In a letter dated March 28, 2017, Senator Ron Wyden, D-Ore., and Representative Ted Lieu, D-Calif., urged the Federal Communications Commission (“FCC”) to address cybersecurity vulnerabilities in the cell phone industry, which the lawmakers said has thus far been unsuccessfully policing itself. The letter states that the industry has failed to protect itself effectively and has taken a “lax approach to cybersecurity” that requires the FCC to step in and take “swift action” to fill the gaps.
One of those gaps in cybersecurity protection, which involves Signaling System No. 7, or SS7, was highlighted in a report released earlier this month by a working group of the FCC’s Communications Security, Reliability and Interoperability Council (“CSRIC”). SS7 is an inter-carrier network that allows cell phones to communicate with each other and, for example, roam from one cell phone network to another. The interconnectivity of SS7 also presents major cybersecurity concerns because it may let hackers record phone calls and access a cell phone user’s information using only the user’s phone number.
Wyden’s and Lieu’s letter specifically identified SS7 as a cybersecurity threat and stated that vulnerabilities to mobile phones “are no less dangerous than those cybersecurity threats that receive far more attention from other government agencies.” The lawmakers stressed that “industry self-regulation isn’t working when it comes to telecommunications cybersecurity.”
The CSRIC working group suggested several methods to reduce exposure, including a layered approach to security and improved firewalls to stop SS7 attacks. The working group’s charter expired on March 18, and the lawmakers’ letter urged the FCC to establish a new CSRIC working group to explore broader security issues beyond the scope of the previous group’s mandate.
The letter said that the FCC can no longer afford to neglect cybersecurity threats and instead must (1) force the cellular industry to address serious cybersecurity vulnerabilities in its systems; (2) warn the American public that their movements, communications, and devices may be vulnerable to foreign governments and hackers; and (3) promote the use of end-to-end encryption apps, which can be used to mitigate some of the SS7 risks.