Key Points in the FY2010 Intelligence Authorization Act
Further to my earlier post on the FY2010 Intelligence Authorization Act, the full text of the bill and the precise details of the compromise among the White House, Senate, and House can be found here (FAS has posted an excerpt from the Congressional Record that opens with Senator Feinstein's explanatory statement introducing the amended bill, followed by a letter from ODNI-GC Robert Litt setting forth the admi
Published by The Lawfare Institute
in Cooperation With
Further to my earlier post on the FY2010 Intelligence Authorization Act, the full text of the bill and the precise details of the compromise among the White House, Senate, and House can be found here (FAS has posted an excerpt from the Congressional Record that opens with Senator Feinstein's explanatory statement introducing the amended bill, followed by a letter from ODNI-GC Robert Litt setting forth the administration's understanding of the compromise, and then the (lengthy) amended text of the bill itself). Here are the key points regarding the compromise, as well as a selection of other interesting items in the bill:
1. Oversight of Covert Action - Gang of Eight Notification
Nothing earth-shattering here after all. The executive branch continues to have the option in exceptional cases to limit distribution of a covert action finding to the Gang-of-Eight; when it uses that option it now must alert the other members of the intel committees that it has done so and must provide a "general description" as to why; and the executive branch must revisit the decision not to permit wider notification after 180 days.
2. Notification of the Legal Predicate for Covert Actions and for Intelligence Activities Other than Covert Action
The bill amends 50 USC 413a(a)(2) so as to make clear that the committees may request information about "the legal basis under which the intelligence activity is being or was conducted". It does the same re covert action notification under 50 USC 413b(b)(2). According to the letter from ODNI-GC described above, the administration understands this
3. GAO Auditing
Here is how the ODNI-GC letter summarizes the compromise:
Section 336 of the bill directs the President to notify Congress in 30 days after enactment of all cybersecurity programs then "in operation," and to do the same within 30 days of any new program thereafter. The notification must include "the legal basis for the cybersecurity program," any certification that may have been required under 18 USC 2511(2)(a)(ii)(B), the concept of operations for the program, any privacy assessment from the relevant agency, any plans for independent audit or review, and any recommendations for legislative change. Then the responsible agency head must give Congress an annual report, after consultation with the agency's inspector general (note the increasing reliance on this form of intra-executive checking; you might also want to look at various other IG-related provisions, the general thrust of which is to touch up their independence a bit; note, too section 433 which creates an NSA "director of compliance"), concerning the results of any audits/reviews or similar compliance-type inquiries.
In addition, the same provision requires the DHS IG and the IG for the Intelligence Community [who is that, you ask? See section 405 of the bill] to jointly submit to Congress and the President a report on "the sharing of cyber-threat information." Further, the DNI, in coordination with others, has one year to produce a report to Congress proposing legislation or guidelines relating to cybersecurity.
5. A Public Report on Recidivism by Released GTMO Detainees
Who says Congress won't pass laws dealing with detention policy? Why right here in section 334, Congress will require DNI in 60 days to produce a public, unclassified summary of intel relating to recidivism of GTMO detainees, and an assessment of the likelihood that past or current detainees "will engage in terrorism or communicate with persons in terrorist organizations." Seriously, that's in there.
6. More reports...
I'm not sure how many total reports are required by this bill, but there are a whole lot. Many sound quite useful, some less so. Either way, it's going to make a lot of people very busy....
1. Oversight of Covert Action - Gang of Eight Notification
Nothing earth-shattering here after all. The executive branch continues to have the option in exceptional cases to limit distribution of a covert action finding to the Gang-of-Eight; when it uses that option it now must alert the other members of the intel committees that it has done so and must provide a "general description" as to why; and the executive branch must revisit the decision not to permit wider notification after 180 days.
2. Notification of the Legal Predicate for Covert Actions and for Intelligence Activities Other than Covert Action
The bill amends 50 USC 413a(a)(2) so as to make clear that the committees may request information about "the legal basis under which the intelligence activity is being or was conducted". It does the same re covert action notification under 50 USC 413b(b)(2). According to the letter from ODNI-GC described above, the administration understands this
"only to require that the Executive Branch provide the committee with an explanation of the legal basis for the activity; it would not require disclosure of any privileged information or disclosure of information in any particular form."Thus this provision would not purport to entitle the committees to demand to see, say, an OLC memo discussing the legal foundation for some particular activity. Presumably the same is true with respect to the comparable language added to the covert action notification provision.
3. GAO Auditing
Here is how the ODNI-GC letter summarizes the compromise:
The proposed Senate amendment includes a new provision that would require the Director of National Intelligence to issue a directive, in consultation with the Comptroller General, governing access of the Comptroller General to information in the possession of an Intelligence Community element. Nothing in this provision changes the underlying law with respect to GAO access to intelligence information. We interpret this provision to provide the DNI with wide latitude when developing the directive to ensure that it conforms with (1) the statutory provisions governing GAO's jurisdiction and access to information; (2) the intelligence oversight structure embodied in the National Security Act; and (3) relevant opinions of the Office of Legal Counsel of the Department of Justice.4. Cybersecurity Provisions
Section 336 of the bill directs the President to notify Congress in 30 days after enactment of all cybersecurity programs then "in operation," and to do the same within 30 days of any new program thereafter. The notification must include "the legal basis for the cybersecurity program," any certification that may have been required under 18 USC 2511(2)(a)(ii)(B), the concept of operations for the program, any privacy assessment from the relevant agency, any plans for independent audit or review, and any recommendations for legislative change. Then the responsible agency head must give Congress an annual report, after consultation with the agency's inspector general (note the increasing reliance on this form of intra-executive checking; you might also want to look at various other IG-related provisions, the general thrust of which is to touch up their independence a bit; note, too section 433 which creates an NSA "director of compliance"), concerning the results of any audits/reviews or similar compliance-type inquiries.
In addition, the same provision requires the DHS IG and the IG for the Intelligence Community [who is that, you ask? See section 405 of the bill] to jointly submit to Congress and the President a report on "the sharing of cyber-threat information." Further, the DNI, in coordination with others, has one year to produce a report to Congress proposing legislation or guidelines relating to cybersecurity.
5. A Public Report on Recidivism by Released GTMO Detainees
Who says Congress won't pass laws dealing with detention policy? Why right here in section 334, Congress will require DNI in 60 days to produce a public, unclassified summary of intel relating to recidivism of GTMO detainees, and an assessment of the likelihood that past or current detainees "will engage in terrorism or communicate with persons in terrorist organizations." Seriously, that's in there.
6. More reports...
I'm not sure how many total reports are required by this bill, but there are a whole lot. Many sound quite useful, some less so. Either way, it's going to make a lot of people very busy....
Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.