NSA-bashing bills could hamstring cybersecurity info sharing

The raft of stories inspired by the Edward Snowden leaks of NSA eavesdropping has done major damage to America’s international relations and stirred up no little ruckus in the United States about illegal wiretapping and government overreach. So far, however, it’s not caused any irreparable splits between government and the IT industry. Big concerns, yes, but no concrete effects yet.

That could change, in a hurry. Bills introduced recently at the state level, if they become law, could bar many technology companies from doing business not only with the NSA, but also with state and local government entities. Even worse, any companies that subcontracted with companies doing business with the NSA or its partners could be affected. These bills also  threaten the sharing of information between industry and government that is crucial to U.S. cybersecurity, one of the nation’s top technology priorities.

California is probably the most important state so far to propose one of these bills, given that it’s the center of the U.S. high-tech industry, and so many of the companies there have some tie-in to civilian and military agencies. Ted Lieu, a Democratic state senator, and Republican Senator Joel Anderson, introduced Senate Bill 828 on Jan. 6 seeking  to throttle the NSA’s activities there.

In a statement the same day , Lieu said that “state-funded public resources should not be going toward aiding the NSA or any other federal agency from indiscriminate spying on its own citizens and gathering electronic or metadata that that violates the Fourth Amendment.” 

Other states that have so far introduced similar bills include Washington, Arizona, Maryland, Missouri, Oklahoma, Tennessee and Vermont. 

It’s not so much the fact that the bills have been introduced that has raised flags but that the language they use is so potentially far reaching. The California bill, for example, would “ban state agencies, officials and corporations providing services to the state from giving any material support, participation or assistance to any federal agency to collect electronic or metadata of any person, unless there has been a warrant issued that specifically describes the person, place and thing to be searched or seized,” according to Lieu.

It’s that “material support” bit that is concerning industry. In a letter to Lieu obtained by GCN, the IT Alliance for Public Sector (ITAPS), formed late last year by the Information Technology Industry Council, said the legislation could effectively ban companies from doing certain business, prohibit state funds going to companies and prevent the state or political subdivisions from providing incentives for companies to invest in California.

Given the vague language the bill uses you can’t get a firm idea on how far down the pipeline this could reach, according to Carol Henton, ITAPS’ vice president of state, local and education, public sector. The fear is that it will affect subcontractors and others who do business with government contractors, including the likes of counties and school districts, “and that could potentially sweep in oodles of activity.”

That includes such things as information sharing. It’s taken years to build the level of trust that’s needed for the kind of sharing about cybersecurity threats faced by industry and government organizations and that pose dangers for critical infrastructure. Companies and state entities such as law enforcement now regularly share information with the NSA. The bills proposed by California and other states could ban that.

And it’s not a straight one-to-one sharing. The NSA shares information back and forth with agencies such as the Department of Homeland Security, the FBI and the military. Would companies also be prohibited from doing business with those government agencies, since under the wording of the legislation that could well be construed as giving “material help” to the NSA? And since the legislation also forbids public universities in the state from being research facilities for the NSA, or acting as a recruiting grounds for it, would that also affect agencies that work with the NSA?

It’s unclear yet how far all of this will go. There are already indications that, given the fears expressed by ITAPS and other industry bodies, California lawmakers are already having second thoughts about pushing ahead with their legislation. Other states aren’t so reticent. An Arizona state senate committee voted out its version of the legislation on Feb. 24 , and it now moves to the full Senate for a vote.

And it seems unlikely this will go away any time soon. The legislation that’s already proposed is apparently based mainly on a template developed by Off Now, a coalition of national and state groups that’s aimed at “nullifying” NSA activities, and it seems to be gaining support from across the political spectrum. As California showed, the bills have some bipartisan support. 

Given that we are moving into what will be contentious mid-term elections, and then will go straight into the buildup for an even more contentious 2016 presidential election, something that’s as popular now as NSA bashing will be an attractive target at least until then. 

What that means for critical government IT and cybersecurity efforts still has to be worked out.