The Cybersecurity Executive Order: A Right Start

May 13, 2017

President Trump issued two days ago a much anticipated executive order that reflects mature thinking about managing the sprawling kluge of federal networks, a determination to do it, and an over-estimation of the government’s ability to comply with demands for 16 Cabinet-level reports in short order. Whether the order is rigorously implemented remains to be seen, but it’s a right start.

The order’s provisions on critical infrastructure are hesitant by comparison, but far more robust than the terms of the leaked drafts floating around since January. That’s a welcome change. The order follows by six weeks the publication of a Report by MIT’s Internet Policy Research Institute called “Keeping America Safe: Toward More Secure Networks for Critical Infrastructure.” (I was the principal author of that report.) The comparisons are interesting.

Federal Networks

The order’s strong points are simple, yet they had never been articulated at the highest level of government, let alone implemented. First, excepting national security systems, cybersecurity risk will now be managed as a joint executive branch enterprise, rather than as a series of inconsistent departmental enterprises. Doing this will trench on departmental prerogatives and will therefore require strong presidential leadership. Watch for blood on the floor. If you don’t see any, it isn’t happening. If it does happen, better security and substantial efficiencies in procurement and management should result.

Second, the order directs the newly created American Technology Council to report within 90 days on the technical feasibility and cost effectiveness of transitioning all federal agencies, or a subset of them, to one or more consolidated network architectures and shared IT services. The danger here is the risk of moving from multiple points of failure to a single point of failure. The drafters seem aware of this danger, however. Hence the reference to subsets of agencies and “one or more” architectures.

Third, the order requires agencies to abandon competing standards for evaluating cybersecurity risk. All agencies must now use “The Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology. The MIT Report observed (as have others) that competing compliance standards create confusion and suggested that the NIST Framework be adopted across the government. This will now be done. We also suggested that the Framework be imposed on federal contractors. That has not been done.

Fourth, the order requires the Office of Management and Budget to join the Secretary of Homeland Security in assessing the progress of the order’s implementation. This is critical. OMB is the hammer in the Executive Branch. It controls the money. It not only giveth; it taketh away. The MIT Report’s first recommendation was to involve OMB in precisely this way. If this provision is robustly implemented, it will bring results.

How should we judge the success of this part of the order? The only metric that ultimately matters is the reduction in the number of federal cyber incidents that result either in the loss of significant information (by volume or sensitivity) or in the implantation of malware that cannot be readily identified and remediated.

Five proxy metrics should also be officially tracked and made public:

  1. An increase in the dollar volume of joint department procurement of equipment and services relating to the order;
  2. The number of agencies that move (a) to one or more consolidated network architectures, and (b) to shared IT services – without creating a single point of failure;
  3. The dollar volume of funds that are reprogrammed within and between agencies in response to the ongoing evaluations called for in the order;
  4. The dollar volume of Congressionally authorized expenditures fenced in response to these evaluations; and
  5. Whether cabinet officials are fired if their departments suffer from avoidable network failures.

Critical Infrastructure

The section of the order dealing with critical infrastructure is less precise, less sure-footed, and less satisfying. I believe it represents an awareness that earlier drafts paid insufficient attention to the topic, but no conviction about what to do about it. Fair enough. About 85 percent of this infrastructure is privately owned, and while national security depends on it, the President can’t simply order its owners to do what he wants.

The order therefore commands five reports to the President. The first is to identify all federal legal authorities that can be used to support the infrastructure at greatest risk. It is difficult to believe that authoritative memoranda on this topic do not already exist in the departments of justice and homeland security.

The second report will examine “the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities ….” Obscurity this dense in an otherwise clear order must be intentional. I translate it thus: “We are going to figure out better ways to publicly embarrass big companies whose cybersecurity really stinks.” If that’s what it means, I’m for it.

The third report will evaluate ways to improve resilience against botnets and other automated attacks. This is a good idea, but I fear the drafters believe that the fundamental insecurity of Internet communications is technological. Technological challenges do exist. Automated attacks require automated defenses. But as the MIT Report makes clear, the most difficult obstacles in the way of higher cybersecurity are not technological. They are legal, economic, and managerial. (Short explanation here.) If the required report to the President fails to address these non-technological challenges, it will be useless.

The fourth report will be an assessment of the nation’s readiness to prevent, manage, and recover from a disruption of our regional electric grids. I applaud this focus. But the order has missed a trick. We simply don’t have sufficient data on which to base much more sophisticated, cross-sector simulations than we can now do. Why? Because the companies that own the vulnerability data won’t share it. At the same time, the companies that have vulnerability data don’t have a handle on the latest threats. The Internet Policy Research Initiative at MIT is about to tackle this problem. We aim to discover whether data owners would be willing to put anonymized and encrypted data into a secure facility at MIT, then participate in realistic simulations of cyber-initiated disasters – and share the results.

The fifth report will concern the challenges faced by the defense industrial base, including supply chain risk.

