Hiding our Cyberwar from Congress

The AP noticed something troubling in Michael Vickers’ response to the Senate Armed Services Committee questions on his nomination to be Undersecretary of Defense for Intelligence: the government did not include descriptions of its cyberwar activities in the quarterly report on clandestine activities.

The Senate Armed Services Committee voiced concerns that cyber activities were not included in the quarterly report on clandestine activities. But Vickers, in his answer, suggested that such emerging high-tech operations are not specifically listed in the law — a further indication that cyber oversight is still a murky work in progress for the Obama administration.

Vickers told the committee that the requirement specifically calls for clandestine human intelligence activity. But if confirmed, he said, he would review the reporting requirements and support expanding the information included in the report.

Now, Vickers apparently portrays this as a matter of legal hair-splitting: since the law doesn’t explicitly require information on cyberwar activities, DOD didn’t give it.

But the story reminded me of something Steven Aftergood reported last month: the Air Force has explicitly prohibited anyone cleared into Air Force Special Access Programs from sharing any information on those programs with Congress.

The Air Force issued updated guidance (pdf) last week concerning its highly classified special access programs, including new language prohibiting unauthorized communications with Congress.


“It is strictly forbidden for any employee of the Air Force or any appropriately accessed organization or company to brief or provide SAP material to any Congressional Member or staff without DoD SAPCO [Special Access Program Central Office] approval.  Additionally, the Director, SAF/AAZ will be kept informed of any interaction with Congress.”  See Air Force Policy Directive 16-7, “Special Access Programs,” December 29, 2010.

Mind you, nothing says the SAPs the Air Force wants to hide from Congress pertain to cyberwar; after all, they might just be hiding our latest and greatest drone programs. Likewise, there’s no reason to believe that the cyberwar activities DOD didn’t describe to Congress are Air Force activities.

But there seems to be some interesting carving out of programs to hide from Congress.

Update: One more point on this: Every time Keith Alexander, in his function as the head of CyberCommand, talks about the legal authority for CyberCommand, he focuses on Title 10. That reminded me of John Rizzo’s warning about the minimal oversight of Title 10 cyber-operations activities last year:

I did want to mention–cause I find this interesting–cyberwarfare, on the issue of cyberwarfare. Again, increasing discussion there clearly is an active arena, will continue to be active. For us lawyers, certainly for the lawyers in the intelligence community, I’ve always found fascinating and personally I think it’s a key to understanding many of the legal and political complexities of so-called cyberlaw and cyberwarfare is the division between Title 10, Title 10 operations and Title 50 operations. Title 10 operations of course being undertaken by the Pentagon pursuant to its war-making authority, Title 50 operations being covert action operations conducted by CIA.

Why is that important and fascinating? Because, as many of you know being practitioners, how these cyber-operations are described will dictate how they are reviewed and approved in the executive branch, and how they will be reported to Congress, and how Congress will oversee these activities. When I say, “these activities,” I’m talking about offensive operations–computer network attacks.

This issue, this discussion, has been going on inside the executive branch for many years, actually. I mean I remember serious discussions during the Clinton Administration. So, again, this is not a post-9/11 phenomenon. Now, I’m speaking her from a CIA perspective, but I’ve always been envious of my colleagues at the Department of Defense because under the rubrik of Title 10, this rubrik of “preparing the battlefield.” They have always been able to operate with a–to my mind [?] a much greater degree of discretion and autonomy than we lawyers at CIA have been, have had to operate under, because of the various restrictions and requirements of Title 50 operations. Covert actions require Presidential Findings, fairly explicit reports to the Intelligence Oversight Committees. We have a very, our Intelligence Committees are … rigorous, rigorous and thorough in their review. I’ve never gotten the impression that the Pentagon, the military, DOD is subject to the same degree of scrutiny for their information warfare operations as CIA. I’m actually very envious of the flexibility they’ve had, but it’s critical–I mean I guess I could say interesting but critical how–I mean if there were operations that CIA was doing, they would be called covert actions, there’s no getting around that. To the extent I’ve ever understood what DOD does in this arena, they certainly sound like covert actions to me but given that I’ve had more than my hands full over the years trying to keep track of what CIA’s doing at any given time, I’ve never ventured deeply into that area. But I think it’s fascinating. [my emphasis]

So John Rizzo–John Rizzo!!!–warned about how DOD’s offensive cyber-operations were eluding oversight last year. And surprise, surprise? DOD specifically left such operations out of its report on clandestine activities?

  1. DWBartoo says:

    My guess is that Congress would rather NOT know. That Congress is trying, very, very hard, not to know any number of things. Knowing suggests resposibility for doing something, for investigating, for engaging in something quaintly known as “oversight”.

