On February 9, 2009, President Obama gave his National Security and Homeland Security Advisors 60 days to conduct a Cyberspace Policy Review.1 The stated purpose of this “60-Day Review” was to provide a comprehensive assessment of U.S. policies for cybersecurity.2 According to a White House press release, the review would “develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector.”3
The 60-Day Review was an ambitious project and, in the end, took more than 60 days to complete.4 When the final report was issued on May 29, 2009, it offered a careful assessment of the current situation and a broad vision of what the United States must accomplish to secure our digital future. This vision, however, was not fundamentally different from previous iterations of cybersecurity strategy that the U.S. government has issued over the past 12 years.
The 60-Day Review undoubtedly represents a critical step toward addressing the many challenges the United States faces in working to secure its public and private information systems. However, it is important to place this document in proper context and understand what it accomplishes and what business it leaves unfinished. Before much progress can be made in improving cybersecurity, there are some tough policy decisions that have to be made.
The 60-Day Review does not take on many of those decisions. Rather, it provides an accurate and troubling picture of what the country is up against. It offers a glimpse of the daunting but important tasks of trying to harmonize the cybersecurity programs within government, establishing an effective partnership with the private sector, and developing strong relationships with other nations to combat cyber crime. It recommends…
For more than 30 years, our country has struggled to delineate the boundaries of domestic intelligence operations. Americans tend to regard those government components exercising national security powers within the borders of the United States (whether under clear authority or not) with an inherent suspicion bolstered by historical experience.
We tolerate the existence of such components but insist that they be highly regulated, particularly with respect to any activities that impinge upon civil society. Historical circumstances influence, but never erase, this regulatory imperative. Despite this imperative, components may occasionally escape regulation – at least for a time – because they are unknown, their missions remain mysterious or only partially understood, or because (intentionally or not) a convincing illusion of sufficient regulation is presented to the examining eye.
In the fall of 2001, the Bush administration was looking for a place to imprison and interrogate alleged al Qaeda members away from the prying eyes of other countries and insulated from the supervision of United States courts. The Defense Department believed that the Naval Base at Guantánamo Bay, Cuba might work, so it asked the Justice Department’s Office of Legal Counsel (OLC) whether federal courts would entertain habeas corpus petitions filed by prisoners at Guantánamo, or whether they would dismiss such petitions as beyond their jurisdiction. On December 28, 2001, OLC responded with a thorough and balanced analysis of how the federal courts were likely to resolve the jurisdictional question. The memorandum prepared by OLC explained the arguments against such jurisdiction, but it also explored possible strengths in the opposing position. The memorandum predicted that federal courts would not exercise jurisdiction but explained the risk of a contrary ruling. Acting in reliance on this memorandum, the government started imprisoning and interrogating alleged al Qaeda members at Guantánamo the following month, cognizant of the risk that a federal court might find habeas jurisdiction.