Wyden pushes for information on federal agencies’ Zoom use, citing security concerns

Sen. Ron Wyden (D-Ore.) on Wednesday drilled the General Services Administration (GSA) over its ongoing approval of video conferencing app Zoom for government use, despite security vulnerabilities discovered by researchers. 

In a letter to acting GSA Administrator Katy Kale shared with The Hill, Wyden requested that the agency provide a copy of its “security package” detailing the decision by the GSA to approve Zoom for use by federal agencies through the Federal Risk and Authorization Management Program (FedRAMP).

“It is extremely concerning that after Zoom was cleared for government use by the General Services Administration in April 2019, security researchers discovered multiple serious vulnerabilities in the year that followed,” Wyden wrote. 

In light of the vulnerabilities, Wyden criticized the FedRAMP approval of Zoom for use first by U.S. Customs and Border Protection in 2019 and then for all other government agencies without allowing each agency to conduct their own security review of Zoom. 

“That researchers were able to discover so many serious security flaws in Zoom’s software after that software had been audited as part of the certification process for government use raised serious questions about the quality of FedRAMP’s audits,” Wyden wrote. 

“That is why in June 2020, I requested a copy of the security package provided by GSA to government agencies documenting the results of the audit and other relevant information regarding the steps taken to evaluate Zoom’s software,” he noted. “GSA refused my request. As there is now a new administration, and I now serve as Chairman of the Senate Committee on Finance, I am renewing the request.”

Zoom saw a huge spike in users during the COVID-19 pandemic, as Americans increasingly used the platform for school classes, work meetings and social gatherings. 

The company came under fire for a variety of security and privacy concerns in the early months of the pandemic, especially as “Zoom bombing” incidents increased. The incidents involved unauthorized users gaining access to meetings and disrupting them, often through indecent comments or photos. 

Zoom responded to the issues by implementing a range of security improvements, including end-to-end encryption on calls, the use of passwords and halting sharing data with Facebook last year. 

The GSA did not immediately respond to The Hill’s request for comment on Wyden’s concerns.

FedRAMP was established in 2011 to help facilitate the secure use of cloud technologies by federal agencies.