    Besides, if Congress knew and the people, the citizens of the nation, knew that Congress knew, then Congress would have to exlpain why it did and does … NOTHING.

    Congress is exceptionally good at excuses, but very, shall we say, “challenged”?, at rational, responsible and reasoned explanations.

    Congress is “getting” precisely what it wants, in fact, many members are rolling in it. Consider how some dogs like to roll in disgusting things, that they might take the “perfumes” along with themselves … well Congress has the same relation with money, we may all bank upon that, and looking into the Executive’s readily acceeded prerogatives is akin to a dog locking itself in the backyard, away from noisome opportunities …

    I am convinced that Congress is capable of ignoring anything it sets its mind upon closing, after all, the revolving door doth beckon and what more lucrative sand-box is there than the leavings of organized mayhem, on the “battlefield” (which is now “everywhere”) or in the new universe of cyberspace?

    Frankly, EW, Congress doesn’t give a damn.


  2. Synoia says:

    May I remind you of the effectiveness of “Military Intelligence”?

    The hackers are some of the smartest people on the planet. Not many of them appear to be:

    a) US Citizens
    b) Motivated by patriotic duty to enlist in our military

    Especially when the profit motive is so strong (selling porn and viagra).

    Will the Air Force protect us from estates left to us by people killed in Nigeria, urgent actions we must take on bank accounts at institution where we do not bank, spam, porn and Viagra? These are our top existential threats.

      • lareineblanche says:

        Yep, and if known by an Oversight Committee might entail them finding out that the military may be operating on US soil.

        Oh, but they are

        More on CIFA [the Pentagon’s CounterIntelligence Field Activity] here :

        But NorthCom has shown a keen interest in gathering intelligence on counter-recruitment protesters. “The security people at USNorthCom . . . had begun noticing some trouble at a few military recruiting events in 2005,” Eric Lichtblau recounts in Bush’s Law: The Remaking of American Justice. “Military officials at NorthCom asked their counterparts at CIFA [the Pentagon’s CounterIntelligence Field Activity] to ping their powerful new database . . . and find out how many episodes of violence and disruption were actually imperiling their recruiters.” As Lichtblau notes, “Out from the system spat dozens of disparate leads and files that had nothing to do with violent attacks or disruption against military installations, or anything else that might conceivably fall under the wide umbrella of terrorist attacks.”

        This was the so-called Talon database, the Pentagon’s surveillance of some 263 nonviolent protests around the country. These included spying on the American Friends Service Committee, CodePink, Veterans for Peace, the War Resisters League, and many college anti-war groups. “The United States military improperly kept tabs on lawful, nonviolent, First Amendment activities,” the ACLU says. According to Lichtblau, when a senior official saw a summary of the NorthCom findings, he asked: “Why do we have this stuff in here? Why are we talking about protest activities?”

        “CyberCommand” / NorthCom ?
        I haven’t looked into this, but some the geniuses around here maybe already have.

  3. PeasantParty says:

    Ruh-Row! Congress better watch out. They may be the victims of the cyberwarfare suck up.

    That Title 10 rule is stupid if connected to Cyberwarfare. It takes humans to initiate and participate. So how does leaving CWF outside of human intelligence collection possible? Oh! I know. It’s all about the use of words.


  4. ondelette says:

    Somebody needs to put a definition of cyberwarfare out on the table, in terms that comport with international and domestic law, and make sense with both, very quickly. Otherwise, these terms, “cyberattack, cyberwar, Title 10, Title 50, and all the rest are going to be perverted. Already people are using law of war language for things that have no possibility of doing what the laws of war are meant to constrain. Those laws severely jeopardize human rights law usage, and they tromp on all sorts of boundaries. And the “cyber” moniker is notoriously immune to national and temporal boundaries, and things like the Posse Comitatus Act.

    Definitions please, Messrs. Vickers and Rizzo. Er, scratch that Mr. Rizzo, you and Mr. Yoo flunked definitions, you try, Mr. Vickers. I don’t want cyberwar defined in terms of Medicare protocols for billing ambulance rides for extreme pain.

    • emptywheel says:

      Yup. There’s a part of me that wonders whether they’re hiding their “Cyberwar” against Wikileaks, including against people like US citizen Jacob Appelbaum.

      • ondelette says:

        It isn’t totally a matter of “hiding”. We first need a matter of “defining”. What’s a “cyberwar”? People keep asking, because there are hints that they expect the laws of war to apply (esp. with respect to things like combatants and espionage and detention, and privilege). But those things are all defined because people die and get mistreated in real wars. It isn’t the same when the only thing that suffers damage is some ones and zeroes or some corporation’s bank account.

