A new report from the House Intelligence Committee recommends Congress update the Foreign Intelligence Surveillance Act — a law that dictates procedures for electronic surveillance of persons engaged in espionage on behalf of nation states or terrorist entities ― to cover malicious international cyber actors.
The recommendation comes as part of the House Intelligence Committee’s final report on its investigation into alleged Russian meddling efforts in the 2016 presidential election.
The House panel’s final report, which is roughly 250 pages and heavily redacted, notes that Congress sought to address cyber concerns as part of this year’s statutory reauthorization of the FISA. Revising the bill is part of a highly contentious process more commonly referred to as Section 702.
The committee used the April 27 report as an opportunity to reassert its suggestion to modify FISA earlier this year.
“Given the difficulty in attributing a specific cyber actor, the lines between independent hacker and government cyber operator are often blurred,” the report states. “U.S. adversaries are consistently attempting to obfuscate their identity and location in order to evade detection. Unfortunately, current national security authorities are inadequate to counter the growing cyber threat.”
The report notes that this proposed change, which required an addition to the law’s “foreign power” definition, didn’t make the final proposal given “concerns that such a designation would dilute the key distinction between two different legal purposes: intelligence collection and law enforcement.”
The committee noted that while this concern is understandable, it fails to account for the changing threat environment as exemplified by Russia’s attempts to interfere in the U.S. election.
“Adding this new entity to the definition of ‘foreign power’ would permit the IC to target international cyber groups without having to connect that group to a foreign government or terrorist organization, so long as the cyber entity is threating US. national security or defense,” the report said. “Such an addition provides the IC with much needed flexibility and will help keep the United States ahead of its adversaries.”
This could mean hacking collectives or groups threatening U.S. security would then fall under the surveillance law’s purview.
The NSA has noted in the past that Section 702, among other things, is used to fight cyberthreats; however, little detail on that point has been provided.
“ODNI admits today that they are using section 702 for ‘cybersecurity.’ That is a topic that the Privacy and Civil Liberties Oversight Board did not study. We do not know anything about how selectors are chosen for cybersecurity, or what the resulting database of information looks like,” Jennifer Granick, Surveillance and Cybersecurity Counsel at the ACLU’s Project on Speech, Privacy and Technology, wrote in a post for the legal blog Just Security in April 2017.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.