An Intelligence Authorization Act Compromise? GAO Audits, Covert Action Findings, and Statements on the Legality of Covert Action in Cyberspace

Robert Chesney
Tuesday, September 28, 2010, 11:01 AM
[FINAL UPDATE: Please disregard this original post, and instead look to my summary of the actual bill posted on 9/29/10] [update: some have suggested to me that my impression of the bill will be different once I see the actual text.  I will post something appropriate once I have seen that text. ] Famously, we have not had an Intelligence Authorization Act since 2004.  It did not seem likely that this would change this year in light of White House resistance to proposals that would (i) give GAO

Published by The Lawfare Institute
in Cooperation With
Brookings

[FINAL UPDATE: Please disregard this original post, and instead look to my summary of the actual bill posted on 9/29/10]
[update: some have suggested to me that my impression of the bill will be different once I see the actual text.  I will post something appropriate once I have seen that text. ]
Famously, we have not had an Intelligence Authorization Act since 2004.  It did not seem likely that this would change this year in light of White House resistance to proposals that would (i) give GAO authority to conduct performance audits of programs run by the CIA and other intelligence entities and (ii) expand the scope of the existing statutory obligation to report Presidential Findings in support of covert action.  On the latter point, 50 U.S.C. 413-b(c)(2) currently provides that:
If the President determines that it is essential to limit access to the finding to meet extraordinary circumstances affecting vital interests of the United States, the finding may be reported to the chairmen and ranking minority members of the congressional intelligence committees, the Speaker and minority leader of the House of Representatives, the majority and minority leaders of the Senate, and such other member or members of the congressional leadership as may be included by the President.
The Washington Post reports this morning that a deal is in the works on both points, and that this will pave the way for quick passage of an authorization act after all.  A few comments:

I don't have the compromise language before me, so it is hard to say whether the resulting changes are real or cosmetic.  On the GAO issue, the report indicates that the executive branch will be obliged to negotiate with GAO regarding the latter's access.  This would mean little if the bill is merely calling for negotiations, but a lot if the bill establishes that GAO must in fact get access and the negotiation business merely concerns the mode of their doing so.
On the scope of disclosure of covert action findings, the report indicates that the executive branch may no longer permanently limit disclosure to the Gang of Eight in exceptional circumstances, but also that broader disclosure to the full membership of the committees need not occur simultaneous with Gang of Eight disclosure either.  In some circumstances, the compromise provides, such broader disclosure may be delayed...thought it's unclear from the report whether there is an ultimate limit on the extent of the delays, and hence it is unclear how much practical change would really flow from enacting this provision.  It also is not clear whether the proposed bill would alter 50 U.S.C. 413-b(c)(3)'s "timely notification" language, which anticipates that in some instances there may be delay in disclosing a presidential finding to anyone in Congress.
A third item worth noting in the bill, according to the Post, one that has received less attention:
The new draft also includes a provision for "the head of a department or agency of the United States with responsibility for a cybersecurity program" authorized by presidential findings to report on the legality of its operations.
Again, I'll withhold firm judgment until I've seen the actual language.  But let's translate that sentence to see what it appears to mean.  A "cybersecurity program...authorized by presidential finding" could mean a cybersecurtiy program that constitutes a covert action, thus requiring such a finding.  If that's what is meant here, then the provision appears to be, in effect, an add-on to the normal range of information that must be included in or with a covert action finding.  Specifically, the executive branch (through the relevant agency head) would have to include a statement about why the proposed action would be/is legal.   This is interesting, though it's also doubtful that much more than conclusory, anodyne statements about the legal issues in cyberspace would result.  By way of comparison, 50 U.S.C. 413-b(a)(5) requires in connection with the Presidential Finding itself that
(5) A finding may not authorize any action that would violate the Constitution or any statute of the United States.
Note that this language says nothing of treaties or, for that matter, customary international law.  The apparent cybersecurity/covert action filing requirement should probably make clear whether it is meant to be construed in similarly specific terms (perhaps the actual language already is clear on this point).

Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.

Subscribe to Lawfare