Wyden, a member of the Senate Intelligence Committee, expressed concerns about the fact that an expert from the Cybersecurity and Infrastructure Security Agency (CISA) told Wyden’s staff in a 2022 briefing that the agency had not seen the results of any cybersecurity audits conducted on the government-only network.
Wyden then called for the government to perform annual cybersecurity audits on the network.
The letter was addressed to the National Security Agency (NSA) and CISA, and copied to the Office of National Cyber Director, the Federal Communications Commission, and the Office of Management and Budget.
CISA declined to comment, saying it would respond to Wyden directly. The NSA did not immediately return messages seeking comment. An employee of FirstNet referred questions to AT&T Inc., which in turn referred questions to a FirstNet executive. The executive didn’t respond before press time.
Wyden’s letter mentions Signaling System No. 7 (SS7), a protocol used by telephone companies to exchange information with each other. The protocol was developed decades ago and is vulnerable to hackers or spies. A hacker or a foreign government could retrieve text messages or access sensitive information, according to FCC Chairwoman Jessica Rosenworcel, Wyden wrote.
According to Wyden, vulnerabilities involving SS7 were exploited to track people in the United States. Also, technology companies sell software that can exploit these vulnerabilities to “target phones anywhere in the world.”
“To date, the U.S. government has done little to force wireless carriers to fix these vulnerabilities, leaving Americans vulnerable to surveillance by hackers and foreign intelligence services,” Wyden said.
Agencies Questioned
The National Telecommunications and Information Administration informed Wyden’s office that the Commerce Department cannot share any information about independent audits of FirstNet—including whether any vulnerabilities discovered have been fixed—due to a nondisclosure provision in the contract it negotiated with AT&T.AT&T was unwilling to share any information on the issue with CISA, NSA, other government agencies, or Congress, according to Wyden’s letter.
“Concealing vital cybersecurity reporting is simply unacceptable,” Wyden wrote.
“As the lead agencies responsible for the government’s cybersecurity, CISA and NSA need to have access to all relevant information regarding the cybersecurity of FirstNet and Congress needs this information to conduct oversight,“ he wrote. ”If the Department of Commerce is unable to share the results of the FirstNet audits commissioned by AT&T, CISA and NSA should conduct or commission their own annual audits and deliver the results to Congress and the FCC.”
Gary Miller, an expert on mobile network security with the University of Toronto-based Citizen Lab, said that Wyden’s concerns were well founded, adding that he too was worried by the “very troubling” opacity around audits.
The FCC, the White House, and the Office of Management and Budget did not respond to requests for comment before press time.