from the exceptions-apply dept
Steven Aftergood of the Federation of American Scientists directs us to a recently-released document issued by James Clapper (DNI) that formalizes something that the US has long held in principle, but had yet to commit to paper.
Intelligence agencies that discover a threat to a person’s life or safety are obliged to alert the intended target in most cases as long as they can do so without compromising intelligence sources and methods, a new intelligence community directive instructs.The directive also covers, remarkably, non-US persons. The broad wording that pulls a lot of non-person "persons" under the "duty to warn" umbrella raises some questions about the included agencies' (FBI, NSA, CIA) duty to warn private companies about attacks of the "cyber" variety. Marcy Wheeler of emptywheel:
A U.S. intelligence agency “that collects or acquires credible and specific information indicating an impending threat of intentional killing, serious bodily injury, or kidnapping directed at a person or group of people shall have a duty to warn the intended victim or those responsible for protecting the intended victim, as appropriate,” the new directive states. “This includes threats where the target is an institution, place of business, structure, or location.”
As I have noted, NSA has secretly defined “serious bodily harm” to include threat to property — that is, threats to property constitute threats of bodily harm.It would appear to order the NSA and other government intelligence agencies to be forthcoming about impending (or ongoing) attacks. If interpreted in this fashion by the ODNI, it would appear to make CISA-ordained sharing redundant and ask the intelligence community to put aside its own interest in exploitables and preserving "means and methods" in favor of a "duty to warn."
If so, a serious hack would represent a threat of bodily harm (and under NSA’s minimization procedures they could share this data). While much of the rest of the Directive talks about how to accomplish this bureaucratically (and the sources and methods excuses for not giving notice), this should suggest that if a company like Sony is at risk of a major hack, NSA would have to tell it (and the Directive states that the obligation applies for US persons and non-US persons, though Sony is in this context a US person).
So shouldn’t this amount to a mandate for cybersharing, all without the legal immunity offered corporations under CISA?
Or not. There are several exceptions.
a. The intended victim, or those responsible for ensuring the intended victim's safety, is already aware of the specific threat;So, this voluntary assumption of a mostly-moral obligation to warn others of danger does not cover most criminals (apparently, the ODNI is fine with criminals killing/harming each other) or any situation where warning an entity of an impending attack would compromise intelligence agencies and their objectives. This would seem to eliminate warnings of cyberattacks, seeing as most relevant information would be hopelessly entangled in the cybersecurity efforts of multiple government agencies.
b. The intended victim is at risk only as a result of the intended victim's participation in an insurgency, insurrection, or other armed conflict;
c. There is a reasonable basis for believing that the intended victim is a terrorist, a direct supporter of terrorists, an assassin, a drug trafficker, or involved in violent crimes;
d. Any attempt to warn the intended victim would unduly endanger U.S. government personnel, sources, methods, intelligence operations, or defense operations;
e. The information resulting in the duty to warn determination was acquired from a foreign government with whom the U.S. has formal agreements or liaison relationships, and any attempt to warn the intended victim would unduly endanger the personnel, sources, methods, intelligence operations, or defense operations of that foreign government; or
f. There is no reasonable way to warn the intended victim.
Marcy Wheeler points out that these exceptions could explain the FBI's lack of interest in warning Occupy Wall Street members of an assassination plot. Of course, the directive didn't officially take effect until July 21, 2015. At the point the FBI decided against warning certain American citizens of assassination threats, the "duty to warn" was nothing more than an altruistic ideal. It was under no legal obligation to do so, and its investigation of Occupy Wall Street probably justified its unwillingness to keep these "insurrectionists" out of harm's way.
The new directive doesn't really make this any more mandatory than it was back when it was unwritten and completely voluntary. Steven Aftergood points out the DNI's directive mentions both the National Security Act of 1947 and Executive Order 12333, but neither of these contain any wording that would legally compel intelligence agencies to honor a "duty to warn."
That being said, there's at least some anecdotal evidence that intelligence agencies have carried out their "duty to warn" in the past. Aftergood's post links to a former intelligence officer's recounting of exercising the "duty to warn" in Iraq.
A US citizen who was mixing good deeds (water supply work) with proselytizing (handing out Bibles to Iraq citizens) found himself the target of the Iranian Islamic Revolutionary Guards Corp. The IRGC implemented a Bible "buy-back" program, offering $5 for every Bible handed out by this "do-gooder." Iraqis soon turned this into a revenue stream, selling Bibles to the Guards and heading back to the missionary for fresh copies. The IRGC then decided it was sick of spending money to make
So, I get the tasking to warn Doug under the "duty to warn" policy. I gather up a few of our Kurdish guard force and another American to go to the village and pass the warning on to Doug. I can imagine his confusion. We roll into town, something like a cross between the Rat Patrol and Pancho Villa, Toyota pickups with mounted 12.7mm’s, Alanis Morissette blaring on the CD player - you get the picture.So, altruism exists. And inasmuch as it doesn't interfere too greatly with national security aims and/or ongoing investigations, people will be warned. But the ODNI's new "directive" doesn't add any additional obligations that weren't in place earlier. In fact, it seems to have been put down on paper mainly to explicitly list all the times the intelligence community won't be obligated to warn others of danger.
I knocked on the door (I asked the locals, "Wayn al-Amrikan?" [Where's the American?]) and a gringo answers. I ask if he is Doug so-and-so. He says he is, but looking at our obviously loaded-for-bear entourage, asks who we are.
I reply, "We’re from the State Department."
He looks at us, AK-47’s and Browning High-Powers all over the place.
I quietly said, "Just work with us here, Doug."
"What exactly do you want?" he asks. Obviously he was not a fan of the CIA mucking around in "his" area.
I explain, "We have information that the Iranians, who believe you are proselytizing Christianity, are planning to kill you. We are advising you to leave Iraq for your own safety and that of your family (he had actually brought his Dutch wife and 10-year old son with him)."
Incredulously, he asked me, "Do you have anything more specific, more concrete than the fact they plan to kill me?"
I was a bit taken aback - "The IRGC is going to kill you - Doug so-and-so. How much more specific do we have to be?"