Shouldn't Teams, Zoom, Slack all interoperate securely for the Feds? Wyden is asking
Doctorow: 'The most amazing part is that this isn't already the way it's done'
Collaboration software used by federal government agencies — this includes apps from Microsoft, Zoom, Slack, and Google — will be required to work together and be securely end-to-end encrypted, if legislation proposed by US Senator Ron Wyden (D-OR) passes.
That's a big if. Without a lot of bipartisan momentum behind it, his proposal isn't expected to make it into law during this election year.
Wyden proposed the legislation, the Secure and Interoperable Government Collaboration Technology Act, on Tuesday. It is intended to make products from competing vendors, such as Teams and Zoom, talk to each other more securely.
Specifically, it would require the US government's General Services Administration (GSA) to create a list of collaboration technology features used by the federal government. Then the National Institute of Standards and Technology (NIST) would need to identify a set of interoperable standards and requirements for each of these.
The legislation would also require that, "to the extent practicable," end-to-end encryption and other technologies that protect government communications from foreign surveillance be built in. These collaboration technologies must also comply with federal record-keeping requirements.
Four years after NIST selects the standards, all collaboration technology purchased by the federal government would be required to communicate using the identified standards, thus ensuring they are interoperable with other products used by federal agencies.
And finally, the legislation would require Homeland Security to review these products, and every other year a GSA and Office of Management and Budget working group would review the products in use and suggest updates to the standards.
"My bill will secure the US government's communications from foreign hackers, while protecting taxpayer wallets. Vendor lock-in, bundling, and other anticompetitive practices result in the government spending vast sums of money on insecure software," Wyden said in a statement.
"It's time to break the chokehold of big tech companies like Microsoft on government software, set high cybersecurity standards and reap the many benefits of a competitive market," he added.
Stunningly, the bill identifies collaboration systems that would not be subject to the interoperability and security requirements. These include email, voice services, and national security systems.
So despite the proposal's attempt at landing a blow on Microsoft's mafia-like hold on government-procured tech, the latest Redmond email security breaches by Chinese and Russian cyberspies probably would have happened even with the Wyden-backed security standards in place.
While those standards would likely face opposition from Big Tech, some digital rights and privacy organizations including Accountable Tech, Demand Progress, Fight for the Future, Proton, Nym, and the Matrix.org Foundation have already endorsed the draft legislation.
Author and activist Cory Doctorow has also thrown his support behind the proposal.
"Interoperability — the ability to plug something new into a technology, with or without permission from the manufacturer — is the key to defeating Big Tech," he said.
"This bill will require public funds to be spent on technology that anyone can fix, extend, or improve, preventing tech companies from locking in and ripping off the US government," Doctorow added. "The most amazing part is that this isn't already the way it's done."