NSPM-7: "Integration, Sharing, and Use of National Security Threat Actor Information to Protect Americans"
[Update: A knowledgeable contact confirms my sense that NSPM-7 should be viewed in continuity with long-standing efforts within the IC to develop technical architectures for sharing identity-specific information about suspected security threats. Those efforts trace back to, among other things, the 2008 issuance of NSPD-59/HSPD-24, which dealt with biometrics relating to terrorism-related threats. As noted below, the idea with NSPM-7 is to extend a similar approach to other categories of national security threat.
Published by The Lawfare Institute
in Cooperation With
[Update: A knowledgeable contact confirms my sense that NSPM-7 should be viewed in continuity with long-standing efforts within the IC to develop technical architectures for sharing identity-specific information about suspected security threats. Those efforts trace back to, among other things, the 2008 issuance of NSPD-59/HSPD-24, which dealt with biometrics relating to terrorism-related threats. As noted below, the idea with NSPM-7 is to extend a similar approach to other categories of national security threat. Significantly, the idea of such an extension predates the Trump administration, and the issuance of NSPM 7 is probably best viewed as the culmination of an effort to get a clear statement of presidential support driving interagency buy-in and cooperation for a long-standing goal of the Intelligence Community.]
Last Thursday, the White House released National Security Presidential Memorandum 7, titled "Integration, Sharing, and Use of National Security Threat Actor Information to Protect Americans." It has not garnered much media attention, so I thought I'd flag it here and note a few interesting elements.
The overarching question I have about this is whether and to what extent it differs from existing efforts to craft data-management, -sharing, and -analysis systems. I'm in no position to judge that, so having noted the issue, I will move on to a quick description of NSPM-7. Here are some of the key moving parts, for those who do not have time or inclination to click through:
First, an interagency effort to create the information-sharing system and gird it with relevant policy and legal protections:
The Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence shall lead, in consultation and coordination with the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Energy, and the Director of the Central Intelligence Agency, the development and implementation of appropriate technical architectures and corresponding policy frameworks to advance the integration, sharing, and use of identity attributes and associated derogatory information for each individual category of evaluated national security threat actor information described in the annex to this memorandum. The technical architecture and corresponding policy framework for each category shall be developed in a manner that appropriately protects the security and integrity of information; enables the appropriate analysis, sharing, and use of information to the extent permitted by and consistent with applicable law; ensures relevant operational deconfliction and security; and provides for the maintenance and use of such information in a manner that appropriately protects individuals' privacy, civil rights, civil liberties, and other constitutional and statutory rights, including through compliance with applicable guidelines governing the collection, retention, and dissemination of personally identifiable information.
Also: The system will have distinct categories of threat, and different agencies will be the executive agent for designing the system on a category-by-category basis. Could be a recipe for turf war...unless, perhaps, the "winning" agency has to pay to develop their share of the system.
The Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, in consultation with the Secretary of State, the Secretary of the Treasury, and the Secretary of Energy, shall jointly identify, as between themselves, the department or agency (or component thereof) best suited to serve as the executive agent for each individual category of national security threat actor information. The executive agent shall be responsible for developing and maintaining that category's specific technical architecture, its corresponding policy framework, and an appropriate governance mechanism to facilitate the capability reviews described in subsection (B) of this section.
Part of the aim appears to be to facilitate the use of algorithms, machine learning, big data methods, and the like:
The Director of National Intelligence shall work with Intelligence Community elements to explore and implement solutions for standardizing and publishing key identity attributes captured within intelligence information reports in machine readable formats to support automated processing within the technical architectures established under subsection (A) of this section, in accordance with approved standards, formats, and application profiles established under subsection (F) of this section.
There are other details in the document, and—take note—there is an unreleased (and presumably classified) annex that apparently spells out the particular categories of threat actor information the White House has in mind. That's all I have for now. If readers who understand the status quo better can shed light on how NSPM-7 actually departs from the current norm, I'm happy to hear from you.
