CCIA’s Don’t Break What Works Campaign to Congress, Administration: Don’t Weaken U.S. Cybersecurity

Washington, D.C. (04/14/2022) – While concerns about cybersecurity continue to mount, some members of Congress are focused on passing the American Innovation and Choice Online Act (S. 2992), legislation that targets U.S. tech companies and that would make American user data vulnerable to certain foreign competitors.

Read more:

“At a time when our elected leaders in Washington should be strengthening U.S. national security and supporting the innovative American companies that protect our online infrastructure and data, some members of Congress are pushing legislation that would undermine our country’s cybersecurity goals,” said Chandler Smith Costello, a spokeswoman for the Don’t Break What Works Campaign, about the danger S. 2992 poses to Americans’ privacy and data security. 

Since S. 2992’s introduction, defense experts have been ringing the alarm bell, and members of Congress have voiced their concerns about the effects this bill would have on our national security.

S. 2992 would reduce American national security capabilities by: 

  • forcing American digital services to share user data and interoperate with foreign firms unless those firms are on sanctions lists or are labeled as a national security risk. Many bad actors including fraudsters and counterfeiters will likely not be on any government sanctions lists or sanctioned by the U.S. national security apparatus.
  • targeting American companies, but leaving Chinese companies, like Baidu and Alibaba, and Russian firms, including Yandex, untouched, hurting American competitiveness on the world stage.
  • forcing American firms to provide foreign companies with access to sensitive user data. 

What others are saying: 

  • Senator John Cornyn: “China, as we know, wants access to American consumer and business information. They are a vacuum cleaner when it comes to hoovering up data. Chinese companies, under this bill, would likely have the right to interoperate with the American platforms and have access to the features and the business data that are proprietary for these businesses.”
  • Tatyana Bolton and Brandon Pugh, R Street Institute: “On the whole, it is difficult for security experts to encourage resilience and diligence for platforms and networks along with the uptake of strong cybersecurity practices. It is even harder to convince businesses that cyber risk is a business risk, or encourage them to develop products with security in mind. While this is not a strict cybersecurity bill, it adds obstacles and restrains the application of security safeguards by platforms, which creates adverse incentives. This bill would punish companies with a business model that focuses on security. From a policy perspective, we should encourage—not discourage—more companies to include more stringent security for all products, especially software that is sold at scale to millions of users. Forced interoperability, narrow requirements and obstacles for security updates through requirements for affirmative defense, as well as patchy security exclusions, create a recipe for weaker cybersecurity and should be reconsidered, amended or removed before any further movement on this legislation.”
  • Graham DuFault, The App Association: “Limiting the universe of bad actors subject to removal to those that appear on lists ‘maintained by the Federal Government’ is laughably inadequate and irresponsible cybersecurity policy. The new language only protects token cybersecurity activity, shielding platforms if they rely on the lists of prohibited persons and businesses from the federal government. Cybercriminals adapt quickly and take a variety of measures to prevent detection. Requiring platforms to wait for threat identification and addition to a federal government list gives criminals an enviable new advantage and would expose consumers to a fresh wave of new threats that mobile devices can easily avoid at present.”
  • Klon Kitchen, American Enterprise Institute and Jamil Jaffer, National Security Institute: “Foreign tech companies will not be bound by these rules and so, if passed, S.2992 will hamstring American companies while leaving global competitors with greater agility. This bill is about more than a few U.S. tech companies being brought down a peg; it’s about us voluntarily ceding critical technological and economic advantage to countries like China at a time when leading in key technologies and tech markets is critical for our nation’s long-term thriving.” 

The Don’t Break What Works campaign is powered by the Computer and Communications Industry Association (CCIA). Learn more here