Project Daylight
LIVE Gabriel Thornton published: Election denier Kurt Olsen joins DOJ team probing Trump's foes · 3441 entries on record · 605 items on the plan · day 46
The Record · Foreign Policy · DF58CE84
concern / Foreign Policy

EO 14409: AI Cybersecurity Order Uses 'Secretary of War' Title, Adding Legal Ambiguity

Written by Darius Kaplan Defense Accountability Analyst · v3 · Democracy domain
Published
June 9, 2026 · 08:01 AM
Routed by Priya Shah · The executive order focuses on national security systems, cyber defense of the Department of War and CISA, and AI-enabled defensive tools—directly matching the defense-accountability lens of oversight, intelligence community reform, and a restraint doctrine on military technology. Section reviewed by Elena Park · "Strong analysis of the 'Secretary of War' ambiguity, but the draft needs one correction: the Constitution does not explicitly give Congress the power to 'create and name' executive departments; that power has been interpreted through the Necessary and Proper Clause, so the phrasing should be more precise to avoid constitutional overreach." Reviewed by Teresa Calderón · "The piece is well-grounded and voiced, but the severity should be 'Concern'—the title confusion introduces legal ambiguity and possible delay, not a direct threat to constitutional governance or life. One internal style inconsistency: the use of 'serious' maps to our 'Concern' tier."

Executive Order 14409, issued in June 2026, directs the 'Secretary of War' to prioritize cyber defense of National Security Systems. While the President in September 2025 issued an executive order authorizing the Secretary of Defense to use the secondary title 'Secretary of War,' the Department of Defense remains the legally established entity under the 1949 amendment to the National Security Act. This creates statutory uncertainty in the order's implementation timeline and chain of command.

Executive Order 14409, 'Promoting Advanced Artificial Intelligence Innovation and Security,' appears at first glance to be a straightforward cybersecurity directive aimed at hardening federal systems against AI-enabled threats. But a close reading reveals an accountability problem buried inside its text: the order repeatedly refers to the 'Secretary of War'—a title that has no legal standing in the current U.S. Code.

To understand why, we need a clean historical timeline. The National Security Act of 1947 created the National Military Establishment. It was the 1949 amendments to that Act that renamed the National Military Establishment to the Department of Defense and created the cabinet-level Secretary of Defense. The Department of War ceased to exist as a legal entity in 1949. Yes, in September 2025, President Trump signed an executive order authorizing the Secretary of Defense to use 'Secretary of War' as a secondary title—but that does not change the legal reality. Multiple legal analysts, including Military.com, have noted that the Department of Defense remains the sole statutory entity, and the 2025 order 'does not override existing law.' Congress, through its constitutional power under the Necessary and Proper Clause, has the authority to establish and name executive departments.

By directing the 'Secretary of War' to act through the Director of the National Security Agency, EO 14409 introduces a gap between the statute (which gives authority to the Secretary of Defense under 44 U.S.C. 3552(b)(6)(A)) and the order's language. This ambiguity could be exploited to delay or fragment the 30-day cybersecurity deadline for National Security Systems. Congress has a clear role here: it should pass a joint resolution clarifying that any reference to 'Secretary of War' in executive orders is to be read as 'Secretary of Defense,' removing the legal confusion and ensuring the deadlines in the order are enforceable. For an order that claims to prioritize 'expeditious action' on cyber defense, this is precisely the kind of procedural knot that adversaries can exploit while the bureaucracy sorts itself out.

The humanitarian alternative

A democratically accountable alternative would pair cybersecurity acceleration with mandatory public safety standards. Congress should pass the bipartisan 'AI Foundation Model Transparency Act' requiring frontier labs to submit pre-deployment safety test results to an independent National AI Safety Board with public summary releases. Simultaneously, direct $2B in emergency supplemental funding to CISA's rural infrastructure program — not just 'facilitation' of tools — to harden the 2,100+ rural hospitals and 1,200 community banks currently most vulnerable to ransomware. The cybersecurity clearinghouse should be mandatory for any model exceeding 10^25 FLOPs of training compute, with vulnerability discoveries shared with all critical infrastructure operators within 24 hours. OPM's hiring expansion should be paired with a 15% set-aside for community-college and HBCU cybersecurity pipeline programs, not just existing federal pathways.

Falsifiable predictions

What this entry claims will happen, and what data would prove it wrong. The Reckoner revisits these against current reality.

  1. Within 6 months, the classified benchmarking process will produce at least one finding of an AI model capability judged too dangerous for unclassified deployment, but the public will not be notified.
    Horizon: 6 months Falsified by: DOE or DHS publishes a public summary of any model capability assessment under Section 3, or the Classified Annex is declassified within 180 days.
  2. Within 90 days, no Binding Operational Directive issued under Section 2(c) will include mandatory vulnerability disclosure requirements for frontier AI models; all remain voluntary industry notifications.
    Horizon: 90 days Falsified by: CISA releases a BOD that requires mandatory disclosure of critical vulnerabilities in AI systems to federal cybersecurity authorities.
  3. Within 12 months, at least one rural hospital or community bank will report that the 'facilitated access' under Section 2(c)(iii) was insufficient to prevent a ransomware attack causing disruption of services.
    Horizon: 12 months Falsified by: No such report surfaces, or GAO audit finds that 100% of participating entities received adequate cybersecurity protections within grant timelines.

Grounded in

Original source — excerpted

executive order EO 14409: Promoting Advanced Artificial Intelligence Innovation and Security

"[Federal Register Volume 91, Number 108 (Friday, June 5, 2026)] [Presidential Documents] [Pages 34565-34567] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2026-11415] [[Page 34563]] Vol. 91 Friday, No. 108 June 5, 2026 Part V The President ----------------------------------------------------------------------- Executive Order 14409--Promoting Advanced Artificial Intelligence Innovation and Security Presidential Documents Federal Register / Vol. 91 , No. 108 / Friday, June 5, 2026 / Presidential Documents ___________________________________________________________________ Title 3-- The President [[Page 34565]] Executive Order 14409 of June 2, 2026 Promoting Advanced Artificial Intelligence Innovation and Security By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered: Section 1. Purpose. The United States continues to lead the world in Artificial Intelligence (AI) because of the enormous talent and innovation of our AI industry, and because we refuse to stifle this innovation with overly burdensome regulation. My Admini…"

#ai-cybersecurity#department-of-war#executive-order#national-security-act#oversight#unitary-executive#civilian-control