Technology

Senator demands telecom cybersecurity standards overhaul to curb abuses

Sen. Ron Wyden (D-Ore.) addresses reporters during a press conference on March 9, 2023, to discuss President Biden’s budget.

Sen. Ron Wyden (D-Ore.) sent a letter to President Biden and his Cabinet demanding wireless carriers’ cybersecurity standards be regulated as to not further exploit “lax security” in the United States’s phone networks.

“I write to request that you address the grave threats posed by wireless carriers’ lax cybersecurity practices, which are not regulated, but should be,” Wyden wrote in the letter. “Surveillance companies and their authoritarian foreign government customers have exploited lax security in the U.S. and foreign phone networks for at least a decade to track phones anywhere in the world.”

Wyden argued that authoritarian governments have abused tools to track Americans in the United States, and reporters and dissidents who are abroad, which has threatened the country’s national security, freedom of the press and international human rights.

The senator stated in his letter that surveillance technology companies sell access to phone hacking services, and foreign government customers can enter any phone number and track it, no matter where it is in the world.

“In contrast to spyware-based surveillance, these services do not interact with the target’s phone. Instead, they trick wireless carriers’ servers into revealing the information,” he wrote.

Google and Apple, the most popular operating systems, can’t track the services, and the tracking depends entirely on the security of a person’s wireless carrier, he said.

The phone hacking companies exploit flaws in two obscure technologies, known as Diameter and Signaling System No. 7 (SS7), he said. The two technologies are used by global wireless carriers for text messaging.

Wyden highlighted that several federal agencies have noted the serious threat SS7 surveillance poses, and the “importance of securing America’s communications networkers.” No official or agency has taken responsibility for the problem, and very little has been done to address it, he claimed.

Wyden accused the Cybersecurity and Infrastructure Security Agency of “actively hiding information from the American people” about the threat.

The senator said his staff was permitted to read an independently conducted report for the agency last fall, but it refuses to release the unclassified information “which includes details that are relevant to policymakers and Americans who care about the security of their phones.”

John Marinho, vice president of CTIA, a trade association representing the wireless communications industry, said he is proud of the collaboration with the U.S. government to enhance security and make the country’s wireless networks the most secure in the world.

“We appreciate that the Senator shares our goals of ensuring America’s wireless networks are secure and protecting consumers’ privacy,” he said in a statement to The Hill, adding that they’ve worked with federal agencies “hand-in-hand” for years.

Marinho said the organization is committed to working to keep the networks secure and that there “is no need for new and inflexible regulations or requirements to protect consumers.”

Wyden asked the Biden administration to work on the threat and provide Congress with updates twice a year until it’s meaningfully addressed, among several other requests for the government to ensure security for Americans’ wireless communication.