These studies will be useful for the security of critical infrastructure – but only if they deal with three fundamental issues identified in the MIT Report but ignored in the executive order:

  1. Isolation. The President must be told that critical infrastructure systems cannot be made reasonably secure unless key controls are isolated from public networks. Believing otherwise is delusional.
  2. A Market for Safe Controls. One of the worst supply chain threats to infrastructure doesn’t come from malicious manipulation of equipment. It comes from insecure, multipurpose electronic controls that are not suitable for specialized, sensitive uses. The government must explore the cost and feasibility of supporting a market for simpler, secure variants of commercial controls for critical infrastructure.
  3. Market and Tax Incentives. The incentives for producing more secure hardware and software, and for retiring legacy systems, are misaligned, and the order should have said so. Tax incentives should encourage firms to retire legacy components, for example. Negative incentives are also important. Apart from the manufacture of hardware and software, in what area of economic life is it possible to put unsafe or unsuitable products into the stream of commerce without liability? I can’t think of any. This must change.

If the cabinet-level reports required by the order do not address each of these issues, then critical infrastructure vulnerabilities will continue to get worse, and the Trump Administration will simply join its predecessors in producing feckless, hand-wringing rhetoric on the subject. Stay tuned.

It seemed we’d been waiting a long time for this order, but only because several half-baked drafts were leaked at the start of Trump’s term. In fact, this order comes less than four months into his term. That’s quick. The frustrating thing about it is not that we waited four months for Trump’s team to issue the order. Rather, it’s that we waited about 12 years for Presidents Bush and Obama to issue an order like this, and they never did.

I like to think this order is evidence of the wisdom of appointing Rob Joyce as the new cyber advisor on the national security staff, but it’s too soon to tell. The media continue to refer to Joyce as the cyber “czar.” The best reason to avoid calling any American official a “czar” comes from former CIA Director Jim Woolsey, who used to say that five hundred years of reactionary stupidity followed by seventy-two years of Bolshevism is not a governance model we want to emulate. Czars were absolute rulers. Joyce is a mere “coordinator” – which means he has no power at all. Which brings me back to the first recommendation in the MIT Report: Joyce should be elevated to the position of deputy national security advisor. Rank counts. It will determine who returns his phone calls, how quickly, and whether he’s even invited to meetings with the senior officials whose actions he’s trying to influence. I wish him much luck.

Emerging Standard of Care in Data Security: The FTC’s LabMD Decision

Company data security practices will now be measured against a legally enforceable standard of care. The National Institute of Standards and Technology (NIST) began creating the groundwork for this standard in 2002,[1] the Third Circuit announced its arrival last year in Wyndham Hotels,[2] and the Federal Trade Commission (FTC or Commission) told you last month in its LabMD decision exactly what your company can and cannot do if it wants to avoid lengthy and expensive regulatory proceedings and related litigation.[3]

LabMD was a clinical laboratory testing service, the kind your physician probably uses. It held the records of 750,000 patients – under shoddy conditions. LabMD is now out of business.

The FTC’s Checklist

The Commission’s findings provide a checklist for company counsel and IT managers. LabMD:

  1. Had no intrusion detection system or file integrity monitoring.
  2. Failed to monitor traffic coming through its firewalls.
  3. Failed to monitor its network for unauthorized exfiltration.
  4. Failed to provide meaningful data security training to its employees.
  5. Collected sensitive consumer data it did not need.
  6. Failed to delete consumer data for which it had no further use.
  7. Failed to control the hardware and software its employees could run on its system.
  8. Failed to require strong passwords.

Under the “deceptive” standard of Section 5, FTC proceedings have become routine (and FTC orders often oppressive) against companies that fail to adhere to their own privacy statements. Under Wyndham and LabMD, we can expect a similar development under the “unfairness” standard of Section 5 – routine proceedings that raise the cybersecurity bar in the private sector, but often involving oppressive compliance orders of unreasonable duration that can cripple small firms. The FTC’s checklist is also likely to become a general negligence standard in the courts. So be warned.

The Commission was particularly scathing about LabMD’s failure to control employees’ use of peer-to-peer or P2P software such as music sharing services. These services, unless configured perfectly, permit millions of strangers to access a wide variety of material other than the music the employee intends to share. This vulnerability has been widely known for years, yet many companies do not forbid P2P software on their networks. In LabMD’s case, the failure resulted in the exposure of the medical and other sensitive records of thousands of patients. And when management was told about the vulnerability, it did essentially nothing about it.

It would be a mistake to assume the FTC’s decision in LabMD was limited to companies subject to the Health Insurance Portability and Accountability Act (HIPAA), which imposes special standards on parties holding patient data. HIPAA is barely mentioned in the opinion, and Wyndham Hotels, which laid the groundwork for this decision, did not involve health care.

You can assume, however, that your risk of facing an FTC proceeding is vastly greater if you hold sensitive personal information than if you do not. If the only sensitive information in your system is the formulas, business plans, and trade secrets that make your company valuable, the FTC probably won’t care. In that case, nobody but your competitors, particularly in China and Russia, will be interested in getting into your system. However, your shareholders, who will be well represented by class action counsel, may feel they have an interest in keeping them out, in which case LabMD outlines the first wave of discovery demands you will get.

Two Take-Aways

The immediate take-away from LabMD is obvious. You now have a legal standard against which to measure your company’s behavior. But the case should also impel management to ask a deeper question: What business do you want to be in? If you are a widget manufacturer or in a service business, running a complex and expensive IT system is not your line of work, and you are probably not equipped with the talent and know-how to do it right. Now that the legal consequences of running a porous and insecure system are becoming clearer, many companies will confront anew the question of what functions they would be prudent to out-source.


