S 4443 Report Published - FY 2025 Intel Authorization
After initially ordering S 4443, the Intelligence Authorization Act for Fiscal Year 2025, reported without a written report, the Senate Intelligence Committee published their report on the bill. In addition to providing summaries of the requirements of various sections of the bill, the report provides two additional discussions about cybersecurity related topics.
Senate Cybersecurity Report
There is currently a requirement (2 USC 4111) for the GAO to prepare an annual report to the Intelligence committees on “cybersecurity and surveillance threats to Congress.” The discussion on pages 19-20, on a one-time basis, expands the statutory requirements for that study. The study expansion is specifically tasked with looking at:
The extent to which the cryptography used in Senate collaboration platforms is consistent with leading cybersecurity practices,
Challenges that prevent offices or committees from implementing strong cryptography, such as end-to-end encryption, on Senate collaboration platforms,
Efforts taken by the Senate Sergeant at Arms (SAA) to safeguard the personal accounts, devices, and information of Senators, their staffs, and immediate families, and
The techniques, means, and methods used by the Senate SAA to detect surveillance against, hacks of, and the deployment of spyware by foreign governments, on mobile devices subject to Senate SAA cybersecurity safeguards.
One interesting phrase is used in the description of the additional requirements; when asking to compare Senate efforts to other government agencies that have “statutory authority [emphasis added] to safeguard the personal accounts, devices or information of employees”. This would seem to imply that the Intelligence Committee staff does not think that there is adequate ‘statutory authority’ for the SAA to protect the personal devices of members and staff.
In the resulting report, the GAO is required to “include any resulting recommendations to improve Senate policies and programs to meaningfully address related cybersecurity and surveillance threats and to protect Senate information.” It will be interesting to see if the House Intelligence Committee includes similar language concerning reporting on House ‘collaboration platforms’.
Additional Views
Typically, the ‘Additional Views’ section at the end of a committee report provides a voice to the ‘loyal opposition’ party to call out their opinions (most often about shortcomings) about the reported legislation. This report contains one of those typical additional views {from Vice Chair Rubio (R,FL)} on pages 25-6. But it also includes a set of comments by Sen Wyden (D,OR). While Wyden’s comments are generally not negative, he closes with a discussion about §511, Protection of technological measures designed to verify authenticity or provenance of machine-manipulated media. Wyden notes that:
“Finally, the bill includes a provision granting the Attorney General new powers to police the labeling of AI-generated media. This provision is modeled on the Digital Millennium Copyright Act’s anti-circumvention provisions, which are extremely controversial and have chilled legitimate cybersecurity research. The use of this problematic legislative framework to address the cutting-edge issue of AI-generated media raises numerous First Amendment and other questions that need to be considered and debated in public.”
Moving Forward
As with most authorization bills, the Senate is not expected to take up S 4111, rather they will take up the House bill (HR 8512) which as just recently reported. The Senate will take up the House passed language of that bill and immediately off the language from S 4111 as substitute language for the purpose of the debate in the Senate. A conference committee will subsequently iron out the differences between the two versions of the legislation.