US Cyber Watchdog Can’t Guarantee Security of Military Phone Network: Senator

A letter authored by Senator Ron Wyden (D-Ore.) dated April 12 (pdf) reveals that the US’s primary cyber security agency has no assurance of the security of FirstNet, the military and first responders’ cell phone network.

Senator Wyden, a Senate Intelligence Committee member, voiced his concern regarding the agency’s admission in a 2022 briefing that it had not been provided with the outcomes of cyber security audits carried out on the government-only network. As a result, Wyden urged the government to conduct annual cyber security audits on this network.

The letter, which was sent to the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), was also copied to other government offices, including the Office of National Cyber Director, the Federal Communications Commission, and the Office of Management and Budget.

Currently, CISA is refusing to comment, stating that it will address Wyden directly. Messages to the NSA have not yet been returned. Questions concerning the matter were referred by an employee of FirstNet to AT&T Inc., who in turn referred them to a FirstNet executive. At the time of publishing, the executive had also not replied.

The letter also noted that the Signaling System No. 7 protocol used by phone companies to exchange information with each other can be traced back decades and is susceptible to hacking or spying. Both hackers and foreign states could gain access to sensitive information or text messages. According to Wyden, these SS7 vulnerabilities were exploited to track people in the US, and technology companies sell software that can exploit these vulnerabilities to “target phones anywhere in the world.”

Wyden also called out the US Government for not doing enough to compel wireless carriers to deal with these vulnerabilities, making Americans vulnerable to hacking and foreign intelligence services’ surveillance. He urged the US Government to make it mandatory for carriers to address these security loopholes.