[1] See In the matter of LabMD, Inc., FTC docket no. 9357 (July 29, 2016), at 12, n. 23, at

[2] FTC v. Wyndham Worldwide, Inc. 799 F.3d 236 (3d Cir. 2015). This case upheld the FTC’s power to regulate poor data security under the “unfairness” standard of Section 5 of the FTC Act. Previously its data security cases had been brought only under the “deceptive” standard of Section 5.

[3] LabMD, supra, upholding the FTC’s statutory and constitutional authority to proceed under the “unfairness” standard of Section 5.

Debating the Chinese Cyber Threat

If you follow cyber conflict issues, you’ll want to see this correspondence from International Security, Vol. 40, No. 1 (Summer 2015), pp. 191–195:

In “The Impact of China on Cybersecurity: Fiction and Friction,” Jon Lindsay asserts that the threat of Chinese cyber operations, though “relentlessly irritating,” is greatly exaggerated; that China has more to fear from U.S. cyber operations than the United States does from China; and that U.S.-China relations are reasonably stable.1 He claims that “[o]verlap across political, intelligence, military, and institutional threat narratives . . . can lead to theoretical confusion” (p. 44). In focusing almost exclusively on military-to-military operations, however, where he persuasively argues that the United States retains a significant qualitative advantage, Lindsay underemphasizes the significance of vulnerabilities in U.S. civilian networks to the exercise of national power, and he draws broad conclusions that have doubtful application in circumstances short of a full-out armed conflict with China. In addition, he does not discuss subthreshold conflicts that characterize, and are likely to continue to characterize, this symbiotic but strife-ridden relationship.

To begin, Lindsay argues that American infrastructure is safe from nation-state cyberattack. For support, he cites a similar conclusion by Desmond Ball, who touts the supposed “sophistication of the anti-virus and network security programs available” in advanced Western countries.2 The notion that Western-made anti-virus and network security programs are effective against sophisticated cyberattacks would astonish any group of corporate security officers. Anti-virus programs are flimsy filters designed to catch only some of the malware that their designers know about. They miss a great deal. New malware enters the market at the rate of about 160,000 per day.3 Filters, whether employed by the military or not, are unable to keep up. “Network security programs” vary in quality, are insufficiently staffed, and are often not implemented at all across the economy. The Pentagon is expending huge sums to build its own power grids, even as its budget shrinks, precisely because the civilian grid cannot be relied upon in a crisis. On this subject, Lindsay says only that China’s ability to attack the U.S. grid “cannot be discounted.” In contrast, Adm. Michael Rogers, director of the National Security Agency (NSA) and commander of U.S. Cyber Command, testified in 2014 that China and “one or two” other countries could shut down the power grid and other critical systems in the United States.4

Lindsay’s article also fails to address the relationship between nonmilitary vulnerabilities and the exercise of national power. For example, when Russian intruders penetrated JPMorgan Chase Bank’s computer system in 2014 during tensions over Ukraine, no one could tell President Barack Obama whether Russian President Vladimir Putin was sending him an implied threat.5 Taking down a major bank would have enormous economic repercussions, and Chase’s vulnerability was there for all to see. When evaluating his options, could the president ignore the possibility that exercising one of them carried the palpable risk that a major U.S. bank could be taken down? Whatever the source and objective of the intrusion in the Chase case, the incident demonstrates the way in which a critical vulnerability in the civilian economy could constrain the exercise of national power, including military power, in a crisis.

Lindsay speculates skeptically about the increase in the reporting of commercial network exploitation since 2010 and wonders whether it may be spurred by self-interested disclosures by network defense firms seeking to scare up demand for their services. He does not mention that the Securities and Exchange Commission issued guidance in 2011 stating that public companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”6 And despite Lindsay’s claim that commercial network exploitation is overreported, virtually every private-sector lawyer and consultant I know in this field believes that publicly disclosed information understates the severity and frequency of attacks on corporate networks. The reasons are well known: companies resist disclosure for fear of harm to their brands and stock prices and to avoid shareholder derivative class-action lawsuits and regulatory action by the Federal Trade Commission.

Lindsay is on better footing when he denies that a network penetration, even when it results in the theft of intellectual property (IP), necessarily results in lost profit or market share. The absorption and application of stolen intellectual property are complicated processes; they require know-how as well as a recipe. This is one reason why IP theft and reverse engineering do not necessarily produce market share for the thief and the copy-cat. Thus China still cannot produce a jet engine, even though it has plenty of American and Russian engines to study, because it cannot master the fabrication process. These are not contested propositions, however. Insurance carriers certainly understand them, which is largely why IP cannot be insured against theft. It is incorrect, however, to imply from this, as Lindsay does, that IP theft is not a significant issue for many of its victims. China has no difficulty using stolen IP about, say, oil and gas exploration data and materials testing research. Both are prime targets.

Chinese intruders have also stolen negotiation strategies to good effect, as more than a few companies could testify (but will not). And in the case of solar-power technology, Chinese IP thieves had no trouble absorbing stolen secrets and penetrating Western markets.7 Some descriptions of the economic losses have been hyperbolic, no doubt; and the losses have eluded persuasive quantification. Nevertheless, the problem is real and substantial.

