When a conference committee convenes to reconcile differences in the House and Senate versions of the 2016 Intelligence Authorization Act, Members should resist the temptation to legislate on the proposed Cyber Threat Intelligence Integration Center (CTIIC). The Obama Administration and Office of Director of National Intelligence (ODNI) - that is slated to host the new center - are correct in arguing that provisions in the House bill on CTIIC are unnecessary, potentially harmful, and constrict the DNI’s ability to establish (and disband) new intelligence structures in response to a rapidly changing threat environment. To support Senate conferees who will (presumably) seek to remove these provisions from the final bill, the Administration should release the DNI’s status report on CTIIC’s stand-up describing the specific roles and responsibilities that will be assigned to the center, any limitations on its activities, and the nature of relationships it will maintain with other intelligence, law enforcement, and policy bodies that are already active in this crowded field.
In February, President Obama directed the DNI to establish the CTIIC to improve the government’s ability to fuse intelligence on attacks - - both extant and planned – against US networks. The final decision to act on this longstanding structural reform proposal was, according to media reports, grounded in frustration with the inability of existing agencies to reach timely consensus on the sponsorship, goals, and impact of North Korea’s attack several months earlier on networks belonging to Sony Pictures Entertainment. In framing the initiative, the Administration described a modest center housed in ODNI that would provide integrated all-source analysis on cyber threats, foster sharing of cyber intelligence, and support the work of existing cyber centers and interagency bodies that would remain responsible for policy development, strategic planning, and incident response.
We posted an Intelligence Studies Essay that reluctantly supported the creation of a new intelligence bureaucracy and attempted to draw lessons for CTIIC’s stand-up from the decade-plus experience of the National Counterterrorism Center (NCTC) on which CTIIC was being modeled. The Essay argued that the new center should be: 1) assigned exclusively intelligence, and not policy, functions; 2) led by an intelligence professional who reported to the DNI only; and 3) established by the DNI under authorities expressly granted to him by the Intelligence Reform and Terrorism Prevention Act (IRTPA) (and potentially disbanded or modified by the DNI at some future date pursuant to the same authority). The Essay anticipated but did not encourage an attempt by the Congress to legislate on CTIIC.
Earlier this Summer, Bobby called our attention to Section 309 of H.R. 2596, the 2016 Intelligence Authorization bill prepared by the House Permanent Select Committee on Intelligence (HPSCI), that would establish CTIIC in law. The Administration reacted immediately by threatening a presidential veto of the bill if it included the House language delimiting CTIIC’s “role and responsibilities”. OMB’s Statement of Administration Policy objected specifically to the: 1) expansion of CTIIC’s mission beyond that described in the President’s directive to the DNI establishing the center; 2) assignment to CTIIC of “mission manager functions” currently assigned elsewhere in the IC; and 3) limitation on the number of staff that could be assigned to the center (50). Last month, the Senate Select Committee on Intelligence (SSCI) achieved passage of its version of a 2016 Intelligence Authorization Act. The Senate bill includes no reference to CTIIC, thereby creating a disparity in the bills to be resolved in conference.
The House bill would assign five “primary” (…and no secondary) missions to CTIIC. The statutory language employed is general, imprecise, and occasionally contradictory. Borrowing language from the executive order (and later the IRTPA) that established NCTC, the HPSCI bill designates CTIIC as the “primary” government organization responsible for analyzing cyber threat intelligence. In view of the massive volume of current and likely future cyber threats to US networks, this is an enormous responsibility. And, one that is quite different from the “integrating” function envisioned by the Administration. The House bill also does not limit the CTIIC’s functions to “foreign cyber threats” as does the President’s directive, presumably making the center’s analysts responsible for developing expertise on the vast array of home-grown threats to our information systems. Despite these major proposed expansions of CTIIC’s mission, the House bill would limit the center’s staff complement to 50 - - codifying an Administration briefing point that was certainly deployed to blunt foreseeable (albeit stale) criticism of ODNI as a “bloated bureaucracy”.
