It’s zero hour on 702

Dec 11, 2023

— With help from Jordain Carney and Maggie Miller

Driving the Day

— Ahead of a high-stakes vote on Tuesday, lawmakers, top officials and outside advocates are scrambling to sell the House on their pick of two bills to re-up a controversial spy tool. The X’s and O’s of either proposal could make all the difference.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! I spill a lot of words on FISA today. Bonus points to whoever spots the world’s most boring surveillance pun.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find Joseph (our now-vacationing MC host) on X at @JGedeon1 or email him at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.

Today's Agenda

Sen. Todd Young (R-Ind.), Rep. Bob Latta (R-Ohio) and FCC Commissioner Brendan Carr participate in a Center for Strategic and International Studies virtual discussion on 5G technology. Noon.

POLITICO AT CES® 2024: We are going ALL IN On at CES 2024 with a special edition of the POLITICO Digital Future Daily newsletter. The CES-focused newsletter will take you inside the most powerful tech event in the world, featuring revolutionary products that cut across verticals, and insights from industry leaders that are shaping the future of innovation. The newsletter runs from Jan. 9-12 and will focus on the public policy-related aspects of the gathering. Sign up today to receive exclusive coverage of the show.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

Surveillance

LET’S GET DOWN TO BUSINESS — Almost a full year since we started writing about the looming expiration of Section 702 of the Foreign Intelligence Surveillance Act, we’ve finally hit our first major fork in the road.

On Tuesday, the House will weigh radically different visions for the future of the surveillance program, with lawmakers set to make a do-or-die choice between brand-new bills — each approved overwhelmingly late last week — out of the Intelligence and Judiciary committees.

While the long-raging debate may have seemed set in stone, the release of the two bills sent D.C.'s policy and legal elite scrambling to scour either package in search of fatal defects — and then delivering briefings, penning letters and, yes, badgering reporters with grist they hope can tilt the high-stakes Tuesday referendum.

Here’s a breakdown of what will stick, what might and what probably shouldn’t.

What probably shouldn’t — On Friday, senior national security officials from the Biden administration briefed Democratic staffers on the myriad problems they see in the Judiciary Committee’s “catastrophic” bill, as I reported at the time.

But one concern that probably shouldn’t carry the day? A typo that would have short-circuited the legal foundation of Section 702 altogether. Russell Dye, a spokesperson for the Judiciary Committee, acknowledged to MC that the language included in that part of the bill — Section 21D — was a “just a typo.” He said it would be fixed before Tuesday.

But the bill's opponents don’t think the mishap should go completely forgotten. “How fundamentally does that speak to the hasty craftsmanship in the bill and the sense that this is not the right way to go about it?” a senior administration official, granted anonymity to talk openly about Section 702, told MC.

What might #1 — A little-noticed part of the HPSCI bill could greatly expand the range of business required to provide the government with communications data under Section 702, as a pair of lawyers first pointed out Friday.

Asked about that text — found in Section 504 of the bill — a staffer for the Intelligence Committee, granted anonymity to speak candidly about it, called the interpretation “wildly off.” While the exact justification remains classified, the individual said, it “relates to getting intelligence on high-priority foreign intelligence targets overseas, with no impact on Americans.”

The staffer also argued the executive branch shared the committee’s “extremely narrow” interpretation of Section 504, something the administration official seconded. But privacy advocates are clearly skeptical — and fired up. “There’s just no question that Section 504 creates a massive expansion in Section 702 surveillance,” Elizabeth Goitein, the senior director of the Brennan Center for Justice’s Liberty & National Security Program, told MC.

What might #2 — The Judiciary Committee bill would prevent U.S. law enforcement agencies from buying Americans’ data from third-party data brokers.

It's a popular idea among a wide swathe of Americans. But the politics behind it remain surprisingly complicated — in part because the data remains up for grabs to U.S. adversaries, and in part because many state and local law enforcement groups oppose it.

Expect the White House and its allies to lean heavily into the idea that it’s dangerous to slap one complex and disputed law on top of another — especially given how fast everything is unfolding. “That is a full project unto itself,” the senior administration official said.

What will — The House Judiciary bill would mandate that U.S. intelligence agencies acquire a warrant before searching through Section 702 data to suss out whether Americans are conspiring with — or being targeted by — foreign spies, terrorists and cyber criminals. Depending on how you see it, the proposal is the greatest asset — or biggest liability — of the bill.

Dye, the communications director, said the warrant is the only way to rein in the FBI, which has a history of violating internal guardrails meant to protect Americans’ privacy rights.