The overall state of American networks and of private-sector capabilities simply is drastically different from the picture Lindsay paints. Take attribution. Public reports that the NSA can often—though not always—do very good attribution do not mean that private companies can do it. Attribution has three levels: (1) identifying the device from which an intrusion was both launched and commanded; (2) identifying the actor at the keyboard; and (3) identifying the actor’s affiliation. Even the NSA cannot always get to the second and third levels, as the Chase Bank incident demonstrated.

The most basic difference between the military-to-military situation and the corporate reality, however, is that militaries and intelligence agencies fight back. In contrast, companies are exposed to attack without the legal right to retaliate (for mostly good reasons) even when they have, or could buy, the ability to do so. In this environment, offense is unquestionably dominant. According to Lindsay, since 2010 “Western cybersecurity defenses, technical expertise, and government assistance to firms have improved” (p. 23). In fact, very few companies receive government help with intrusions. If he means that private-sector defenses have improved when measured against themselves, then that is true but irrelevant. Attacks have also increased in sophistication, and when measured against the offense, defenses have not improved. All defenses are versions of Whac-A-Mole, and there are too many moles to whack them all.8

In sum, Lindsay and I agree that the current and foreseeable state of cyber technology “enables numerous instances of friction to emerge below the threshold of violence” (p. 9). This is what I have called “the gray space between war and peace.” If this environment is showing signs of strategic stability, it is partly, as Lindsay argues, because mutual vulnerability is creating mutual restraint among nation-states. But the vulnerabilities remain, and they could be exploited by China or Russia in a crisis and by a growing number of second-tier cyber players that are not so constrained.


1. Jon R. Lindsay, “The Impact of China on Cybersecurity: Fiction and Friction,” International Security, Vol. 39, No. 3 (Winter 2014/15), pp. 7–47. Further references to Lindsay’s article appear parenthetically in the text.

2. Ibid., p. 35 n. 94, quoting Desmond Ball, “China’s Cyber Warfare Capabilities,” Security Affairs, Vol. 17, No. 2 (Winter 2011), p. 101.

3. Luis Corrons, “Malware Still Generated at a Rate of 160,000 New Samples a Day in Q2 2014,” Panda News, August 29, 2014, malware-still-generated-rate-160000-new-samples-day-q2-2014/.

4. Ken Dilanian, “NSA Director: Yes, China Can Shut Down Our Power Grids,” Associated Press, November 20, 2014, power-grids-2014-11.

5. See Joel Brenner, “Nations Everywhere Are Exploiting the Lack of Cybersecurity,” Washington Post, October 24, 2014.

6. U.S. Securities and Exchange Commission, Corporate Finance Division, “CF Disclosure Guidance: Topic No. 2: Cybersecurity” (Washington, D.C.: U.S. Securities and Exchange Commission, October 13, 2011), .htm.

International Security, Vol. 40, No. 1 (Summer 2015), pp. 191–195, doi:10.1162/ISEC_c_00208
© 2015 by the President and Fellows of Harvard College and the Massachusetts Institute of Technology.

Forty Years After Church-Pike: What’s Different Now?

This is the Henry F. Schorreck Memorial Lecture that I delivered at the National Security Agency

May 15, 2015

About ten years ago, when I was the inspector general here, I found myself one day in Hawaii, under the Pineapples, and by coincidence there was at the same time a conference nearby of the agency’s training staff from all over the Pacific region. And one of them came to me and said, We do all this training about the legal restrictions on our activities — USSID 18 and Executive Order 12333 and all that – and we know it’s a big deal, but none of the people we’re training know why we’re doing it.  And then after a pause she said:  And frankly, we’re not sure either.

I had lived through the upheavals of the late ‘sixties and the ‘seventies – the Vietnam War, the intelligence scandals, the Nixon impeachment, and the implementation of the legislative and regulatory framework that we impliedly refer to every time we say that this agency operates under law.  Younger people had not.

We Americans don’t take instructions well if we don’t understand the reasons for them.  And so I decided it was incumbent on us to tell and re-tell the story of how and why the United States became the first nation on earth to turn intelligence into a regulated industry.  But the story isn’t entirely behind us.  It continues.  And so this morning I’m not only going to recount what happened in the ’seventies; I’m also going to address the Agency’s position in the wake of the Snowden leaks, and how we got here.  Because insofar as NSA has again been in the public’s doghouse (It is certainly not in the policymakers’ dog house), it is for very different reasons from those in 1976, and that difference is worth reflecting on.

Let’s go back to January 1970, when a former Army captain in military intelligence, Christopher Pyle, disclosed in the Washington Monthly that U.S. Army intelligence had more than a thousand plainclothes agents surveilling every significant political demonstration in the United States.[2] According to Pyle’s account, the Army kept “files on the membership, ideology, programs, and practices of virtually every activist political group in the country . . . including . . . the Southern Christian Leadership Conference, Clergy and Laymen United Against the War in Vietnam, the American Civil Liberties Union, Women Strike for Peace, and the National Association for the Advancement of Colored People.”[3] It also kept a “Blacklist” of “people who might cause trouble for the Army.”[4] There had been violent, destructive race riots in Los Angeles in 1965, in Detroit in 1967, and then in April 1968 in Washington after Rev. Martin Luther King, Jr. was assassinated. Two months later, Bobby Kennedy was assassinated. That same year, the Soviet Army moved into Prague, the Fifth Republic in France nearly fell as a result of massive domestic unrest, and Chicago during the 1968 Democratic National Convention was the scene of serious street violence. Lest anyone forget, we were also deep in the Cold War, early in the Brezhnev years, and the antiwar movement unquestionably included a small but violent far-left element. Stability was a genuine concern of sober people.

