Senator demands security audits for emergency cell network used by first responders

The emergency phone network used by first responders and the military is vulnerable to attack, Oregon Sen. Ron Wyden (D) warned Tuesday.

In a letter to the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), Wyden demanded annual cybersecurity audits of the AT&T-backed network FirstNet due to previously uncovered vulnerabilities in the system that allow “criminals and foreign governments … to track mobile users.”

FirstNet is used by emergency workers, firefighters and law enforcement across the country to communicate during crises. The federal government was inspired to create the system after the September 11 terrorist attacks and contracted AT&T to finish building it in March 2017. All 50 states and two territories joined the wireless broadband network in December 2017.

Wyden said that in a February briefing about the issue, “CISA’s subject matter expert told my staff that they had no confidence in the security of FirstNet, in large part because they have not seen the results of any cybersecurity audits conducted against this government-only network.”

Wyden said AT&T and the Commerce Department are refusing to share completed independent audits of FirstNet with CISA, NSA, Congress and other government agencies.

AT&T declined to comment and the Commerce Department did not respond to requests for comment.

FirstNet said it prioritized cybersecurity when the emergency network was created, and it continues to be a top priority. "The FirstNet Authority performs robust and ongoing cybersecurity reviews of the network and will continue to work with its contractor, AT&T, as well as our public safety and federal partners, to deliver a highly secure, reliable network for America’s first responders," it said.

The Commerce Department’s National Telecommunications and Information Administration (NTIA) reportedly told Wyden’s office that it is unable to share the results of the audits of FirstNet because it is “bound by a non-disclosure provision in the contract it negotiated with AT&T.”

The contract bars NTIA and FirstNet from sharing how often AT&T commissions the audits, what the results were and whether the vulnerabilities found have been fixed.

“Concealing vital cybersecurity reporting is simply unacceptable. As the lead agencies responsible for the government's cybersecurity, CISA and NSA need to have access to all relevant information regarding the cybersecurity of FirstNet, and Congress needs this information to conduct oversight,” Wyden said.

“If the Department of Commerce is unable to share the results of the FirstNet audits commissioned by AT&T, CISA and NSA should conduct or commission their own annual audits and deliver the results to Congress and the FCC [Federal Communications Commission].”

Wyden also criticized CISA for failing to provide his office with a copy of a 2022 report on the security of telecommunications channels which the agency had said it is conducting.

CISA declined to comment on the letter, telling The Record that it “will respond directly to the Senator.”

Much of the letter is focused on the general insecurity of phone networks overall, citing past reports from both CISA and the FCC spotlighting efforts by hackers and foreign actors to spy on U.S. residents through the exploitation of vulnerabilities.

Wyden specifically highlighted vulnerabilities in SS7 and Diameter – two systems that telephone companies use to share information with each other. The FCC told Congress in 2019 that vulnerabilities in the SS7 system can be used to “track mobile users, intercept calls and texts, and even steal sensitive information available on devices.”

Wyden cited a report from the Department of Homeland Security that said "all U.S. carriers are vulnerable to these exploits, resulting in risks to national security, the economy, and the Federal Government’s ability to reliably execute national essential functions."

In 2018, Wyden said he wrote a letter to the FCC about a carrier that informed his staff of reported data breaches involving SS7 vulnerabilities and the tracking of people in the U.S.

“To date, the U.S. government has done little to force wireless carriers to fix these vulnerabilities, leaving Americans vulnerable to surveillance by hackers and foreign intelligence services,” he said.

The senator urged the FCC “address this market failure and protect Americans’ privacy” by moving beyond “studies and voluntary recommendations.”

Wyden said the FCC needs to issue new regulations forcing the carriers to meet minimum cybersecurity standards akin to what several other countries have done.

“These security flaws are also a national security issue, particularly if foreign governments can exploit these flaws to target U.S. government personnel,” he said.