Wyden Calls out Lack of FCC Security Rules, Lax Cybersecurity by Telephone Companies and DOJ Failure to Hold Negligent Companies Accountable
Washington, D.C. — U.S. Senator Ron Wyden, D-Ore., pressed the Department of Justice (DOJ) and Federal Communications Commission (FCC) to stop hackers from breaching U.S. telephone and broadband companies’ wiretapping systems by setting mandatory security standards and doing more to hold companies accountable for negligent cybersecurity, in a letter today.
Wyden’s letter follows a report by The Wall Street Journal last week that suspected Chinese government hackers may have breached the wiretapping systems of major U.S. phone and broadband companies, including AT&T, Verizon, and Lumen Technologies. This breach could allow China to identify targets of U.S. government surveillance and spy on Americans.
In the letter to FCC Chair Jessica Rosenworcel and DOJ Attorney General Merrick B. Garland, Wyden wrote, “The recently reported hack of U.S. telecommunications companies’ wiretapping systems should serve as a major wake-up call to the government. The outdated regulatory framework and DOJ’s failed approach to combating cyberattacks by protecting negligent corporations must be addressed. The security of our nation’s communications infrastructure is paramount, and the government must act now to rectify these longstanding vulnerabilities.”
The Communications Assistance for Law Enforcement Act (CALEA) was enacted in 1994 to require phone companies to install and secure wiretapping systems, but the government never adopted mandatory cybersecurity standards. Cybersecurity experts warned that building wiretapping technologies into phone and internet companies would create vulnerabilities that would be prime targets for hackers and intelligence services. However, the FBI and FCC have both dismissed experts’ concerns over these cyber risks, resulting in serious harm to national security.
Wyden asked the FCC to:
- Initiate a rulemaking process to update the CALEA regulations to fully implement the system security requirements in the law.
- Establish baseline cybersecurity standards for telecommunications carriers, enforced by steep fines.
- Require independent, annual third-party cybersecurity audits.
- Require board-level cybersecurity expertise.
- Require senior executives to annually sign certifications of compliance with the cybersecurity standards.
Wyden asked DOJ to:
- Recognize the failure of its current approach to combating cyberattacks.
- Hold negligent corporations accountable rather than shielding and hiding information on data breaches from Congress, investors, and the public.
- Share information on corporate cyber negligence with federal regulators that have the authority to force the companies to address these security lapses.
- Prioritize corporate accountability for negligent cybersecurity over prosecuting foreign hackers who are almost never brought to justice.
The text of the letter is here.
###