The scope of the Army’s domestic spying was nevertheless unauthorized in law, out of control, and plainly political. In the Army’s eyes, dangerous people included Coretta Scott King, Georgia State Representative Julian Bond, folk singer Arlo Guthrie, and former military officers who opposed the Vietnam War. In Colorado Springs, the leader of a church youth group attended a peaceful antiwar protest; in response, the Army infiltrated his church. In Kansas City, the Army asked local high schools and colleges to turn over the names of “potential trouble makers” and anyone who was “too far left or too far right.” Classroom statements by teachers and students found their way into police and Army files.[5] Based on Pyle’s account, Senator Sam Ervin, a conservative southern Democrat from North Carolina and chairman of the Senate Judiciary Committee, opened hearings, but they ran into a wall because the Executive Branch, citing executive privilege and “national security,” declined to provide much information. This episode nevertheless opened the first, small wedge into a system of government secrecy that had been little questioned since 1941.

The Army hearings were not the beginning of the American public’s distrust of government, but by 1970, trust was running out on a strong ebb tide.  Just to color the picture a bit brighter, in April 1970, the United States secretly expanded the Vietnam War into Cambodia, but the operation was leaked and produced vehement opposition.  On May 4, frightened and undisciplined Ohio National Guard troops fired into a crowd of student demonstrators at Kent State University, killing four and wounding nine.  In July, a cabal of radicals blew up the Army Math Research Center at the University of Wisconsin, killing a graduate student.  The Weather Underground planned further bombings.

The sense of anxiety and pessimism was profound, and lots of people really did seem to believe, as the song said, that we were on the eve of destruction.  (That song was actually written in 1964, but it had long legs.)

On December 22, 1974, the New York Times published a front-page story by Seymour Hersh about a CIA program called “family jewels.”  It began this way:

The Central Intelligence Agency, directly violating its charter, conducted a massive, illegal domestic intelligence operation during the Nixon Administration against the antiwar movement and other dissident groups in the United States, according to well-placed Government sources.

An extensive investigation by The New York Times has established that intelligence files on at least 10,000 American citizens were maintained by a special unit of the C.I.A. that was reporting directly to Richard Helms, then the Director of Central Intelligence ….

This article is worth your reading, or re-reading after forty-one years – and not only for the mood of the country and the revelations themselves. It also lays out the unbelievably bad blood between the FBI and the CIA and the intentional freezing of cooperation between them.  The seeds of the next generation’s intelligence problem were there to see, unnoticed in plain view.

Just two weeks after Hersh’s article, in January 1975, the Senate convened a Select Committee to Study Governmental Operations with Respect to Intelligence Activities, chaired by Senator Frank Church of Idaho. The Committee’s work had support from both sides of the aisle. A similar committee convened in the House under Rep. Otis G. Pike of New York, but the Senate version under Church was the more significant. It published fourteen reports in 1975-76 on intelligence agency activities, probably the most comprehensive such reports in history, in any country. The reports detailed the CIA’s habit of opening our mail, NSA’s domestic interception programs, and CIA’s human subject research – including a notorious instance of LSD administered to an unwitting subject who, in a hallucinating fit, jumped out a window to his death. They also went deeply into intelligence activities overseas as well as at home, disclosing assassination plots against the Diem brothers of Vietnam, Patrice Lumumba in the Congo, General René Schneider in Chile, and Rafael Trujillo in the Dominican Republic, as well as the failed plan to use the Sicilian Mafia to kill Fidel Castro. Coups against the governments of Arbenz in Guatemala and Mosadegh in Iran were also exposed.

The country was stunned by the systematic domestic surveillance, and shocked to learn that assassination was a tool of American foreign policy.  It was as if we Americans had eaten of the fruit of the Tree of Knowledge.  We had lost our innocence and the belief in the purity of our methods as well as our intentions.

Revelations about the FBI were, if possible, even more stunning. For 17 years, from 1956 to 1973, the Bureau under J. Edgar Hoover had run a covert program called COINTELPRO, for Counterintelligence Program.  It had antecedents at least back to World War I.  Its initial purpose was to assess the activities of the Communist Party of the U.S., but it eventually included surveillance of Senators Howard Baker and Church (who were the ranking member and chairman of the Senate Foreign Relations Committee), the women’s movement, nearly all groups opposing the Vietnam War, Albert Einstein, and many civil rights leaders.  Hoover loathed Martin Luther King, Jr., and after the March on Washington in 1963, he called King “the most dangerous Negro of the future in this nation from the standpoint of communism, the Negro, and national security.”  The FBI systematically bugged King’s home and hotel rooms.  By the way, much of the surveillance was personally approved by Attorney General Robert F. Kennedy – who later discovered he too had been a target of FBI surveillance.

