US Cyber Watchdog Can’t Guarantee Security of Military Phone Network: Senator

US Cyber Watchdog Can’t Guarantee Security of Military Phone Network: Senator
Senator Ron Wyden (D-Ore.) speaks during a Senate Finance Committee hearing in the Dirksen Senate Office Building on Capitol Hill in Washington on Oct. 19, 2021. Mandel Ngan/Pool via Reuters
Efthymis Oraiopoulos
Updated:
0:00
The top U.S. agency for cyber security has no confidence in the safety of FirstNet, the nation’s military and first responders cellphone network, according to a letter written by Sen. Ron Wyden (D-Ore.) and published April 12 (pdf).

Wyden, a member of the Senate Intelligence Committee, expressed concerns about the fact that an expert from the Cybersecurity and Infrastructure Security Agency (CISA) told Wyden’s staff in a 2022 briefing that the agency had not seen the results of any cybersecurity audits conducted on the government-only network.

Wyden then called for the government to perform annual cybersecurity audits on the network.

The letter was addressed to the National Security Agency (NSA) and CISA, and copied to the Office of National Cyber Director, the Federal Communications Commission, and the Office of Management and Budget.

CISA declined to comment, saying it would respond to Wyden directly. The NSA did not immediately return messages seeking comment. An employee of FirstNet referred questions to AT&T Inc., which in turn referred questions to a FirstNet executive. The executive didn’t respond before press time.

Wyden’s letter mentions Signaling System No. 7 (SS7), a protocol used by telephone companies to exchange information with each other. The protocol was developed decades ago and is vulnerable to hackers or spies. A hacker or a foreign government could retrieve text messages or access sensitive information, according to FCC Chairwoman Jessica Rosenworcel, Wyden wrote.

According to Wyden, vulnerabilities involving SS7 were exploited to track people in the United States. Also, technology companies sell software that can exploit these vulnerabilities to “target phones anywhere in the world.”

“To date, the U.S. government has done little to force wireless carriers to fix these vulnerabilities, leaving Americans vulnerable to surveillance by hackers and foreign intelligence services,” Wyden said.

He called for the American government to force carriers to have a minimum cybersecurity standard, as other countries have done.

Agencies Questioned

The National Telecommunications and Information Administration informed Wyden’s office that the Commerce Department cannot share any information about independent audits of FirstNet—including whether any vulnerabilities discovered have been fixed—due to a nondisclosure provision in the contract it negotiated with AT&T.

AT&T was unwilling to share any information on the issue with CISA, NSA, other government agencies, or Congress, according to Wyden’s letter.

“Concealing vital cybersecurity reporting is simply unacceptable,” Wyden wrote.

“As the lead agencies responsible for the government’s cybersecurity, CISA and NSA need to have access to all relevant information regarding the cybersecurity of FirstNet and Congress needs this information to conduct oversight,“ he wrote. ”If the Department of Commerce is unable to share the results of the FirstNet audits commissioned by AT&T, CISA and NSA should conduct or commission their own annual audits and deliver the results to Congress and the FCC.”

Gary Miller, an expert on mobile network security with the University of Toronto-based Citizen Lab, said that Wyden’s concerns were well founded, adding that he too was worried by the “very troubling” opacity around audits.

The FCC, the White House, and the Office of Management and Budget did not respond to requests for comment before press time.

Reuters contributed to this report.
Efthymis Oraiopoulos
Efthymis Oraiopoulos
Author
Efthymis Oraiopoulos is a news writer for NTD, focusing on U.S., sports, and entertainment news.
Related Topics