OFFICIAL USE ONLY THE DIRECTOR CENTRAL INTELLIGENCE AGENCY WASHINGTON, 20505 27 January 2014 The Honorable Dianne Feinstein Select Committee on Intelligence United States Senate Washington, D.C. 20510 Dear Madam Chairman: I am in receipt of your 23 January 2014 letter regarding our 15 January 2014 meeting. I wholeheartedly agree that the Executive and Legislative branches must respect the Constitution's separation of powers and that the events that led up to our meeting go not only to the heart of that respect, but also to the effectiveness and integrity of the oversight process. As I have noted in the past, I believe in and strongly support the necessity of effective Congressional oversight, while also desiring to protect the Executive branch's legitimate prerogatives. In order to give you a sense of my perspective on these developments, I have outlined them below and propose a possible path forward. In short, I believe your idea of some sort of independent review is worth exploring, as it is my hope that we can find a way to address these events in a mutually satisfactory way that respects the very separation of powers principles we both seek to uphold. As I relayed to you and Vice Chairman Chambliss during our I5 January meeting, I recently received information suggesting that sensitive CIA documents that were the subject of a pending request from the Committee may have been improperly obtained and/or retained on the SSCI staff side of a CIA local area network, which was set up exclusively for the Committee's RDI review and which contains highly classified information. Consequently, I asked for a meeting with you and the Vice Chairman as soon as possible to share that information and to discuss the need for a review of the system in order to assess what happened. As we know, both branches have taken great care to establish an accommodation regarding the Committee's access to Executive branch information on the RDI program, and we need to ensure that what is shared is as agreed between the branches. At the same time, and most importantly, if the integrity of our network is flawed, we must address the security problem immediately.1 1 To ensure we have a common understanding of the agreement governing the SSCI staff's access to and use of a portion of the relevant CIA facility's network, I will transmit under separate classified cover a copy of the agreed--upon Standard Operating Procedures, a copy of the materials used in OFFICIAL USE ONLY OFFICIAL USE ONLY The Honorable Dianne Feinstein During our 15 January meeting, I explained how it came to our attention that these documents were on the SSCI staff side of the network. As I indicated, recent statements made by Committee staff suggested they had in their possession a document that you requested in a 26 November 2013 letter. In your correspondence, you asked for "several summary documents" from what you termed an "internal review" of the CIA RDI program initiated by Director Panetta that purportedly came to conclusions similar to those contained in the Committee's study on the RDI program. Senator Udall made a similar reference to, and a request for, these materials during the open hearing on Caroline Krass's nomination to be the CIA's General Counsel. Senator Udall repeated his request for these documents in a 6 January 2014 letter that he wrote to the President. In response, I explained to both you and Senator Udall that these requests raised significant Executive branch confidentiality interests and outlined the reasons why we could not turn over sensitive, deliberative, pre--decisional CIA material. These documents were not created as part of the program that is the subject of the Committee's oversight, but rather were written in connection with the CIA's response to the oversight inquiry. They include a banner making clear that they are privileged, deliberative, pre--decisional CIA documents, to include attorney- client and attorney work product. The Executive branch has long had substantial separation of powers concerns about congressional access to this kind of material. CIA maintains a log of all materials provided to the Committee through established protocols, and these documents do not appear in that log, nor were they found in an audit of CIA's side of the system for all materials provided to SSCI through established protocols. Because we were concerned that there may be a breach or vulnerability in the system for housing highly classified documents, CIA conducted a limited review to determine whether these files were located on the SSCI side of the CIA network2 and reviewed audit data to determine whether anyone had accessed the files, which would have been unauthorized. The technical personnel conducting the audit review were asked to undertake it only if it could be done without searching audit data relating to other files on the SSCI side of CIA's network. That review by IT personnel determined that the documents that you and Senator Udall were the security briefing given to all Committee staff granted access to the CIA network, and other relevant documents. 2 The system is designed to preclude looking for file names across the entire network, thus precluding a single "network wide" review. Thus, absent finding and exploiting a vulnerability, the CIA personnel working on the RDI review should not be able to access any information on the SSCI side, and the SSCI staff working on the RDI review should not be able to access any information on the CIA side of the network. 2 OFFICIAL USE ONLY OFFICIAL USE ONLY The Honorable Dianne Feinstein requesting appeared to already be on the SSCI staff side of CIA's local area network and had been accessed by staff. Only completion of the security review will answer how SSCI staff came into possession of the documents. After sharing this information with you and explaining that I did not know how the materials would have appeared on the SSCI staff side of the network, I requested that you return any copies of these highly sensitive CIA documents located either in the Committee reading room at the CIA facility or in the Committee's own offices. You instructed your staff director to collect and provide to you any copies of the documents. I informed you that I had directed CIA staff to suspend any further inquiry into this matter until I could speak with you. I stated that I had asked for the meeting because I wanted Committee leadership to be fully aware of what had been brought to my attention before I directed the appropriate IT personnel to begin a full computer security review. I informed you that the staff who would conduct the security review would need to conduct computer forensics on the CIA documents that appear to be on the SSCI side of the system. I further informed you that the individuals assigned to conduct this security review would be "walled off" from the CIA personnel who have been involved in reviewing the Committee's study on the RDI program in order to protect the SSCI's legitimate equities in its deliberative materials and work product. I made clear during our meeting that I wanted to conduct this security review with your consent and, furthermore, that I welcomed the participation of the Committee's Security Director in this effort. You informed me that you were not aware that the Committee staff already had access to the materials you had requested in your letter. Soon after our meeting, you requested by letter that I suspend any investigation or further access to the computers or computer networks until you could consider the matter further. You also pledged in your letter that SSCI staff would not access those computers or computer networks for this same period. I reached you by telephone the next day to inform you that the CIA would temporarily suspend the security review in light of your request. I trust that you continue to believe that Committee staff should not access any of the computers on CIA's local area network while we work through this matter. As I stated in our meeting, the existence of these sensitive Executive branch documents on the SSCI side of the CIA facility of which were created outside the agreed time period for document significant concerns about the integrity of a highly classified CIA computer system and whether the protocols developed between the SSCI and the CIA in relation to CIA files are being followed. You indicate in your most recent 3 OFFICIAL USE ONLY OFFICIAL USE ONLY The Honorable Dianne Feinstein letter that these documents were provided to Committee staff at the CIA--leased facility, but, as I noted above, we have no record of having done so under the process by which we have regularly provided documents. As I noted at our meeting, this is a very serious matter, and it is important that both the CIA and the Committee get to the bottom of what happened. We should be able to do this in a way that preserves our institutional equities. I renew my invitation to have the Committee's security officer fully participate with CIA security professionals in a security review of the local area network dedicated to the RDI study. Your 23 January letter indicates that an independent review of these events also may be appropriate. I would welcome an independent review that explores CIA's actions and how these documents came to reside on the Committee's side of the CIA facility network. If you are amenable, I will have my Acting General Counsel reach out to the Committee's Majority and Minority Counsel to discuss options for such an independent review. However we proceed, the security review must be completed in a timely manner. It is imperative to learn whether or not a breach or vulnerability exists on this network and was exploited. I trust that you share my concerns and that we can work together to carry out a security review that answers these important questions while respecting the important separation of powers concerns of both branches. Sincerely, O. John O. Brennan cc: Members, Senate Select Committee on Intelligence The Honorable Jim Clapper, Director of National Intelligence Ms. Ruemmler, White House Counsel 4 OFFICIAL USE ONLY