On November 21, 1964, the FBI sent an anonymous package to King that contained audio recordings of his sexual indiscretions together with a letter that said: “There is only one way out for you. You better take it before your filthy, abnormal, fraudulent self is bared to the nation.” The FBI was encouraging King to commit suicide.

Hoover, by the way, was regarded by several presidents as too powerful to remove from office because he was known or believed to have dossiers on them with embarrassing information.

NSA, meanwhile, was running two projects called SHAMROCK and MINARET.  SHAMROCK began in August 1945 – the month Japan surrendered – and involved the collection by NSA’s predecessor, the Armed Forces Security Agency and then by NSA, of all telegraphic traffic entering or leaving the United States.  Western Union, RCA, and ITT gave the agency direct daily access to microfilm copies of this traffic – up to 150,000 messages per month.  There was wartime precedent for this, but the scope of the collection, and its conduct in peacetime, was a different story.

MINARET was a related project by which NSA intercepted electronic communications of 1,650 people who were on a watch list.  There were no warrants and no judicial oversight of these activities, which were simply assumed to be the normal activities of a foreign intelligence agency.  The targets included Senators Church and Baker, many critics of the Vietnam War, King, Whitney Young, Muhammad Ali, Tom Wicker of the New York Times, and Washington Post columnist Art Buchwald.  After the Church Committee disclosed these programs, then-NSA Director Lew Allen shut them down.  The director’s testimony before the Committee was the first time since NSA’s founding in 1952 that any director had publicly testified before Congress; it was also the first time that NSA’s existence was publicly acknowledged.  Before then, NSA really did stand for “No Such Agency.”  (Now it stands for “Not Secret Anymore.”)

I think it fair to say, and important to say, that everyone associated with these various programs thought that he was a patriot acting in the national interest.  Which is precisely why subjective notions of patriotism and national security are insufficient guides for people and agencies that claim to operate under law in a democratic republic.  (Snowden and Hoover actually represent converse instances of unmoored, egotistical arrogation to oneself of the right to determine the public good.  The comparison will annoy their respective admirers.  So much the better.  They should think about it.)

The Church-Pike hearings were watershed events in our nation’s history, psychologically as well as politically, and they led directly to the legal structures you operate under today. President Ford’s Executive Order 11905, later modified and reissued by President Reagan as E.O. 12333 in substantially the form we now know it; the creation of the House and Senate permanent select committees on intelligence; the Foreign Intelligence Surveillance Act of 1978; the Inspector General Act of 1978; and USSID 18 (originally issued in 1980) – not to mention drastic budget cuts in intelligence – all these were the direct product of the Church-Pike hearings and reports.

Because of the hearings whose anniversary we celebrate today, the men and women of the intelligence community operate with a profoundly different mindset.  You take orders from a democratically elected government, and you answer to an independent judiciary. This is the “why.”  This is the answer to the question put to me that day in Hawaii.  This is the history we must teach to our successors.

I’m glad to say that NSA did not repeat the mistakes of the period that led to the Church-Pike hearings.  Okay, then, so how did we get in the doghouse this time?

The seed of the problem was planted shortly after 9/11, when the White House determined to undertake certain collection outside the FISA regime under a highly classified, but now mostly declassified, program called STELLAR WIND.[6]  That program was not SAP’ed, because the creation of a new special access program requires Congressional notification, but it was run directly by the Office of the Vice President and put under the direct personal control of the Vice President’s counsel, David Addington.  Under periodically renewed Presidential orders, NSA collected two kinds of intelligence:  First, the contents of communications between a person outside the United States with a known connection to Al Qaeda or certain affiliated organizations, and a person inside the country; and second, bulk metadata in order to chain off the domestic link. In my judgment, any President who had failed to order such surveillance on an emergency basis immediately after 9/11 would have been derelict.  The President’s first duty is to protect the nation, and the fear of further attack was palpable.  You could smell it.  But under statute, the interceptions were not permissible without a FISA order because they were taken from a wire inside the United States; and FISA did not permit metadata collection at all.  Under prevailing law, metadata, which is analogous to the information on the outside of a mailed envelope, may have had no Constitutional protection.  But the bulk collection of that data was a watershed political event in the history of American intelligence and in American politics.  As an emergency matter, there’s no question in my mind that the President had the power under Article II of the Constitution to order this collection – both kinds.  But how long does an emergency last?  (An emergency usually doesn’t come with a specific expiration date like a quart of milk, but claims of emergency do get sour.)

Now, it was the view in the White House that the President did have the power to collect this intelligence on a permanent basis.  And I am persuaded that the White House, and certainly the Office of the Vice President, believed that FISA was an unconstitutional limitation on the President’s Article II power in all circumstances.  This was an odd view, because Article I, Section 8 of the Constitution gives Congress the power to regulate interstate and foreign commerce, and that includes telecommunications.  Under well-settled law, Congress cannot exercise its power in a manner that makes it impossible for the Executive to carry out its Constitutional duties, but it can regulate that exercise in a reasonable manner.

