Sen. Ron Wyden, D-Ore., unveiled draft legislation on Monday that would require the Federal government to set new cybersecurity and interoperability standards for collaboration software such as Microsoft Teams, Slack, and Zoom.

The senator unveiled the draft Secure and Interoperable Government Collaboration Technology Act following the Cyber Safety Review Board’s (CSRB) recent report that attributed the success of the summer 2023 Microsoft Exchange Online intrusion to “a cascade of security failures at Microsoft” and an “inadequate” security culture at the company.

In its report, the CSRB concludes that the China-based hack – which compromised the email accounts of several U.S. government officials, including Commerce Secretary Gina Raimondo – “was preventable and should never have occurred.”

“My bill will secure the U.S. government’s communications from foreign hackers, while protecting taxpayer wallets. Vendor lock-in, bundling, and other anticompetitive practices result in the government spending vast sums of money on insecure software,” Sen. Wyden said in an April 8 press release.

“It’s time to break the chokehold of big tech companies like Microsoft on government software, set high cybersecurity standards, and reap the many benefits of a competitive market,” he added.

The senator explained that Federal agencies often use different collaboration technologies. For example, if one government official is on Teams and the other on Slack, there’s no way for the two to talk to each other.

Sen. Wyden’s proposed bill aims to change that by ensuring Federal agencies procure collaboration technology that is based on interoperable, secure standards. It would task the National Institute of Standards and Technology (NIST) with setting the standards, requirements, and guidance for collaboration technologies – based on a list of required collaboration technology features identified by the General Services Administration (GSA).

It would also require the technologies to use end-to-end encryption and other technologies to protect U.S. government communications from foreign surveillance.

Four years after NIST develops the standards, the bill would then require collaboration tech procured by the Federal government to “be capable of communicating using the identified standards, so that it’s interoperable with other products used within the government.”

Additionally, it would create a GSA and Office of Management and Budget working group to produce a review of the standards every two years. The bill would also task the Department of Homeland Security with conducting cybersecurity reviews of commonly used collaboration tech products.

The draft bill is endorsed by Accountable Tech, Demand Progress, Fight for the Future, Proton, Nym, the Matrix.org Foundation, and Cory Doctorow.

“Through this legislation, the Federal government has the opportunity to set an example for workplaces, organizations, and institutions across the country on how to fundamentally improve online safety,” said Leila Nashashibi, a campaigner at the nonprofit Fight for the Future. “Protecting digital communication with end-to-end encryption is essential to data privacy and security, and should be the standard across the board.”

“The issue of data privacy has never been more urgent, and decisive lawmaker action is needed in this moment to bring about tech platform policies that truly center our privacy and needs as users – not corporate profits,” Nashashibi added.

For those interested, Sen. Wyden is accepting feedback on the draft legislation at SecureTech@wyden.senate.gov.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.