Senator Wyden introduces legislation to boost government collaboration technology security, interoperability

U.S. Senator Ron Wyden introduced draft legislation on Tuesday to eliminate federal reliance on insecure, proprietary software following a series of detrimental breaches in government systems. The legislative move is set to bring mandatory cybersecurity standards, save taxpayers money, and break the anti-competitive lock-in effect caused by proprietary, walled-garden software. It will enhance national security, improve government efficiency, and save taxpayer dollars by requiring the government to purchase collaboration technology that is interoperable, end-to-end encrypted, and built on open standards.

Titled ‘Secure and Interoperable Government Collaboration Technology Act,’ the legislation would require the government to set new secure, open standards for collaboration software, which would also promote competition and save taxpayer dollars. The draft legislation is endorsed by Accountable Tech, Demand Progress, Fight for the Future, Proton, Nym, the Matrix.org Foundation, and Cory Doctorow.

Wyden, a Democrat representing Oregon, highlighted that his move follows numerous damaging hacks of U.S. government systems attributed to inadequate cybersecurity practices by major tech companies offering services to the government. He also pointed to the most recent incident where the Department of Homeland Security Cyber Safety Review Board identified a ‘cascade’ of errors by Microsoft, allowing Chinese hackers to breach federal email systems.

The Secure and Interoperable Government Collaboration Technology Act would ensure the federal government is procuring and using collaboration technology that is based on interoperable, secure standards – meaning an employee from an agency using Teams could call someone from an agency using Zoom, or send a message to another agency that uses Slack. 

It also requires the use of end-to-end encryption technology, which is critically important to protect government communications from snooping by foreign adversaries but has been unevenly adopted by the major video calling platforms used by government agencies. It also would require collaboration software used by the government to allow agencies to comply with federal record-keeping requirements – a growing concern as an increasing share of agency business is conducted through new collaborative software systems.

“Collaboration technology providers who sell to the government should not be locking users into their walled product gardens using proprietary data standards,” it added. “Government agencies, including the National Security Agency, Marines, and Navy, have endorsed the use of standards-based technology and security practices like end-to-end encryption – it’s time for these principles to be reflected in the collaboration technology the federal government procures and uses.”

“My bill will secure the U.S. government’s communications from foreign hackers while protecting taxpayer wallets. Vendor lock-in, bundling, and other anticompetitive practices result in the government spending vast sums of money on insecure software,” Wyden detailed in a media statement. “It’s time to break the chokehold of big tech companies like Microsoft on government software, set high cybersecurity standards, and reap the many benefits of a competitive market.”

The Secure and Interoperable Government Collaboration Technology Act would require the General Services Administration (GSA) to identify a set of required collaboration technology features, and the National Institute of Standards and Technology (NIST) to identify a set of interoperable standards, requirements, and guidance for each of those features.

It would also require that, to the fullest extent possible, the standards use end-to-end encryption and other technologies to protect U.S. government communications from foreign surveillance.

Additionally, the Act would require that collaboration technologies used by federal agencies enable those agencies to comply with federal record-keeping requirements. Four years after NIST identifies the standards, the Act requires that collaboration technology procured by the federal government be capable of communicating using the NIST standards.

The Act also tasks the Department of Homeland Security with conducting cybersecurity reviews of collaboration technology products widely used by the federal government. Lastly, it prescribes creating a GSA and Office of Management and Budget working group to produce biennial reviews of collaboration technology used by the federal government and to suggest additions or improvements to the standards.

“Interoperability – the ability to plug something new into a technology, with or without permission from the manufacturer – is the key to defeating Big Tech,” said Doctorow. “This bill will require public funds to be spent on technology that anyone can fix, extend, or improve, preventing tech companies from locking in and ripping off the US government. The most amazing part is that this isn’t already the way it’s done.”

“Through this legislation, the federal government has the opportunity to set an example for workplaces, organizations, and institutions across the country on how to fundamentally improve online safety,” said Leila Nashashibi, campaigner at Fight for the Future. “Protecting digital communication with end-to-end encryption is essential to data privacy and security, and should be the standard across the board. Without it, messages can be intercepted and abused by hackers, repressive law enforcement agencies, foreign governments, or the company that owns the platform itself.”