Both the NSA General Counsel at the time, Bob Deitz, and I looked for guidance in this situation to one of the more famous passages of Twentieth Century Constitutional law, and I’m going to read you a short bit of it.  It’s by Justice Robert Jackson, concurring in the Supreme Court’s decision striking down President Truman’s seizure of the steel mills on national security grounds.  Jackson is talking about Presidential power in a divided government and the point at which law and politics cannot be separated.  The President’s power fluctuates, Jackson observed, depending upon Congress’ exercise of its power. He saw three possibilities:[7]

  1. When the President acts pursuant to an express or implied authorization of Congress, his authority is at its maximum, for it includes all that he possesses in his own right plus all that Congress can delegate.
  2. When the President acts in the absence of either a congressional grant or denial of authority, he can only rely upon his own independent powers, but there is a zone of twilight in which he and Congress may have concurrent authority, or in which its distribution is uncertain. … In this area, any actual test of power is likely to depend on the imperatives of events and contemporary imponderables rather than on abstract theories of law.
  3. When the President takes measures incompatible with the expressed or implied will of Congress, his power is at its lowest ebb ….

In my view, President Bush’s STELLAR WIND orders fell into the third category – at least, I thought they did after some fairly brief but indeterminate emergency.  (This was not the Administration’s view.  They thought the Authorization for Use of Military Force impliedly granted the power to implement STELLAR WIND.  That was a serious argument, but it was based on debatable inferences; so even accepting that view, I thought the President was in the twilight zone.)  You may know that after President Lincoln unilaterally suspended habeas corpus during the Civil War on the grounds that it was necessary to save the Union, he went to Congress to get his action ratified.  President Bush chose not to do that.  So I put the question to NSA’s senior leadership:  Why don’t we amend FISA, which we could easily have done in the aftermath of 9/11, and do this collection under statute?  This was actually an academic question, because policy was being driven, and driven hard, by Addington, who detested the FISA statute. “We’re one bomb away from getting rid of that obnoxious [FISA] court,” he would say.[8]   But the answer I got here at the Fort was interesting.  It was that amending FISA would require a public debate; that the public debate would educate our adversaries; and that we would lose intelligence as a result.  My response was that the program could not be kept secret forever, and that its eventual disclosure would create a firestorm and divide the country.  The broad unity of the country behind the agency’s activities was a strategic asset; the loss of collection was likely to be tactical and temporary; and sacrificing a strategic asset for tactical advantage was as foolish in politics as it is in military operations.  Better, I said, to amend the statute.  But Inspectors General do not make policy, and they are not consulted about it, nor should they be.

Sooner or later this program’s cover was going to be blown, and on December 16, 2005, it happened: The New York Times exposed the interception part of the program (but not the bulk metadata portion), amid accusations that NSA was engaged in “domestic” spying because it was intercepting communications involving Americans.  In my view that was a distorted description, but when you’re explaining, you’re losing.  This was the beginning of a shift in public opinion that until then had, on the whole, been highly supportive of our intelligence agencies.  Suddenly we faced a country that was seriously divided about our activities.

Most of the criticism actually had little to do with the merit of the interceptions, just the authority for it.  Not surprisingly, the inflammatory publicity attendant on the STELLAR WIND disclosure and the resulting damage to actual collection, to NSA’s reputation, and to our public support were far greater than any damage that would have occurred if the program, and the reasons for it, had been publicly discussed at the outset and the FISA statute amended.

Ladies and gentlemen, democracies distrust power and secrecy and are right to do so.  Intelligence agencies are powerful and secret.  To square that circle, two conditions must be met: The rules under which they operate must be clear to the public and authorized by law, and the public must have reason to believe that the rules are being followed.  STELLAR WIND failed to meet those requirements, and NSA paid for it in loss of public trust.

Again, a lesson was learned – but imperfectly.  FISA was amended in 2008, but only after a rancorous public debate, and the statute is frankly a bit of a mess.  Still, you follow that statute.

And then in 2013 came Mr. Snowden.  Overseas, people were stunned to learn how extremely good NSA really is at its business – sometimes at their expense.  You were being criticized for being too good.  And of course the dough of outrage rose higher and higher when leavened with the yeast of hypocrisy.

But why did the Snowden leaks hurt so badly here in our own country?  There hasn’t been even a whiff of intelligence abuse for political purposes.  This was the only intelligence scandal in history involving practices approved by Congress and the federal courts and the President, and subject to heavy oversight.  How did this happen?

The answer, I think, goes back to the power-and-secrecy principle and to the evolution of our representative democracy in the digital age.  NSA was operating under statute – but ordinary, intelligent, educated Americans could not have looked at that statute and understood that it meant what the FISA Court interpreted it to mean.  The intelligence committees knew.  Any member of Congress who wanted to know either did know or could have known.  (I discount the hypocrisy from that quarter, and the Second Circuit Court of Appeals’ opinion last week is just wrong about that.)  But it is true that the FISA Court’s expansive interpretation of the law was secret.  So the argument that the Agency was operating under “secret law” had legs with the public, much of which is allergic to bulk collection and doubts its value.

