Rep. Ted Lieu, D-Calif., and Sen. Ron Wyden, D-Ore., sent a letter to Federal Communications Commission Chairman Ajit Pai last week requesting that the agency take concrete steps to plug serious vulnerabilities in U.S. mobile phone networks.
“The continued existence of these vulnerabilities–and the industry’s lax approach to cybersecurity–does not just impact the liberty of Americans, it also poses a serious threat to our national and economic security,” they wrote. “As such, the FCC must take swift action to address fundamental security threats to our mobile phones, which are no less dangerous than those cybersecurity threats that receive far more attention from other government agencies.”
In particular, the letter addresses vulnerabilities in Signaling System 7 (SS7), a commonly used cell interconnection system in which multiple security researchers have found cybersecurity weaknesses. The FCC’s Communications Security, Reliability, and Interoperability Council (CSRIC) was tasked with examining the SS7 vulnerabilities last year, and released a report on March 15, 2017.
Though the letter acknowledges the CSRIC report as a good first step in addressing cell vulnerabilities, it notes that the FCC has not yet taken action on the working group’s recommendations, and that the CSRIC charter expired on March 18, 2017.
“We urge you to establish a new CSRIC working group and to expand its scope to examine the remaining issues that were not previously explored,” the letter said.
FCC officials have stated in the past that their statutory role is limited when it comes to data privacy issues in similar areas, such as Internet service providers. The letter acknowledges FCC’s reluctance to regulate data security issues, stating that “cybersecurity has not traditionally been a regulatory priority for the FCC.” However, the letter continues that allowing the cellular industry to police itself has led to continued vulnerabilities and unaware consumers.
“It is clear that industry self-regulation isn’t working when it comes to telecommunications cybersecurity,” the congressmen wrote. “We urge you to take swift action in this area in three ways. First, by forcing the cellular industry to address these serious cybersecurity vulnerabilities. Second, by warning the American public that their movements, communications, and devices may be vulnerable to foreign governments and hackers. And third, by promoting the use of end-to-end encryption apps, which, as the CSRIC working group stated, can be used to mitigate some of the SS7 risks.”
Lieu and Wyden also sent a letter on the SS7 vulnerability to the Department of Homeland Security on March 15, 2017, requesting that the department answer questions by the end of March about what resources they have allocated to the threat and what assistance the wireless carrier industry has provided. As of publication, DHS has not responded to that letter, according to Lieu’s staff.