Why the White House Won't Release a Key Cyber Paper

The struggle to balance national security with a promise of transparency

Even as the new government-wide cyber coordinator, Howard Schmidt, pledged to promote transparency as the government moves to protect cyberspace, the administration won't release a legal memorandum that many, including the one-time head of its cyber security review, hoped would be made public.

The memo was drafted as an appendix to the White House Cyberspace Policy Review led by Melissa Hathaway, at the time the acting senior director for cyber issues at the National Security Council. Hathaway has since left the government. She has told colleagues that the White House overruled her decision to release the legal annex. Administration officials dispute the idea that it was her decision to make in the first place.

Speaking at last year's RSA conference, Hathaway praised the review process for its "unprecedented transparency." A footnote in the appendix of the main report notes that the legal analysis was not intended to be of the type that would or could influence policy. And the report itself calls for a new interagency legal review team -- the team that would produce products for internal, executive-branch only deliberation.

Hathaway, in discussing the review the next week, expressed enthusiasm about the legal review to an audience of intelligence professionals and journalists at a conference in Virginia. Bob Gourley, a former senior intelligence official, blogged after the event that Hathaway bragged about the comprehensiveness of the legal review. Gourley noted that the legal annex "captures some of some of the opinion of federal legal experts from across the government."

Wednesday, Schmidt announced the declassification of part of the Comprehensive National Cyber Initiative, which has been shrouded in secrecy, even to members of Congress. Even though most of the information has been in the public domain, the declassification marked a step that the previous administration was unwilling to take.

A senior administration official said the legal report would not be released because its contents are classified. The official cited "national security" as the reason why the legal annex has not been released, said that the White House should have been given more credit for declassifying some information about the CNCI, and said that President Obama is committed to as much "transparency as possible." Congress has also asked the White House for a copy of the annex and as of a month ago had not received it. Schmidt told an audience earlier this week that administration lawyers are working on about 40 discrete issues.

But two people who have seen the report say that although it covers sensitive matters like the legal authority the United States has to conduct offensive cyber warfare, a minimally redacted version could be released without compromising any intelligence program or strategy. The document poses many questions, these people said, and does not presuppose that the U.S. government has come to any conclusions. For example, a portion of the document about the laws of war is a straightforward, academic discussion about how they might or might not apply to cyber attacks.

According to these people, the report also includes a rigorous discussion about whether offensive cyber capabilities are best described as a traditional military activity (and therefore be subject to Title 10 of the US code) or an intelligence activity, which would impose a different set of legal requirements upon whatever action was being considered. The analysis also ponders whether the U.S. might establish a "first use" doctrine of cyber offense.

The legal annex includes some discussion about the National Security Agency's data collection and retention policies, most of which has already been declassified in other forums by the previous administration. Among the more sensitive political issues that harass elected officials is the degree to which the NSA might have to monitor the dot.com domain in order to fully protect the country from major cyber attacks. To date, government officials have been reluctant to even acknowledge that the possibility would ever be discussed, which would require Congress to change current law.

From the administration's perspective, because the questions raised in the analysis were brought forward by lawyers working for intelligence agencies, releasing the information would provide enemies with an insight into what capabilities the government might have or might want to develop.

"As vitally important as openness is, every organization also needs to have confidentiality around legal deliberations so that the client can get sound, unvarnished advice from counsel. That concern is particularly acute in matters of national security," the official said in an e-mailed statement. "These deliberations concerned important legal issues facing the cyber review team, and should remain privileged."

The official would not say whether the administration planned to discuss the complex legal issues in public at any point. Aside from offensive cyber warfare, these issues include the legal implications of the government working with the private sector, restrictions imposed by the Fourth Amendment, whether existing statues like the Electronic Communications Privacy Act need to be expanded.

In 2006, the Justice Department produced an unclassified white paper on the National Security Agency's surveillance program that was well received, even as it protected sensitive programs and even as many legal experts profoundly disagreed with the analysis. In 2009, it released an unclassified legal memorandum on a sensitive government program known as Einstein II, which was set up to protect servers on the dot-gov domain.

In February, at a symposium at the University of Texas at Austin's law school, a CIA consultant gave an unclassified speech, which included CIA-approved Power Point slides, about the difficulties inherent in crafting a comprehensive legal approach. The consultant, Sean Kanuck, included several slides about the current questions the U.S. government is wrestling with, including what type of cyber attack constitutes an act of war, and whether offensive cyber security actions require the government to take into account the potential for human suffering on the other side. (Kanuck said at the time that his presentation was not endorsed by the CIA and that his discussion did not necessarily reflect any specific internal deliberations.)

As with the NSA program, the cyber law terrain triggers extreme sensitivities, with journalists and commentators worrying about whether the government is planning in secret to take control of the Internet. They aren't -- but in refusing to open parts of the issue to public discussion, they are feeding the uneducated and impoverished public discourse on the subject.

"Why can't we have a debate about nuclear weapons that it's in the open and not have that debate about cyber?" said James A. Lewis of the Center for Strategic and International Studies, who has consulted with the administration in the past about cyber security issues. "The answer they give is that we would give our adversaries notice of our red lines. Well, that assumes the enemies don't know our red lines already."

Thumbnail image credit: JohnSeb/Flickr