We had amended FISA, yes, but our leaders had failed to absorb the transparency lesson.  You now live in a glass house.  How could anyone think the bulk collection program would remain secret?  I’m not telling you there are no more secrets.  You still have plenty of them.  I am telling you that with instantaneous electronic communications, secrets are hard to keep; and that which can be kept secret does not stay secret for long. The idea that the broad rules governing your activities – not specific operations, but the broad rules – can be kept secret is a delusion.  And they should not be kept secret.  Leaders who do not understand this will continue to make strategic blunders. I do not state this as a policy preference.  I state it as a fact of life that political leaders and intelligence agencies – I mean you – must take into account as you make decisions about what can be, and should be, kept secret – and about what activities you can and should undertake.

I should note that even if the general counsel or the Director had given different advice to President Obama about bulk collection, it would not have been followed. The fight in 2008 was bruising enough. The White House had no appetite for more FISA battles.  In any case, that was the President’s call – not the Director’s.  The Director was on the right side of the law.  Would the program be unpopular?  Maybe.  But we do our work.  We keep our heads down.  Sometimes we take some punches for it.  Besides, there’s always a political faction that doesn’t like us no matter what.  Tough luck.  If it’s legal, we do our work.

But in retrospect there’s a lesson to learn.  The public, not just the three branches of government, must know what kinds of things we are allowed to collect domestically.

If you disagree with me on this, do your own damage assessment.  In the wake of Snowden, our country has lost control of the geopolitical narrative; our companies have lost more than $100 billion in business and counting.  Collection has surely suffered.  The damage from the Snowden leaks to American foreign intelligence operations, to American prestige, and to American power – not to mention the damage to morale and to personnel retention right here at Fort Meade – has unquestionably been vastly greater than if the Executive Branch had determined from the outset to amend FISA back in 2002 to permit the activities the White House felt necessary to protect the country.

Do you reply that the Congress in late 2001 or in 2002 might not have permitted NSA to do it?  I doubt it.  But even so, in a functioning representative democracy, this Agency cannot keep the nation safer than the nation, acting through its elected representatives, wants to be kept.

We learned the hard lessons of 1976.  Let’s now think hard and learn this lesson too.  And let’s teach it to those who come after us.

Thank you for the opportunity to address you.  What you do is enormously important, and I count it a great privilege to have served among you.


[1] Joel Brenner was the Inspector General of the National Security Agency from 2002-2006; the National Counterintelligence Executive in the Office of the Director of National Intelligence from 2006-2009; and senior counsel at NSA from 2009-10.  He now maintains a private law and consulting practice and is the Robert F. Wilhelm Fellow at the Massachusetts Institute of Technology’s Center for International Studies.

[2] Christopher H. Pyle, “CONUS Intelligence: The Army Watches Civilian Politics,” Washington Monthly I, January 1970, 4; reproduced in Congressional Record (hereafter cited as “Cong. Rec.”) 91st Cong., 2nd sess., 2227‑2231.

[3] Pyle, “CONUS Intelligence,” 5-6.

[4] Ibid.

[5] Karl E. Campbell, “Senator Sam Ervin and The Army Spy Scandal of 1970-1971: Balancing National Security and Civil Liberties in a Free Society,” Charlotte-Mecklenburg Historic Landmarks Commission, at, citing primary sources.

[6] The orders themselves have not been declassified, so far as I know.

[7] Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 635 (1952).

[8] Jack Goldsmith, The Terror Presidency: Law and Judgment Inside the Bush Administration (New York: W.W. Norton & Co., 2007), p. 181.

Bringing Out the Big Stick


President Obama yesterday signed an executive order that will put serious economic pressure on organized cyber criminals operating from overseas and on foreign companies that benefit from the cyber theft of American trade secrets and other intellectual property.  I have previously criticized this administration for bringing too little, too late to this fight, but this order has real teeth.  The President has moved beyond palliatives.

The order permits the government to freeze the assets of anyone who engages in, or who is complicit in, cyber attacks from abroad that harm or attempt to harm organizations “in a critical infrastructure sector.”  That sector, defined in regulation, now includes a wide swath of the economy, including banks, energy, and pharmaceuticals, all of which are being relentlessly attacked over our networks.  Anyone who uses cyber means to steal trade secrets, money, or intellectual property “for commercial or competitive advantage or private financial gain” is also subject to the order.

These provisions alone would not accomplish much because cyber thieves are hard to catch and are usually protected by uncooperative governments, chiefly in Russia and China.  So the order goes farther.  In the case of stolen intellectual property, it permits the government to freeze the assets of any company that benefits from the stolen property, “knowing it to be stolen.” That knowledge is easily supplied, either to the company that manufactured the widgets or to the U.S. company that imported them.  The goods would then be subject to seizure.

The order also covers the property of people and companies acting directly or indirectly on behalf of parties whose property is blocked by the order.  If you’re an estate agent in Mayfair, for example, you must now think very carefully before handling the property of a Russian Mafioso who has been or could be tied to cyber crime.  If you do, you can now be excluded from entry into the United States, and if your agency has an office in Beverly Hills or Manhattan, the whole operation can be seized, kit and caboodle.  Banks, which already have a headache trying to “know their customers,” will require even more aspirin.

This order was made under statutes that give the President emergency powers.  Invoking them was a big step.  It was based on the President’s finding that “increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”  True enough.  Well done, Mr. President.  It’s now up to the Treasury Secretary to put this order into effect through regulations.  Let’s get going, Mr. Secretary.