from the FAS Project on Government Secrecy
Volume 2017, Issue No. 73
October 16, 2017

Secrecy News Blog:


Four months after President Trump issued his National Security Presidential Memorandum 5 on US policy towards Cuba and ordered it to be published in the Federal Register, that has still not been accomplished.

The Memorandum, posted on the White House web site on June 16, states that "The Secretary of State is hereby authorized and directed to publish this memorandum in the Federal Register."

That was never done. Why not?

The State Department says it did not receive the Cuba directive in the proper form.

"The Federal Register requires the signed original be submitted for publication," a State Department spokesman said last week. "The Department of State does not yet have the original document. We refer you to the White House for further information."

For its part, the White House said the State Department spokesman was misinformed, that a certified copy had been promptly delivered to the executive secretariat within the Office of the Secretary of State, and that the document was ripe for publication in the Federal Register.

The fact remains that four months after its issuance NSPM 5 has yet to appear in the Federal Register as ordered by the President.

That kind of delay in publication is unusual. The previous National Security Presidential Memorandum, NSPM 4, was issued on April 4, 2017, and it was published in the Federal Register two days later on April 6.

What's even more peculiar is that the whole notion of publishing the directives in the Federal Register seems to be based on a misunderstanding.

Prior to the Trump Administration, national security directives were never published in the Federal Register. But because the Trump directives were styled as "National Security Presidential Memoranda" it appears that they were drafted by White House officials using a template for ordinary (non-national security) "presidential memoranda," which are routinely published in the Federal Register every few days.

Perhaps belatedly recognizing that fact, the latest NSPM 7 on "Integration, Sharing, and Use of National Security Threat Actor Information to Protect Americans" that was issued on October 4 and posted on the White House website is the first unclassified Trump NSPM that does not mandate publication in the Federal Register. (A classified annex to NSPM 7 listing attributes of "national security threat actors" was not released.)

Meanwhile, the sequential gap between NSPM 5 and NSPM 7 points to the existence of an NSPM 6. It is a classified document that has not been disclosed.

The Washington Post reported on September 30 that "Trump signed [a] presidential directive ordering actions to pressure North Korea." But as far as could be determined, that reported directive was not NSPM 6 and apparently was not a "National Security Presidential Memorandum" at all, raising the possibility that the Trump White House is using some other yet-unidentified instrument of presidential authority to implement national security policy.


What constitutes an act of war in the cyber domain?

It's a question that officials have wrestled with for some time without being able to provide a clear-cut answer.

But in newly-published responses to questions from the Senate Armed Services Committee, the Pentagon ventured last year that "The determination of what constitutes an 'act of war' in or out of cyberspace, would be made on a case-by-case and fact-specific basis by the President."

"Specifically," wrote then-Undersecretary of Defense (Intelligence) Marcel Lettre, "cyber attacks that proximately result in a significant loss of life, injury, destruction of critical infrastructure, or serious economic impact should be closely assessed as to whether or not they would be considered an unlawful attack or an 'act of war.'"

Notably absent from this description is election-tampering or information operations designed to disrupt the electoral process or manipulate public discourse.

Accordingly, Mr. Lettre declared last year that "As of this point, we have not assessed that any particular cyber activity [against] us has constituted an act of war."

See Cybersecurity, Encryption and United States National Security Matters, Senate Armed Services Committee, September 13, 2016 (published September 2017), at p. 85.

See related comments from Joint Chiefs Chairman Gen. Joseph Dunford in U.S. National Security Challenges and Ongoing Military Operations, Senate Armed Services Committee, September 22, 2016 (published September 2017), at pp. 56-57.

In January 2017, outgoing Obama DHS Secretary Jeh Johnson for the first time designated the U.S. election system as critical infrastructure. "Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law," he wrote. It follows that an attack on the electoral process could now be considered an attack on critical infrastructure and, potentially, an act of war.

"Russia engaged in acts of war against America, not with bullets and bombs, but through a modern form of warfare, a cyberattack on our democracy," opined Allan Lichtman, a history professor at American University, in a letter published in the latest issue of the New York Review of Books.

Not so fast, replied Noah Feldman and Jacob Weisberg: "The US is not now in a legal state of war with Russia despite that country's attempts to affect the 2016 election."

The current issue of the US Army's Military Intelligence Professional Bulletin (Oct-Dec 2017) includes an article on Recommendations for Intelligence Staffs Concerning Russian New Generation Warfare by MAJ Charles K. Bartles (at pp. 10-17).


Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.

The Secrecy News blog is at:

To SUBSCRIBE to Secrecy News, go to:


OR email your request to

Secrecy News is archived at:

SUPPORT the FAS Project on Government Secrecy with a donation here: