By Raphael Satter
WASHINGTON (Reuters) – America’s cybersecurity watchdog has no confidence that the cellular network used by American first responders and the military is secure against digital intrusions, U.S. Senator Ron Wyden said in a letter released Wednesday.
The letter from the Oregon Democrat, a member of the intelligence committee, was addressed to the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA). It concerns FirstNet, a dedicated mobile network for public safety officials such as emergency workers, firefighters and law enforcement.
Wyden’s staff was told by an unidentified CISA expert last year that “they had no confidence in the security of FirstNet, in large part because they have not seen the results of any cybersecurity audits conducted against this government-only network,” the letter said, arguing that it was time for the authority to share its internal audits with CISA, NSA and Congress.
CISA declined to comment, saying it would respond to Wyden directly. NSA did not immediately return messages seeking comment. An employee of FirstNet, which was built by AT&T Inc, referred questions to the telecommunications company, which in turn referred questions to a FirstNet executive. The executive didn’t immediately return messages late on Tuesday.
Wyden’s letter makes reference to Signaling System No. 7 (SS7), a decades-old protocol that allows international cellular networks to exchange information – for example when cell phone users are roaming. The protocol can easily be abused, security experts say, allowing spies or hackers to intercept text messages or pinpoint users’ real-time locations.
Although the security problems with SS7 are well-documented, Wyden said the lack of clarity around the safety measures at FirstNet – which was set up in the wake of the Sept. 11, 2001 attacks to provide a robust line of communication for first responders – was particularly worrying.
“These security flaws are also a national security issue, particularly if foreign governments can exploit these flaws to target U.S. government personnel,” his letter said.
Gary Miller, an expert on mobile network security with the University of Toronto-based Citizen Lab, said that Wyden’s concerns were well founded, adding that he too was worried by the “very troubling” opacity around audits.
Wyden called on FirstNet to share any security audits with the NSA and CISA or – alternatively – for the government to commission audits of its own.
The Federal Communications Commission, the White House, and the Office of Management and Budget – all of whom were copied on the letter – did not immediately respond to requests for comment.
(Reporting by Raphael Satter; Editing by Jamie Freed)