United States Department of Defense, Delegation of Authority to Negotiate and Conclude International Agreements on Cooperation in Information Assurance and Computer Network Defense , March 5, 2002. Unclassified.

Source: United States Department of Defense, Delegation of Authority to Negotiate and Conclude International Agreements on Cooperation in Information Assurance and Computer Network Defense , March 5, 2002. Unclassified. Date: Mar 5, 2002 Archive: FOIA Request Collection: Cyber Vault: Delegation of Authority Oct 25, 2017

Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

A New Diplomatic Tool for the Cyber Age

On 5 March 2002 Deputy Secretary of Defense Paul Wolfowitz signed a memorandum that formally delegated to the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD(C3I)) the power to negotiate and conclude international agreements on information assurance and computer‑network defense. The memo is not a policy statement so much as a bureaucratic authorization, yet its timing and language reveal how the Department of Defense was reshaping its diplomatic machinery to meet an emerging strategic threat.

The early 2000s saw the United States grappling with the first large‑scale cyber‑incidents that crossed national borders—most famously the 2000‑01 “Mafiaboy” attacks on major web sites and the 2001 cyber‑espionage campaign that compromised U.S. government networks (later identified as the Titan Rain series). Those events, together with the September 11 attacks, convinced senior defense officials that cyberspace had become a domain of war requiring not only technical defenses but also a coordinated international posture. The 2002 delegation therefore sits at the intersection of two broader shifts: the institutionalization of cyber‑security as a core defense function, and the recognition that no single nation could protect its critical infrastructure in isolation.

The memo’s distribution list—secretaries of the military departments, the Chairman of the Joint Chiefs, under secretaries, the General Counsel, and heads of research, testing, and field activities—signals that cyber cooperation was to be a whole‑of‑government effort. By naming the ASD(C3I) as the primary negotiator, the Department placed the authority within the office traditionally responsible for command‑and‑control systems, reflecting an understanding that network defense is inseparable from the very architecture of military communications. The requirement that the authority “may not be redelegated” underscores the sensitivity of sharing classified network data with foreign partners; the DoD wanted a single, accountable point of contact.

The memorandum also references two existing policy frameworks: DoD Directive 5530.3 on international agreements and DoD Directive 5230.11 on the disclosure of classified information. By tethering the new delegation to these directives, the Department ensured that any cyber‑focused treaty would be subject to the same rigorous review as conventional arms‑control or intelligence‑sharing accords. This linkage hints at the anticipated content of such agreements: exchange of threat alerts, joint exercises, staff exchanges, and possibly reciprocal access to each other’s critical infrastructure monitoring tools. While the memo does not list specific partners, the phrasing “military and defense officials of other nations and international organizations” suggests a focus on NATO allies and key regional powers such as Japan, South Korea, and Australia—countries with which the U.S. already conducted extensive joint training.

What the document does not say is equally telling. It makes no mention of private‑sector actors, even though much of the United States’ critical infrastructure—energy, finance, telecommunications—is owned by corporations. The omission reflects the pre‑2003 mindset that cyber‑defense was primarily a military concern, a view that would later be challenged by the rise of public‑private partnerships after the 2007 cyber‑attacks on Estonia and the 2010 Stuxnet incident. Moreover, the memo’s reliance on existing classification rules implies that the DoD anticipated the exchange of highly sensitive technical data, raising questions about how the United States would balance operational security with the need for transparency in multinational cooperation.

The legacy of this delegation is evident in the subsequent wave of bilateral and multilateral cyber‑security agreements. Within a few years the U.S. signed the U.S.–UK Cyber‑Security Memorandum of Understanding (2005) and the U.S.–Japan Cyber‑Security Cooperation Framework (2008). Those accords echo the categories listed in Wolfowitz’s memo—information sharing, joint exercises, and staff exchanges—demonstrating that the 2002 authorization was not merely procedural but a foundational step that enabled a new diplomatic genre. It also set a precedent for later executive orders (e.g., EO 13636 in 2013) that explicitly called for international collaboration on critical infrastructure protection.

In sum, the 5 March 2002 delegation of authority is a concise bureaucratic artifact that opens a window onto the early institutional response to cyber‑warfare. It reveals a defense establishment eager to embed cyber‑cooperation within its existing diplomatic apparatus, wary of uncontrolled dissemination of classified data, and still largely focused on state actors. Its influence persists in today’s network‑defense alliances, making it a pivotal, if often overlooked, milestone in the evolution of U.S. cyber‑security strategy.

(1)

THE DEPUTY SECRETARY OF DEFENSE
WASHINGTON, D.C. 20301

MAR 5 2002

MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS
CHAIRMAN OF THE JOINT CHIEFS OF STAFF
UNDER SECRETARIES OF DEFENSE
DIRECTOR, DEFENSE RESEARCH AND ENGINEERING
ASSISTANT SECRETARIES OF DEFENSE
GENERAL COUNSEL OF THE DEPARTMENT OF
DEFENSE
INSPECTOR GENERAL OF THE DEPARTMENT OF
DEFENSE
DIRECTOR, OPERATIONAL TEST AND EVALUATION
ASSISTANTS TO THE SECRETARY OF DEFENSE
DIRECTOR, ADMINISTRATION AND MANAGEMENT
DIRECTORS OF THE DEFENSE AGENCIES
DIRECTORS OF THE DOD FIELD ACTIVITIES

[413.51]

SUBJECT: Delegation of Authority to Negotiate and Conclude International Agreements
on Cooperation in Information Assurance and Computer Network Defense

Subject to the provisions of DoD Directive 5530.3, *International Agreements*, the
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence),
in coordination with the Under Secretary of Defense (Policy), the General Counsel, Under
Secretary of Defense (Comptroller), and the Chairman, Joint Chiefs of Staff, is delegated
the authority to negotiate and conclude agreements with military and defense officials of
other nations and international organizations to engage in cooperative activities
concerning information assurance, critical infrastructure protection, and computer
network defense, including the exchange of information, exchange of alert, warning and
response data, staff exchanges, and combined military exercises. This authority may not
be redelegated. All DoD personnel involved in the negotiation or performance of such
agreements shall ensure that their actions comply with the policies and procedures
established in DoD Directive 5230.11, *Disclosure of Classified Military Information to
Foreign Governments and International Organizations*, and related activities.

[5 Mar 02]

Paul Wolfowitz

U03181-02