Wyden Requests Annual Cybersecurity Audits of Phone Network For First Responders and Military Personnel

Given Documented Vulnerabilities in Mobile Phone Networks, Wyden Calls on NSA and CISA to Study Cybersecurity of the FirstNet Network

Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., called for annual cybersecurity audits of the federal government’s cellular network used by first responders and the military, in order to identify security weaknesses that could be exploited by criminals and foreign governments

Cybersecurity experts have called for upgrades to U.S. phone networks for years, due to security weaknesses in the systems used to exchange information between different carriers’ networks, known as SS7 and Diameter. These security flaws can be exploited to track phones, intercept calls and texts, and deliver spyware. As the press has previously reported, several surveillance companies openly sell products that exploit these flaws to governments around the world. 

In the letter, Wyden revealed that a cybersecurity expert at the Cybersecurity and Infrastructure Security agency (CISA) informed Senator Wyden’s office last year that those vulnerabilities may also affect the mobile network known as FirstNet, which is operated by AT&T under contract with the federal government for the military and first responders. According to that official, CISA had no confidence in FirstNet’s security, because AT&T and FirstNet have been unwilling to share the results of security audits with CISA.

“These security flaws are also a national security issue, particularly if foreign governments can exploit these flaws to target U.S. government personnel. I am particularly concerned about FirstNet, the phone network for first responders and the military, which is operated by AT&T under contract with the U.S. government. In a briefing on February 11, 2022 focused on this issue, CISA’s subject matter expert told my staff that they had no confidence in the security of FirstNet, in large part because they have not seen the results of any cybersecurity audits conducted against this government-only network,” Wyden wrote to the leaders of CISA and the National Security Agency (NSA). 

The National Telecommunications and Information Administration informed Sen. Wyden’s office that the Commerce Department cannot share any information about independent audits of FirstNet – including whether any vulnerabilities discovered have been fixed – due to a nondisclosure provision in the contract it negotiated with AT&T. 

“Concealing vital cybersecurity reporting is simply unacceptable,” Wydenwrote. “As the lead agencies responsible for the government’s cybersecurity, CISA and NSA need to have access to all relevant information regarding the cybersecurity of FirstNet and Congress needs this information to conduct oversight. If the Department of Commerce is unable to share the results of the FirstNet audits commissioned by AT&T, CISA and NSA should conduct or commission their own annual audits and deliver the results to Congress and the FCC.”

The full letter is here.

A web version of this release is here