But the administration has argued for months that a warrant would dramatically undercut one of its most effective spy tools. And it will surely make that case tonight, when five of its most senior-ranking intelligence officials give a classified briefing on Section 702 to Democratic lawmakers.

It’s all on the line — Neither bill will become law exactly as is. But if nothing else, all the hair-splitting over them just goes to show how intense the vote 36 hours from now will be.

“Do we want to rein in, expand or leave Section 702 the same?” asked Jake Laperruque, the deputy director at the Center for Democracy and Technology, and a strong critic of the Intelligence panel’s proposal.

The senior administration official countered: “I can't emphasize strongly enough that the Judiciary Committee bill has elements that would be quite devastating for national security.”

On the Hill

CISA, CSRB GO UNDER THE MICROSCOPE — A pair of hearings on Tuesday will give lawmakers a chance to check the pulse of two important new DHS-led cyber policy projects.

Can CISA secure AI? — First, the House Homeland Security Committee’s cyber subcommittee will haul in four experts from the private sector to explore what DHS and CISA, a DHS component, can do to help prevent artificial intelligence from going off the rails.

Last month, CISA released a roadmap outlining how it plans to fulfill a range of new responsibilities under the Biden administration’s new executive order on AI. The document described five “lines of effort,” from protecting critical infrastructure against the malicious use of the breakthrough tech to embedding security into the design of AI systems.

Watch for lawmakers and witnesses to focus on the fifth line of effort: expanding AI expertise at CISA. Given the scarcity of AI skill generally, it stands to reason that both CISA and DHS will be hard-pressed to find, recruit and retain the top-tier talent needed to satisfy the EO.

Reviewing the reviewers — On Thursday, the Senate Homeland Security and Government Affairs Committee will hold a hearing on the Cyber Safety Review Board — the two-year old cyber incident review panel housed within DHS.

The Board has garnered strong feedback for its first two investigations: one into a ubiquitous open-source software bug that nearly brought down the internet, and another into a prolific teenage hacking gang that developed a playbook that continues to haunt some of the world’s wealthiest companies. But the CSRB is now probing the summer breach at the State and Commerce departments — an investigation that could put it on a collision course with Microsoft.

Is Microsoft cooperating? Can the humble CSRB really conduct an effective investigation into one of the world’s most powerful tech companies? The answers to those questions could be uncomfortable. Or, they could be spun to support the Biden administration’s recent pitch for Congress to codify and beef up the board.

At the Agencies

BE PREPARED — U.S. intelligence agencies are gearing up to protect next year’s national elections against potential cyber threats, an unfortunately common problem in recent elections, NSA and Cyber Command leader Gen. Paul Nakasone said Friday.

Nakasone noted that both agencies have “already stood up our election security group,” which is run by top officers from the NSA and Cyber Command, and is prepared to learn lessons from the last three federal elections during which Nakasone has led the agencies.

“We are going to rely on the methodology that we used in 2018, 2020 and 2022,” Nakasone said during a breakfast event hosted by the Intelligence and National Security Alliance. “We’re going to generate information, we’re going to share intelligence and information, and we’re going to take action … with a series of partners operating outside the United States.”

Nakasone, who took over the leadership role in 2018, warned of the evolution of threats to elections from nation-states in the past five years, expanding from a mainly Russia-centric issue to include Iran and China, both of which have been linked to efforts to interfere in elections around the world. Artificial intelligence technologies could also pose a potent threat, the general warned.

Tweet of the Weekend

Cyber experts are starting to feel the Christmas spirit:

Quick Bytes

FRIENDS ACROSS THE POND — Officials from the U.S. and the European Union met last week to bolster cybersecurity relations on numerous topics, including support for Ukraine, as part of the 9th U.S.-EU Cyber Dialogue.

FBI GUIDANCE ON BREACH REPORTING EXEMPTIONS — FBI has released guidelines for companies that opt to request national security delays before reporting breaches to the SEC under its new rule, as The Record’s Jonathan Greig and Martin Matishak report.

BINANCE, AN INVESTIGATOR’S BEST FRIEND? — Binance’s $4.3 settlement with the DOJ requires that it share years of crypto transaction data with regulators and cops — a potential “bonanza” for both, as Wired’s Andy Greenberg reports.

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).

JOIN WOMEN RULE ON 12/12: For centuries, women were left out of the rooms that shaped policy, built companies and led countries. Now, society needs the creativity and entrepreneurship of women more than ever. How can we make sure that women are given the space and opportunity to shape the world’s future for the better? Join POLITICO's Women Rule on Dec. 12 for Leading with Purpose: How Women Are Reinventing the World to explore this and more. REGISTER HERE.