From election security to the data security and privacy of millions of Americans, Sen. Ron Wyden, a senior member of the Senate Intelligence Committee, has been a key player in some of the most pressing cybersecurity policy showdowns on Capitol Hill. CyberScoop recently sat down with the Oregon Democrat for a frank discussion of the state of play on these issues.
CyberScoop: In June, some big phone companies said they would not share customer location data with several third parties after you drew attention to the issue. What’s next in this struggle for data privacy and security?
Sen. Ron Wyden: The carriers have now written me letters promising to clean it up. But I got to tell you, I think what we have to do is make sure that we have something that really can be enforced and has some teeth.
What I’m going to be saying is if the [Federal Communications Commission] does not move here and move in a hurry, I’m going to push for congressional action on this. And there would be ways in which you could, in effect, codify a real requirement that [the phone companies] not share this information, [that] there be consequences if they did — and consumer protections.
The reality is, this is just the tip of the iceberg because we have so much of our information — particularly [from] telephones — out in the open that part of what I’m going to be doing for the longer term is trying to make sure that we have a real enforceable regime of consumer protection for the entire ecosystem of companies that sell consumer data.
CS: Are you worried that data collection is too ingrained in the phone companies’ business model for them to effectively give up these practices?
RW: I’m certainly concerned that, absent real enforcement, these companies can say, “Hey, we got the PR out of it. We wrote a senator and said we’re not going to do it anymore. But you know, those people in Congress, they have the attention span of a tsetse fly, and they’ll move on to something else.”
So you bet. [But] people who know me know that that’s not the case.
CS: Another issue you’ve focused on is election security. Election Systems and Software (ES&S), a top voting-machine manufacturer, has conceded to you that it installed remote-access software in some of its election management systems from 2000 to 2006. What is the significance of that revelation, and how far are we from a clear public understanding of voting-equipment vendors’ security practices?
RW: These voting machine [vendors] just think they’re above the law. They have stonewalled and bobbed and weaved for years with their products. And the ES&S [response] is just the most outrageous because the letter basically says for five, six years, they were actually offering a product with remote access software — a tremendous gift to hackers and hostile foreign governments. [I]f you wanted to do something with similar impact, just go put our ballot boxes out on the streets of Moscow.
And I’m committed to reining [voting-equipment vendors] in. I’ve introduced a bill that requires paper ballots, it requires audits, and I’m really going to go to the mat for this.
These guys are milking a cash cow. There’s a lot of money in this. And I’ve taken on some cash cows, and we’re really going to go to the mat on this.
CS: The issue of so-called Stingrays — cell-tower simulators that can vacuum up caller data — became all the more intriguing after the Department of Homeland Security acknowledged to you in March that it had detected what appeared to be rogue Stingray in the D.C. area. How can these cheap and proliferating surveillance devices be combatted?
RW: We think [the FCC has] the clear authority to protect Americans’ telecommunications cybersecurity, and every time I’m out there raising hell to [FCC Chairman Ajit] Pai, he just shrugs it off.
The [Supreme Court] in the Carpenter [decision] held that the government needs a warrant to get location data from phone companies. But they really didn’t answer the question whether the government needs a warrant to use a Stingray. So, I have a bill on that, my GPS bill, that requires a warrant to use Stingrays. And given what happened in Carpenter, we’re going to update our bill to address the issues the court didn’t get into, including Stingrays, and location tracking — when the government gets less than a week of information from the phone companies – and a few other things.
This is real pick-and-shovel kind of work. And so often what we find is we start in a big hole and then we go out and really work [on] it so people really see what’s at stake.