The 2008 revision of Executive Order 12333, cyber policy, and the Cyber Threat Intelligence Integration Center: An Interview with Mr. David Shedd
President Reagan enacted Executive Order 12333 in 1981 to provide the structural framework and organization for the United States Intelligence Community (IC) under the direction of the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004. Mr. David Shedd led an effort in 2008 to revise it for modern cyber capabilities. However, today’s common term cyber never once appears in the document.1 This omission seems strange today, as cyber issues are one of the most discussed and debated topics of 2015. Unfortunately, the US IC does not seem to possess clear goals regarding cyber intelligence. President Obama has called for a Cyber Threat Intelligence Integration Center (CTIIC) to address the issue, which hinges on how the USG should understand cyber in an intelligence context. At least there is some form of an underlying structural fabric for the US IC to use as a starting point as they attempt to improve the current situation of cyber intelligence.
General Challenges of Writing an Intelligence Community Policy Document
Global uncertainty, coupled with the competing interests of separate government agencies and politicians, affect the creation of intelligence documents, and EO12333 as amended in 2008 was no exception. Mr. David Shedd says that he and the team he led in crafting the revision of EO 12333 were worn out from the lengthy, difficult fighting they had to undergo—around 15 to 16 months—to achieve the draft that was eventually signed by President George W. Bush in July 2008. The discussions at the time did not contemplate adding cyber responsibilities in anticipation of needs that might arise in 2015.2 But Shedd also admits that he might not have had the vision to understand just how ingrained cyber would become in society and how big of a priority it would be.
Executive Order 12333
The strength of EO 12333 is its readability and simplicity. However, the document derives much of its simplicity from statements declaring that the Director of National Intelligence (DNI) has the responsibility to determine how the structure of the IC will operate. In other words, the execution of the framework laid out by EO 12333 is delegated to the authority of the DNI. Mr. Shedd notes that, in his view, the DNI has the authority now to determine the roles and responsibilities of the IC in the areas of collection and counterintelligence, and how everything relates to the broader authorities. Giving the DNI this authority sets the needed groundwork for later policy building and lines up with EO 12333’s stated IC policy process.
In some sense, EO 12333’s simplicity and focus on the DNI creates a level of structural flexibility that is rather impressive. However, the broader emphasis that the IC and USG now place on cyber seems to demand that some form of clear cyber policy be declared. To posit one solution, the DNI could simply create the policy— but that policy would be limited, binding only on the IC alone. Moreover, even the elements of the IC sometimes question the DNI’s position and authority. While this does not mean conflict will be inevitable, it does include a lot of risk. There is always a factor of risk in creating policy when, as Mr. Shedd says, the IC members do not place complete trust in one another.
If the DNI did begin to make policy, the negotiations involved might possibly have a more severe impact on inter-agency trust in the IC than Mr. Shedd’s negotiations over the 2008 revision of EO 12333. The negotiations would be between agencies and a semi-controversial DNI instead of between the agencies and their customers in the USG. To make matters even tougher, the agencies fear that they will lose out with the cyber policy outcomes, picturing the negotiations in the context of a zero-sum game.2
Cyber Threat Intelligence Integration Center (CTIIC)
Matters escalated in early 2015 with President Obama’s directive to the DNI to create the Cyber Threat Intelligence Integration Center (CTIIC). The CTIIC is tasked with providing all-source intelligence analysis regarding foreign cyber threats and incidents, to support USG centers responsible for cybersecurity, and to facilitate and support USG efforts to fight against foreign cyber threats.3
According to Mr. Shedd, DNI Jim Clapper remains unenthusiastic about the CTIIC and concerned about its ill-defined mission. Mr. Shedd believes that, to some extent, the CTIIC is adding a layer of redundancy and is unlikely to improve the current trends in the IC. He maintains that the IC does share cyber intelligence, most closely among the CIA, NSA, FBI, and DHS. While he acknowledges that the situation could be improved, he is unconvinced that a middleman such as the CTIIC is the answer to the cyber questions pertaining to policy.
The Obama administration equates the CTIIC with the National Counterterrorism Center (NCTC).4 However, the term cyber threat is not on the same taxonomical tier as the term terrorism. In a taxonomical sense, cyber threat could be paired with car bombing—both are means to an end, such as terrorism. While cyber threats to the US are much greater than car bombing threats, the reality remains that both are tools used to attack. They are not the ultimate objective of the attack. By disembodying a cyber threat from its context, the whole picture of the scenario is more likely to drop from view, certainly a disadvantageous outcome. Cyber needs to be understood within the larger threat atmosphere confronting the US.
However, to what people term the “public eye,” the government has done little to confront cyber threats. Though EO 12333 gives the DNI authority to create centers and policy as the IC needs them, there has been no large, publicized change as to how the IC operates in regards to cyber intelligence. President Obama, for good or ill, has stepped in to force the DNI’s reluctant hand—though much of the real work of creating the CTIIC remains with the DNI.3, 4
Should Cyber be an Intelligence Discipline?
Cyber is not only a target of collection, but it enables collection as well. In addition, not all cyber information is gained by cyber means. Human intelligence can play a large role in gaining cyber information and other intelligence disciplines can make great use of cyber tools to accomplish their ends. Cyber’s unique situation and cross-discipline relevance mean that setting it aside as an official intelligence discipline could lead to convoluted definitions, confusion and turf wars regarding cyber authority, and poor policy. Policymakers would be wise to understand the nature of cyber and how it fits into the overall threat. This is something the CTIIC does not achieve.
EO 12333 in its amended form does provide a framework for creating an IC cyber intelligence policy. Though threadbare, the framework has enough flexibility to last and is probably the best Mr. Shedd and his team could have created at the time. The USG needs to recognize the “threadbare” reality of the current framework, the complexity of the cyber issue, the nature of the IC and the DNI, and the relationship between the IC and policymakers to provide the proper context for understanding current cyber intelligence sharing within the IC. The goal should be policy that plays to the IC’s strengths. Policy should also avoid redundancy, vague terminology, and window dressing aimed merely at public relations. EO 12333 is a starting point calling for improvement, but the present vision of the CTIIC is not the answer.
- Executive Order 12333: United States Intelligence Activities (As amended by Executive Orders 13284 (2003), 13355 (2004) and 13470 (2008)), http://fas.org/irp/offdocs/eo/eo-12333-2008.pdf.
- Interview with David Shedd
- The White House, “FACT SHEET: Cyber Threat Intelligence Integration Center,” The White House, 25 February 2015, https://www.whitehouse.gov/the-press-office/2015/02/25/fact-sheet-cyber-threat-intelligence-integration-center.
- Cheryl Pellerin, “New Threat Center to Integrate Cyber Intelligence, “DoD News, Defense Media Activity, 11 February 2015, http://www.defense.gov/News-Article-View/Article/604093.