CJS funding bill would limit high-tech surveillance

The House passed a $51.4 billion Commerce, Justice and Science funding bill for fiscal 2016 on June 3 that would pare back the government's authority to conduct surveillance on communications.

Taken together, they constitute something of a follow-on to the USA Freedom Act, just signed into law, which put new rules on the bulk collection and searching of telephone metadata by spy agencies.

The bill, passed 242-183, includes:

*An amendment by Ted Poe (R-Texas) that would prohibit funding for government to require technology companies to build in support for tapping encrypted communications. The provision would put the brakes on efforts by FBI Director James Comey to guarantee that law enforcement agencies have access to encrypted communications. The amendment was adopted by voice vote.

* An amendment by Darrell Issa (R-Calif.) that would bar funding of efforts by federal law enforcement to use "stingray" devices, which simulate the activity of cell towers to capture location and identifying information from mobile phones, to collect data in bulk without a court order. The amendment was adopted by voice vote.

* An amendment by Jared Polis (D-Colo.) that would ban the Drug Enforcement Administration from collecting phone records in bulk. The amendment was adopted by voice vote.

* An amendment by Thomas Massie (R-Ky.) that would bar the National Institute of Standards and Technology from coordinating on encryption or computer security standards with the CIA and the National Security Agency, except for the purposes of improving information security. The Massie amendment was a response to revelations from former NSA contractor Edward Snowden and other sources about collaboration between NIST and the intelligence community to insert flaws into highly complex encryption standards – revelations that led NIST to ultimately disavow the standards. The amendment was adopted 383-43.

"Don't you want the best security available that the minds in this country can create ... to safeguard your health records, maybe to safeguard your gun records, maybe to safeguard your bank accounts and your credit cards? We are more safe when we have better security and better encryption, so it makes no sense for [NIST] to work with the NSA to weaken our encryption software," Massie said.

Supply chain, census, other IT measures

The bill would renew federal policy requiring supply-chain vetting for the acquisition of high-impact and moderate-impact IT systems, including an assessment from the FBI or other appropriate agency to evaluate cyber risks posed by any system whose manufacture is touched by firms controlled or subsidized by the Chinese government, or other sources identified by the U.S. as posing a cybersecurity threat. The House bill would extend the language of the measure to encompass the renewal as well as the acquisition of systems.

Appropriators are worried about the looming 2020 census. The bill includes $848 million in funding for the count, but there are some strings attached related to IT delivery. The bill would mandate that half the IT funding for the 2020 census be withheld pending the Census Bureau's delivery of a spending plan for the large-scale Census Enterprise Data Collection and Processing project, which would put all the census data gathering, analytics and dissemination technology under a single system for the first time.

The bill would deliver drastic cuts to the National Strategy for Trusted Identities in Cyberspace, a Commerce Department program designed to fund pilot projects to create new methods of online authentication that go beyond simple usernames and passwords. Under the bill, funding of new grants would cease, and second-year awards under 2015 grants would be canceled, with the allowed funding being used to wind up the program.

The White House issued a veto threat before the bill went up for a vote. On the IT side, the Obama administration is particularly concerned about census IT funding, the NIST appropriation, Internet governance transition work being performed by the National Telecommunications and Information Administration at Commerce, funding for Commerce’s digital service team, and budget requests by NASA and the National Science Foundation to comply with the Digital Accountability and Transparency Act.