Washington D.C. – U.S. Senator Ron Wyden, D-Ore., today called on the Biden Administration to address the threat posed by wireless carriers’ lax cybersecurity, which exposes U.S. citizens to surveillance by foreign governments. The letter to President Biden urges the administration to set minimum cybersecurity standards for carriers, and to direct government agencies to take further action to protect U.S. citizens and foreign journalists, dissidents, and human rights activists from surveillance by authoritarian foreign governments, like China, Russia, and Saudi Arabia, through companies that offer phone company hacking services.
“Surveillance companies and their authoritarian foreign government customers have exploited lax security in U.S. and foreign phone networks for at least a decade to track phones anywhere in the world,” Wyden said in his letter addressed to President Biden. “Authoritarian governments have abused these tools to track Americans in the United States and journalists and dissidents abroad, threatening U.S. national security, freedom of the press, and international human rights.”
Wyden detailed the vulnerability of wireless phone carriers: “These phone company hacking services exploit flaws in two obscure technologies, known as Diameter and Signaling System 7 (SS7). These two technologies are used by wireless carriers around the world to deliver text messages between phone companies, and for roaming by their customers traveling abroad. For the last decade, cybersecurity researchers and investigative journalists have highlighted how wireless carriers’ failure to secure their networks against rogue SS7 and Diameter requests for customer data has been exploited by authoritarian governments to conduct surveillance.”
“Effectively addressing this threat will require a whole-of-government effort, and diplomatic partnership with our allies. To that end, I urge you to direct the National Cyber Director to coordinate action among agencies and provide Congress with updates at least twice a year until this threat is meaningfully addressed,” Wyden concluded.
Wyden’s letter reveals that the Administration confirmed the existence of a gap in U.S. export control rules, which do not apply to surveillance services that are offered in the cloud and accessible via a web browser. That revelation builds on prior press reports highlighting that Chinese AI companies are exploiting gaps in U.S. export control law by renting AI chips by the hour from U.S. cloud computing companies.
The letter also highlights the existence of an unclassified report commissioned by the Cybersecurity and Infrastructure Security Agency in 2022, which the agency has refused to give to Wyden or to make public.
Finally, Wyden’s letter also reveals that the Swiss government has proposed that allied western countries control such surveillance services, through a recent proposal to the Wassenaar Arrangement.
In addition to urging the administration to regulate wireless carriers to protect U.S. citizens’ data, Wyden also recommended the following actions:
- Protect U.S. government employees by setting minimum cybersecurity standards.
- Protect Americans by directing the Federal Communications Commission (FCC) to set mandatory minimum cybersecurity standards for wireless carriers.
- Expand U.S. export rules to cover phone company hacking services so that U.S. companies selling such surveillance services to foreign governments must first seek U.S. government approval.
- Ensure that U.S. government agencies are not giving taxpayer money to surveillance mercenary companies that have enabled human rights abuse, by extending the restrictions on spyware companies to also apply to phone hacking services.
- Apply Global Magnitsky financial sanctions to foreign surveillance companies, denying them access to the U.S. financial system.
- Encourage other allied countries to regulate the sale of phone company hacking services.
Wyden has been the Senate’s foremost defender of Americans’ rights and smart policies on technology and security. This letter accompanies Wyden’s past calls for the FCC and phone companies to act on mobile phone network vulnerabilities caused by SS7. Wyden again called attention to this national security threat after remote SS7 attacks and spying near the White House were uncovered by the Department of Homeland Security as far back as 2018. Wyden has also called for annual cybersecurity audits of FirstNet, the AT&T-run cellular networks used by first responders and the military, to identify security weaknesses and protect national security.
The full text of the letter is here.