intelligence oversight

Five Important (Or At Least Interesting) Provisions in the Intelligence Authorization Bill HPSCI Passed

By Robert Chesney
Monday, June 8, 2015, 11:00 AM

One thing I love about the various annual authorization bills is that they often contain very interesting but little-noticed provisions. The Intelligence Authorization Act for Fiscal Year 2016, which HPSCI (the House Permanent Select Committee on Intelligence) voted out last week, is no exception. The full text is here, and my top-five highlights appear below:

Section 303: The Intelligence Committees want in on Special Access Program reporting.

This section extends congressional oversight of certain SAPs (Special Access Programs, defined in EO 13526 sec. 4(3)(b)) to the intel committees. Specifically, it requires the DNI or Secretary of Defense give 30 days’ advance written warning to SSCI and HPSCI in connection with creation of new SAPs pertaining to intelligence activities, intelligence-related activities, or covert action. There is a waiver for emergency circumstances, in which case a written notice (with explanation of the emergency) must be given no later than 48 hours after the SAP is created.

Context: 10 USC 119 already requires DOD to give the defense committees (SASC, HASC, and the defense subcoms of the Appropriations Committees) such notice. Part of the idea with section 303, then, is to give SSCI and HPSCI similar insight. It will be interesting to see if the defense committees push back.

Section 306: Hey PCLOB, stay away from covert action.

Section 306 would clarify that the Privacy and Civil Liberties Oversight Board may not obtain access to “information that an executive branch agency deems related to covert action”.

Context: PCLOB recently initiated an investigation involving Executive Order 12333, and though it likely will be focused on certain collection activities under that heading there is concern in some quarters that PCLOB now or in the future might attempt to investigate other things under this heading, perhaps including covert action. Perhaps section 306 is a preemptive response.

Section 308: Are you a foreign government investigating NSA? Don’t ask us for help.

Section 308 forbids the IC from giving information to a foreign entity in response to foreign investigations into our intelligence activities (parliamentary, judicial, etc.). There is an exception meant to ensure the ordinary flow of information with foreign liaison services continues.

Context: The context for this one is pretty clear, I think!

Section 309: Let’s define the mission of the Cyber Threat Information Integration Center.

The administration established CTIIC by presidential order back in February (see here for more). Section 309 would define CTIIC’s authorities in statute, as follows:

(1) analysis and integration of all intel relating to cyber threats;

(2) provide all-source intel support to all agencies with cyber threat intelligence missions, and also provide “independent, alternative analyses”;

(3) provide analyses to POTUS, various executive agencies/departments, and relevant Congressional committees;

(4) “coordinate cyber threat intelligence activities of the departments and agencies of the Federal Government”;

(5) “conduct strategic cyber threat intelligence planning for the Federal Government.”

Context: The President’s February directive called for CTIIC to do the following:

Sec. 2. Responsibilities of the Cyber Threat Intelligence Integration Center. The CTIIC shall:

(a) provide integrated all-source analysis of intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. national interests;

(b) support the National Cybersecurity and Communications Integration Center, the National Cyber Investigative Joint Task

Force, U.S. Cyber Command, and other relevant United States Government entities by providing access to intelligence necessary to carry out their respective missions;

(c) oversee the development and implementation of intelligence sharing capabilities (including systems, programs, policies, and standards) to enhance shared situational awareness of intelligence related to foreign cyber threats or related to cyber incidents affecting U.S. national interests among the organizations referenced in subsection (b) of this section;

(d) ensure that indicators of malicious cyber activity and, as appropriate, related threat reporting contained in intelligence channels are downgraded to the lowest classification possible for distribution to both United States Government and U.S. private sector entities through the mechanism described in section 4 of Executive Order 13636 of

February 12, 2013 (Improving Critical Infrastructure Cybersecurity); and

(e) facilitate and support interagency efforts to develop and implement coordinated plans to counter foreign cyber threats to U.S. national interests using all instruments of national power, including diplomatic, economic, military, intelligence, homeland security, and law enforcement activities.

Section 309 seems a bit different, lacking some of what the President’s order refers to, but also specifying an uncertain coordination function along with a strategic planning function.

Sections 321-23, and 331: Don’t forget those GTMO transfer constraints.

The usual stuff: no sending KSM or others at GTMO to U.S. territory, nor to any place constituting a “combat zone” in the sense understood by…the Internal Revenue Service.

There is much more in the bill, of course, and no doubt some of it will strike you as more interesting than any of the five I’ve selected.