Countdown to shutdown:

Senate bill would tighten up Zoom, Teams security for government use.

A bill sponsored by Sen. Ron Wyden (D-Ore.), would require vendors of online collaboration tools, like Zoom or Slack, to boost their security.

A bill sponsored by Sen. Ron Wyden (D-Ore.), would require vendors of online collaboration tools, like Zoom or Slack, to boost their security. It would require the National Institute of Standards and Technology to come up with the standards, as well as have Homeland Security make sure the companies comply. For analysis, the Federal Drive with Tom Temin spoke with Miller and Chevalier attorney, and former CIA attorney, Ashley Powers.

Interview Transcript: 

Tom Temin And this bill, what is it they’re trying to accomplish here in your estimation?

Ashley Powers Well, the bill itself doesn’t explicitly call this out. The press releases that came along with the release of the proposed bill seemed to make clear that the proposed bill takes aim at Microsoft and the security breaches that it had about a year ago. And on its face, the proposed bill sounds like a great idea. It increases competition, which has the dual benefit of creating better products for the federal government and also making them more reasonably priced. And then the other benefit is that it’s aimed at enhancing security of the government data and communications that are transmitted across these platforms.

Tom Temin Well, how does it do that? That is to say, how can you increase competition when it seeks to make everyone comply with the same standards and kind of commoditize those platforms?

Ashley Powers So my initial concerns with it were once you move past the surface reaction of okay, let’s enhance competition and enhance security, those are both perfectly honorable objectives. Is this going to increase competition or is it going to deter companies from wanting to do business with the government? And will these requirements make the technology more secure? So, to the first question and to your question, the more we regulate these companies, the less likely they want to do business with the federal government. And I think that’s for a couple of reasons. One, it obviously makes doing business with the government more expensive. And it also makes it riskier because in addition to this proposed bill, as we’re all aware, there are a lot of cybersecurity requirements coming out of Congress, out of the White House, out of OMB. And it just creates a regulatory landscape that is fraught with potential issues, either reporting requirements, litigation, those sorts of things. I think one of the other things that this bill does, and I’m admittedly not a software engineer, but to the extent the bill wants to create these general standards and enforce interoperability between these platforms, I’m curious what that means for a company’s intellectual property and source code. And that’s another issue that a lot of companies face when they’re contemplating doing business with the government, is what’s going to happen to my intellectual property.

Tom Temin Well, I’m wondering what they mean by interoperability. I mean, right now you and I are speaking on happens to be the zoom platform. Sometimes people want the team’s platform. I can’t imagine why it’s not as good as the other one, but you’re using one or the other. I’m not sure what the meaning of interoperability is in that context.

Ashley Powers Well, the way I read it, and I could be wrong, but the way I read it is you should be able to use zoom, and if I wanted to, I should be able to use teams. And those two platforms should be able to communicate with one another. So, for example, all agencies should not be obligated to purchase the same platform. Different agencies should be able to purchase whatever platform they think suits them best. And that will theoretically create more competition. Now, of course, there are some people who say, well, the government’s bargaining power operating as a collective federal government is what sometimes gives it more authority to negotiate better pricing. So, would that undercut there? But the way I read it is that the underlying point is we don’t want people to just have to use zoom. And then the other party also has to use zoom or one-party use teams, the other party has to use teams and be locked into each other that way.

Tom Temin We’re speaking with Ashley Powers. She’s an attorney with Miller and Chevalier and also a former senior counsel at the CIA. Again, in a practical standpoint, if you don’t have that program, you just open it in your browser. And so, if you don’t have teams on, there’s a Teams browser version and vice versa for zoom. So, I guess I’m sort of rhetorically questioning what they mean by that. But I wanted to ask you about, in your experience from the government side, how does the government in general look at the security of a platform like this, when in the case of teams, it’s part of a much larger enterprise? License agencies are likely to have through office 365 that many of them have as their standard for all of the collaboration. Tools with the Microsoft Cloud because it happens to work pretty well for them.

Ashley Powers Well, and I think that highlights one of the big problems about this proposed bill is that doesn’t necessarily reflect the current commercial reality of these products, and that Microsoft is not generally selling teams on a one-off basis. It’s part of, as you said, it’s part of the Microsoft suite of products. So, will Microsoft or other companies be willing to break apart that suite of products to sell them off piecemeal in response to this bill? I’m not sure in terms of how government agencies view the security. I don’t speak for the government writ large, but different agencies have different protocols for assessing the security of the systems and asking for certain representations and certifications. And certainly, that’s becoming more and more true now that we’re going to have a FAR part 40 soon. And I think that that is just part of the competitive landscape.

Tom Temin But in the intelligence community, for example, again, just speaking in general terms, if they decide, one of the IC agencies decides this is secure enough for our use in communicating, you know, point A to point B, I would think that interoperability with third party type of software would be something they would not desire, because that opens up more vulnerabilities than they were dealing with simply with one platform.

Ashley Powers Yes, and that is certainly something that I was concerned about as well, is as you force companies to create these platforms that are based on publicly available open standards and then require this interoperability. Does that in fact defeat the cybersecurity? And again, I’m not a software engineer. I can’t, but logically speaking, that would seem to make sense to me.

Tom Temin And watching this bill as it develops, as you and the firm are, does it seem to be gaining from your standpoint, a lot of cohorts, or is it just one of those gambits?

Ashley Powers I haven’t heard anything one way or the other, but perhaps it is gaining traction. It’s not something that I’ve heard spoken a lot about. I’ve mentioned it to a couple of my colleagues, either on the government side or at other law firms, and it’s not something they were familiar with.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories