior.org
Sat Mar 6 01:04:19 UTC 2010


Why the White House Won't Release a Key Cyber Paper

Mar 4 2010, 5:58 PM ET

http://www.theatlantic.com/personal/archive/2010/03/why-the-white-house-wont-release-a-key-cyber-paper/36954/

Even as the new government-wide cyber coordinator, Howard Schmidt,
pledged to promote transparency as the government moves to protect
cyberspace, the administration won't release a legal memorandum that
many, including the one-time head of its cyber security review, hoped
would be made public. The memo was drafted as an appendix to the White
House Cyberspace Policy Review led by Melissa Hathaway, at the time
the acting senior director for cyber issues at the National Security
Council. Hathaway has since left the government. She has told
colleagues that the White House overruled her decision to release the
legal annex. Administration officials dispute the idea that it was her
decision to make in the first place.

Speaking at last year's RSA conference, Hathaway praised the review
process for its "unprecedented transparency." A footnote in the
appendix of the main report notes that the legal analysis was not
intended to be of the type that would or could influence policy. And
the report itself calls for a new interagency legal review team -- the
team that would produce products for internal, executive-branch only
deliberation.

Hathaway, in discussing the review the next week, expressed enthusiasm
about the legal review to an audience of intelligence professionals
and journalists at a conference in Virginia. Bob Gourley, a former
senior intelligence official, blogged after the event that Hathaway
bragged about the comprehensiveness of the legal review. Gourley noted
that the legal annex "captures some of the opinion of federal
legal experts from across the government."

Wednesday, Schmidt announced the declassification of part of the
Comprehensive National Cyber Initiative, which has been shrouded in
secrecy, even to members of Congress. Even though most of the
information has been in the public domain, the declassification marked
a step that the previous administration was unwilling to take.

A senior administration official said the legal report would not be
released because its contents are classified. The official cited
"national security" as the reason why the legal annex has not been
released, said that the White House should have been given more credit
for declassifying some information about the CNCI, and said that
President Obama is committed to as much "transparency as possible."
Congress has also asked the White House for a copy of the annex and as
of a month ago had not received it. Schmidt told an audience earlier
this week that administration lawyers are working on about 40 discrete
issues.

But two people who have seen the report say that although it covers
sensitive matters like the legal authority the United States has to
conduct offensive cyber warfare, a minimally redacted version could be
released without compromising any intelligence program or strategy.
The document poses many questions, these people said, and does not
presuppose that the U.S. government has come to any conclusions. For
example, a portion of the document about the laws of war is a
straightforward, academic discussion about how they might or might not
apply to cyber attacks.

According to these people, the report also includes a rigorous
discussion about whether offensive cyber capabilities are best
described as a traditional military activity (and would therefore be subject
to Title 10 of the U.S. Code) or an intelligence activity, which would
impose a different set of legal requirements upon whatever action was
being considered. The analysis also ponders whether the U.S. might
establish a "first use" doctrine of cyber offense.

The legal annex includes some discussion about the National Security
Agency's data collection and retention policies, most of which has
already been declassified in other forums by the previous
administration. Among the more sensitive political issues that harass
elected officials is the degree to which the NSA might have to monitor
the dot-com domain in order to fully protect the country from major
cyber attacks. To date, government officials have been reluctant to
even acknowledge that the possibility would ever be discussed, which
would require Congress to change current law.

From the administration's perspective, because the questions raised in
the analysis were brought forward by lawyers working for intelligence
agencies, releasing the information would provide enemies with an
insight into what capabilities the government might have or might want
to develop.

"As vitally important as openness is, every organization also needs to
have confidentiality around legal deliberations so that the client can
get sound, unvarnished advice from counsel. That concern is
particularly acute in matters of national security," the official said
in an e-mailed statement. "These deliberations concerned important
legal issues facing the cyber review team, and should remain
privileged."

The official would not say whether the administration planned to
discuss the complex legal issues in public at any point. Aside from
offensive cyber warfare, these issues include the legal implications
of the government working with the private sector, restrictions
imposed by the Fourth Amendment, and whether existing statutes like the
Electronic Communications Privacy Act need to be expanded.

In 2006, the Justice Department produced an unclassified white paper
on the National Security Agency's surveillance program that was well
received, even as it protected sensitive programs and even as many
legal experts profoundly disagreed with the analysis. In 2009, it
released an unclassified legal memorandum on a sensitive government
program known as Einstein II, which was set up to protect servers on
the dot-gov domain.

In February, at a symposium at the University of Texas at Austin's law
school, a CIA consultant gave an unclassified speech, which included
CIA-approved PowerPoint slides, about the difficulties inherent in
crafting a comprehensive legal approach. The consultant, Sean Kanuck,
included several slides about the current questions the U.S.
government is wrestling with, including what type of cyber attack
constitutes an act of war, and whether offensive cyber security
actions require the government to take into account the potential for
human suffering on the other side. (Kanuck said at the time that his
presentation was not endorsed by the CIA and that his discussion did
not necessarily reflect any specific internal deliberations.)

As with the NSA program, the cyber law terrain triggers extreme
sensitivities, with journalists and commentators worrying about
whether the government is planning in secret to take control of the
Internet. They aren't -- but in refusing to open parts of the issue to
public discussion, they are feeding the uneducated and impoverished
public discourse on the subject.

"Why can't we have a debate about nuclear weapons that's in the
open and not have that debate about cyber?" said James A. Lewis of the
Center for Strategic and International Studies, who has consulted with
the administration in the past about cyber security issues. "The
answer they give is that we would give our adversaries notice of our
red lines. Well, that assumes the enemies don't know our red lines
already."