In addition to integrating analysis, the other principal contribution CTIIC might make to our national cybersecurity effort is to improve the sharing of information that is now gathered, processed, and stored by multiple Federal agencies. The 9/11 Commission found a direct link between inadequate information sharing and our failure to prevent al Qaida’s successful terror attacks on the US Homeland. Correcting shortcomings in information sharing therefore became a primary responsibility for new institutions like NCTC and ODNI. Inconsistent sharing of threat information complicates the government’s current challenge detecting and disrupting cyber attacks or, in the worst case, attributing and responding to them. The President’s directive assigned CTIIC the task of developing and implementing new “systems, programs, policies and standards” to improve sharing and also mandated that raw as well as finished intelligence should reach the full range of government users. The House bill directs broad dissemination of analysis on cyber threats but neglects to assign CTIIC direct responsibility for improving the sharing of all information relevant to cyber threats.
In two vague provisions, the House bill assigns CTIIC the responsibility to “coordinate cyber threat intelligence activities of the departments and agencies” and “conduct strategic cyber threat intelligence planning for the federal government”. If the legislative intent of these provisions is to ensure the CTIIC director is designated, and exercises the responsibilities of, the National Intelligence Manager for Cyber, that is a defensible aim. The directors of NCTC and ODNI’s National Counterproliferation Center (NCPC) simultaneously serve as “mission managers” in their respective areas by setting requirements, allocating resources, and coordinating the activities of IC agencies. The CTIIC director should play the same role in cyber intelligence. HPSCI’s proposed language, however, implies a more intrusive and open-ended role for CTIIC in planning and coordinating the cyber activities of agencies inside and outside the IC. Such a broad grant of authority to an ODNI intelligence center would risk infringing upon the statutory prerogatives of other department and agency heads and would, in any case, be more likely to provoke resistance rather than encourage the cooperation CTIIC will need to succeed.
The final reason to resist HPSCI’s effort to legislate CTIIC concerns the DNI’s role as head of the IC and his need for flexibility in allocating and shifting scarce intelligence resources to meet changing threats. On this question, the establishment of NCPC is instructive. The IRTPA included a section establishing NCPC and granting the new center broad intelligence and policy responsibilities in our national counterproliferation effort, including a “strategic operational planning” function similar to that assigned to NCTC for counterterrorism. Congress, however, included a waiver provision that allowed the president to choose not to establish an NCPC if he deemed such a center unnecessary. President Bush ultimately directed the establishment of an NCPC within ODNI that more closely tracked a recommendation of the Silberman-Robb (“Iraq WMD”) Commission for a modest-sized center focused on integrating non-proliferation intelligence activities. In the heyday of structural reform of US intelligence during the last decade, numerous proposals for new intelligence centers and IC mission managers were advanced by Members of Congress and others with special interest in a given intelligence topic (e.g. North Korea, Cuba/Venezuela, Space, Climate, China). In most cases, these proposals were successfully resisted or at least prevented from being codified in law. While no one doubts the serious and growing hazard posed to US national security by cyber attacks, the DNI should have the flexibility to establish and disestablish specialized centers, define their intelligence responsibilities, and allocate resources to match the tasks he has assigned them.
Establishment of the CTIIC will not address the myriad legal, policy, and technology deficiencies in our current effort to secure the Nation’s information systems. An intelligence center that promotes information sharing and produces integrated, timely, and accurate intelligence analysis can, however, contribute to improved government performance on cybersecurity. The DNI has the authority and information required to create and supervise such a center. Congress should resist the temptation to legislate CTIIC (or any other intelligence center) and, rather, plan to vigorously oversee the new center’s performance. The Administration could help bring about this result by releasing the DNI’s status report on stand-up of the CTIIC required by the President’s February directive - - consistent with the President’s persistent call for greater transparency in US intelligence activities.