Last week, Sen Warner (D,VA) introduced S 4443, the Intelligence Authorization Act for Fiscal Year 2025. This bill extends various intelligence agency authorizations and provides congressional directives and oversight to those agencies. The bill contains a number of cybersecurity provisions that may be of interest outside the intelligence community.
Sections addressing cyber security issues of potential concern include:
§313. Report on sensitive commercially available information.
§401. Strategy and outreach on risks posed by People's Republic of China smartport technology.
§510. Management of artificial intelligence security risks. (similar to S 4230)
§511. Protection of technological measures designed to verify authenticity or provenance of machine-manipulated media.
§512. Sense of Congress on hostile foreign cyber actors.
§513. Designation of state sponsors of ransomware and reporting requirements.
§514. Deeming ransomware threats to critical infrastructure a national intelligence priority.
§1203. Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act of 2024. (similar to HR 7447)
Sensitive Information
Section 313 would require each intelligence agency to provide an annual report to congress on “the access to, collection, processing, and use of sensitive commercially available information [definition link added] by the respective element.” The Director of National Intelligence would (every 2-years) be required to publish a public report on “the policies and procedures of the intelligence community with respect to access to and collection, processing, and safeguarding of sensitive commercially available information.”
The report would include (along with 23 other requirements) a “description of procedures for restricting dissemination of the sensitive commercially available information, including deletion of information of United States persons returned in response to a query or other search unless the information is assessed to be associated or potentially associated with the documented mission-related justification for the query or search.”
In a left-handed way, this specifically allows the intelligence community to request information on “United States persons” from commercial sources. This could include information that might normally only be available via a court order.
Detecting Deep Fakes
Section 511 [link updated 7-1-24, 7:47 am EDT] would provide protections for technological measures “designed to verify the authenticity, modifications, or conveyance of machine-manipulated media, or characteristics of the provenance of the machine-manipulated media, by generating information about the authenticity of a piece of content that is knowingly false.” The language does not define the ‘technological measures’ being protected, nor even provides guidance on what measures developed by what entities. It does, however, specifically provide prohibitions on:
The section does not provide for criminal enforcement, but provides that the Attorney General may take civil actions to enforce these prohibitions with fines of $200 to $2,500 per violation and treble damages for repeated subsequent violations.
Countering Ransomware
Section 512 provides ‘sense of Congress’ determination that eighteen specific ransomware groups should be considered ‘foreign cyber actors’ and that “covered nations abet and benefit from the activities of these actors”. This determination would provide some legal cover for intelligence agencies to surveil, track, and potentially take covert actions (under congressional oversight, of course) against these specific groups.
Section 513 would require the State Department and the DNI to annually compile a list of countries designated as a state sponsor of ransomware. That designation would be based upon the determination that the country has “provided support for ransomware demand schemes (including by providing safe haven for individuals engaged in such schemes) [emphasis added]”. The President would then be required to apply the same sanctions to such designated sponsors as those “imposed with respect to a state sponsor of terrorism.”
Section 514 would require the DNI to “deem ransomware threats to critical infrastructure a national intelligence priority component to the National Intelligence Priorities Framework.” It would also require a report to congress on “the implications of the ransomware threat to United States national security.”
Moving Forward
While this bill has now been cleared for consideration in the Senate, it is not likely to come to the floor for direct consideration. In recent years it was incorporated into either a consolidated spending bill or the National Defense Authorization Act as a Division of that bill. In the case of the NDAA, the language from this bill (likely with modifications) would be added to the substitute language when the House passed NDAA was considered. In the case of a spending bill, the intelligence authorization division would be added to the drafted bill behind closed doors, it would be some sort of amalgam of this bill, the House version of the bill and other provisions added as needed.