  5. SirLurksAlot says:

    luv the Cybermen graphic ! not so much the clandestine warfare carried on in our name. just like with the insolvent banks, they cannot allow the ruse of online privacy to be shown up.

  6. capitolwon says:

    Considering this is the same Congress that gave us the FISA Amendments Act and Ted Stevens “SERIES OF TUBES!” speech, I’m not sure if having them conduct oversight of this program would be better or worse. For now, I agree with commenter #1 that they simply don’t want to know what all these newfangled terms like “cyberwarfare” and “Google” and “Email” are, because then they would have to own up to it.

  7. canadianbeaver says:

    Fear not! The great Orator In Chief in his memorial speech in Arizona said it was time to stop the senseless gun violence. So with that in mind, he will be therefore ending all the unjust bombings of civilians around the globe in the name of the flag! He wouldn’t lie or be a hypocrite, would he?

  8. jerryy says:

    “It is strictly forbidden for any employee of the Air Force or any appropriately accessed organization or company to brief or provide SAP material to any Congressional Member or staff without DoD SAPCO [Special Access Program Central Office] approval. Additionally, the Director, SAF/AAZ will be kept informed of any interaction with Congress.” See Air Force Policy Directive 16-7, “Special Access Programs,” December 29, 2010.

    This may seem to be a bit of a stretch, but isn’t this an act of rebellion, seeking to overthrow civilian rule, by a segment of the Air Force? After all, as the Supreme Court has abundantly ruled, it is Congress that makes the rules for the military, not the other way around.


  9. Theater403 says:

    I find this information utterly defeating. There is a part of Leviathan that you want to hold out for being “benign” in its sovereignty. I would prefer a monarchy if it were benign in this way. This reveals the depths that we are in and how little chance there is in getting out of it.

  10. ottogrendel says:


    One might think so. But only if everyone exists within the law. Such does not seem to be the case, especially where the military is concerned. I would bet this “rebellion”—if it ever even comes up as worth mentioning by anyone in a position of power—will be explained away as a necessary action in exceptional times, in the same way that torture, rendition, assassination, executive privilege and illegal war have been justified in these decades of perpetual war (exceptions actually being the norm during perpetual war).

    “The rule of law can be wiped out in one misguided, however well-intentioned, generation.” –William Gossett

    Indeed. Especially if Fear is throwing trump.

  11. joanneleon says:

    I wonder how much of the cyber warfare department is dedicated to protecting the banks.

    But this just has an entirely wrong tone about it:

    Additionally, the Director, SAF/AAZ will be kept informed of any interaction with Congress.”

    Because when they say Congress, they mean the people. Congress is us, they are our representatives, our voices and our knowledge of our own government.

    And we pay for all this shit.

    As for the drones, it’s just plain creepy. I assume that these drones could be armed, like the ones in Afghanistan.

    Black bears.

    Training exercises.

    Do they think we’re f’ing stupid?

  12. joanneleon says:

    We have to pay for drones surveilling black bears over the Adirondacks, but we have to cut the food stamp program?

  13. lareineblanche says:

    Yes, this is important, and as ondelette pointed out, there is an egregious abuse of language in defining everything as a “war” – on terror, drugs, etc. This verbal ambiguity and imprecise use of words opens up the door for such abuses. One can be at “war” with almost anything – including environmental, peace activists, one’s own citizens… gives new meaning to the phrase “Department of Defense”

    The whole thing sounds like the DoD is being used as a cover for activities which would normally be done by institutions subject to more oversight (I thought this was what the CIA was for !). The gods of war in the US are sacrosanct, and their motives should not be questioned.

    Some good info here for those who haven’t seen it :

    Tim Shorrock, author of the seminal book Spies for Hire, has described Lockheed Martin as “the largest defense contractor and private intelligence force in the world.” As far back as 2002, the company plunged into the “Total Information Awareness” (TIA) program that was former National Security Advisor Admiral John Poindexter’s pet project. A giant database to collect telephone numbers, credit cards, and reams of other personal data from U.S. citizens in the name of fighting terrorism, the program was de-funded by Congress the following year, but concerns remain that the National Security Agency is now running a similar secret program.

    In the meantime, since at least 2004, Lockheed Martin has been involved in the Pentagon’s Counterintelligence Field Activity (CIFA), which collected personal data on American citizens for storage in a database known as “Threat and Local Observation Notice” (and far more dramatically by the acronym TALON).

    Don’t know if any of Lockheed Martin’s activities are considered part of “CyberCommand” or if it’s independent… but it’s huge, and surely comprises a multitude of different programs. It seems to me the money would be going into the Pentagon to be funneled through “CyberCommand” into a large number of private corporations.