The Senate Intelligence Committee quietly approved a measure last week that would require the Director of National Intelligence to submit a report to Congress on the threats posed by foreign governments’ and entities’ use of commercially available surveillance software.
The DNI’s report, which would be sent to Congress 180 days after the Intelligence Authorization Act for 2021 passes, would include information on how the U.S. — and other countries — can work to reduce the threats of commercial spyware, including through export controls, diplomatic pressure, trade agreements, and work with the technology and telecommunications sectors to better secure consumers’ software.
The committee wants the DNI to specifically address the threat posed to U.S. citizens, in addition to those living abroad or employed by the U.S. government.
The report request comes nearly one year after the United Nations Special Rapporteur David Kaye called for a moratorium on the creation and sale of surveillance technology until there are more human rights guardrails established to protect people’s privacy. The calls to investigate companies behind spyware have only grown since then — Amnesty International in recent months has asked Israel to revoke the export license of an Israeli software surveillance firm that has been accused of creating and selling technology that has enabled the surveillance of journalists and human rights activists around the world. The technology of the company, NSO Group, has also been accused of targeting associates of American journalist Jamal Khashoggi prior to his murder.
Kaye told CyberScoop he thinks Congress should examine the threats that spyware production and use pose to people around the world, and not just U.S. citizens.
“I would encourage Congress to broaden the scope of the required report to include threats posed to human rights worldwide, in particular threats to journalists, activists, and others in dissent,” Kaye told CyberScoop.
The measure was just one of several cybersecurity-related issues the committee put into the bill, the text of which was released publicly Thursday. The bill also would require the intelligence community to gain a better understanding of the cybersecurity threats posed by foreign adversaries’ telecommunications companies, Chinese disinformation and cyber-operations, and the status of U.S. cybersecurity defenses.
Other cybersecurity measures
The cyber-focused portions of the bill outline reporting requirements for the U.S. intelligence community that would likely touch on Chinese cyber-operations.
The bill would require the directors of the CIA, the National Security Agency and the Defense Intelligence Agency to report to Congress any attempts by foreign adversaries to provide telecommunications and cybersecurity services or equipment to the U.K., Australia, Canada, and New Zealand, all of which have a special intelligence-sharing relationship with the U.S. as members of the “Five Eyes” alliance.
For years now, the U.S. has been lobbying officials in allied countries, especially those in the U.K., to bar 5G technology from Chinese telecommunications company Huawei over concerns that Huawei could contribute to Beijing-backed espionage efforts. The report from the intelligence agencies would also be required to include an assessment of whether U.S. intelligence has been degraded or compromised as a result of those countries’ work with adversarial telecommunications firms.
In the past, the U.S. has threatened to reduce intelligence-sharing if allies work with Huawei, over concerns shared intelligence could not be protected from prying eyes in China. And although the U.K. has begun to review whether it should allow Huawei in its 5G networks, the future of Huawei in Britain remains uncertain.
The committee is also interested in receiving intelligence reporting on the Chinese government’s efforts to conduct cyber-operations related to the novel coronavirus. The request comes one month after warnings from the Department of Justice and Department of Homeland Security that Chinese hackers have targeted health care entities working on vaccines or treatments for the virus.
The bill would also mandate the DNI furnish Congress with information on how Chinese government officials have worked to suppress information on the viral outbreak in Wuhan, China.
According to the Alliance for Securing Democracy, Chinese ambassadors and state-backed media have spread, without evidence, narratives that the virus did not originate in Wuhan, China.
If passed, the Office of the Director of National Intelligence and the Departments of Homeland Security, Defense, Commerce, and Energy would also be required to provide Congress a report on the Cybersecurity Solarium Commission, the bipartisan committee that issued its own report on various cybersecurity policy improvements.
Some of the recommendations in the commission’s report have already gotten the Senate Armed Services Committee’s stamp of approval. The committee’s executive summary of the NDAA for 2021, issued Thursday, contains 11 recommendations from the commission’s report in all, including an assessment on the feasibility and advisability of creating a National Cyber Director role. The role, which the commission has said should be Senate-confirmed, would be the cybersecurity chief at the White House, a role that currently does not exist.