White House Offers Glimpse of Cybersecurity Program

The White House yesterday released a newly declassified description (pdf) of the Comprehensive National Cybersecurity Initiative (CNCI), a highly classified program that is intended to protect U.S. government computer networks against intrusion and disruption.

The cybersecurity initiative was established in January 2008 by President Bush’s classified National Security Presidential Directive (NSPD) 54, and quickly became controversial in part because of the intense secrecy surrounding it.

“Virtually everything about the initiative is highly classified,” the Senate Armed Services Committee complained in 2008, “and most of the information that is not classified is categorized as ‘For Official Use Only’.  These restrictions preclude public education, awareness and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties…. The Committee strongly urges the [Bush] Administration to reconsider the necessity and wisdom of the blanket, indiscriminate classification levels established for the initiative.”  No such reconsideration was forthcoming until now.

Concerns about overclassification were also expressed by the National Academy of Sciences in a 2009 report, which called for “a broad, unclassified national debate and discussion about cyber-attack policy,” and argued that “secrecy even about broad policy issues serves mostly to inhibit necessary discussion about them.”

The Comprehensive National Cybersecurity Initiative was “the single largest request and the most important initiative of the President’s fiscal year 2009 [intelligence] budget request,” the House Intelligence Committee said in its report on the FY2009 intelligence authorization act.

The Electronic Privacy Information Center filed a Freedom of Information Act lawsuit (pdf) just last month seeking declassification and disclosure of the Bush Administration’s NSPD 54.

But that foundational directive was not disclosed, nor did the Obama Administration address the issue of offensive cyber policy raised by the National Academy.  Instead, the White House released a descriptive summary of 12 component elements of the Cybersecurity Initiative, a gesture that it said was consistent with the President’s emphasis on increased transparency.

“Transparency is particularly vital in areas, such as the CNCI, where there have been legitimate questions about sensitive topics like the role of the intelligence community in cybersecurity,” said Howard A. Schmidt, the White House Cybersecurity Coordinator who announced the disclosure.  “Transparency provides the American people with the ability to partner with government and participate meaningfully in the discussion about how we can use the extraordinary resources and expertise of the intelligence community with proper oversight for the protection of privacy and civil liberties,” Mr. Schmidt said.

But without a clear delineation of legal authorities and implementation mechanisms, the scope for meaningful public discussion seems limited.

As the House Intelligence Committee put it in 2008, “a cybersecurity initiative [is] worthwhile in principle, but the details of the CNCI remain vague and, thus, open to question.”

In order to bolster independent oversight of programs such as the CNCI that must remain classified, at least in part, dozens of public interest organizations including the Federation of American Scientists this week urged President Obama (pdf) to finally appoint the members of an independent executive branch oversight board.

The Privacy and Civil Liberties Oversight Board (pdf), originally proposed in 2004 by the 9/11 Commission to monitor and defend civil liberties in information sharing and counterterrorism activities, was given independent agency status by Congress in 2007.  But it has remained vacant since that time and thus unable to fulfill its assigned task.

“It is crucial that you nominate qualified individuals to serve on the PCLOB, so that it may begin to provide guidance as new policies and procedures are developed,” the public interest group letter said.