US Senator Blasts Lax SS7 Security; Asks Biden to Impose Standards and to Sanction Comms Spies Worldwide

Ron Wyden, Senator for the US State of Oregon, has written to President Joe Biden to call for sweeping reforms of how the government ensures the privacy of phone users. A statement on the Senator’s website begins by calling on Biden to…

…address the threat posed by wireless carriers’ lax cybersecurity, which exposes U.S. citizens to surveillance by foreign governments. The letter to President Biden urges the administration to set minimum cybersecurity standards for carriers, and to direct government agencies to take further action to protect U.S. citizens and foreign journalists, dissidents, and human rights activists from surveillance by authoritarian foreign governments, like China, Russia, and Saudi Arabia, through companies that offer phone company hacking services.

Wyden’s concerns focus on the abuse of SS7 and Diameter signaling by spies-for-hire. Their requests look like the routine queries for subscriber data that networks exchange in order to serve mobile phones, but they are actually used to monitor a user’s activities on behalf of a government or organized crime. There is wide appreciation within the telecoms sector that protocols like SS7 were designed on the assumption that telcos can trust each other, and that this trust is exploited by bad actors who obtain access to networks. Only modest steps have been taken towards closing some of the back doors that bad actors have opened, including Deutsche Telekom promising to be the first major telco to honor a new industry code of conduct for global title leasing. Wyden wants to accelerate the pace of change by mandating minimum security standards for US mobile operators and by using the USA’s sophisticated sanctions regime to punish the spy-for-hire companies dotted around the planet.

The Senator warns the President about the failings of US telcos right from the very outset.

I write to request that you address the grave threats posed by wireless carriers’ lax cybersecurity practices, which are not regulated, but should be.

The spies that have infiltrated networks sell their espionage services for profit, and their location does not limit who they can spy upon.

Surveillance technology companies sell access to phone company hacking services, through which their foreign government customers can enter any phone number and track the device associated with it, wherever it is in the world.

Wyden refers to the comprehensive research into the abuse of network signaling.

For the last decade, cybersecurity researchers and investigative journalists have highlighted how wireless carriers’ failure to secure their networks against rogue SS7 and Diameter requests for customer data has been exploited by authoritarian governments to conduct surveillance.

Only telcos can prevent this form of surveillance.

…these services cannot be detected or prevented by Google and Apple — which make the most popular Android and iOS mobile operating systems — nor by third-party security tools installed on a phone. Whether or not a given person can be surveilled using such services depends entirely on the security of their wireless carrier.

Wyden says the onus is on government to demand security.

There is a simple reason for the wireless industry’s failure to protect subscribers, including federal agencies: the U.S. government has failed to set minimum cybersecurity standards for wireless carriers like AT&T, T‑Mobile, and Verizon. The FCC, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) have all acknowledged the serious threat of SS7 surveillance and of the importance of securing America’s communications networks. Yet no official or agency has taken responsibility for this problem, and consequently, very little has been done.

Wyden also criticizes CISA for not transparently pursuing a solution.

In addition to not taking responsibility for this problem, CISA is actively hiding information about it from the American people. The agency commissioned an independent expert report on this topic in 2022 which it permitted my staff to read at CISA’s office in the fall of 2023. CISA refuses to publicly release this unclassified report, which includes details that are relevant to policymakers and Americans who care about the security of their phones.

The letter then proposes a six-point plan, beginning with the tightening of the government’s own security.

First, to protect U.S. government employees from surveillance by foreign governments, the Office of Management and Budget (OMB), in consultation with CISA and NSA, should establish minimum cybersecurity standards for wireless services purchased by federal agencies.

Wyden calls for the Federal Communications Commission to set standards on behalf of the public, and demonstrates some awareness of the need for better visibility of who gains access to signaling infrastructure through the leasing of global titles.

…the FCC should exercise its authority to establish minimum cybersecurity requirements for U.S. wireless carriers and aggregators that deliver SS7 and Diameter messages to and from carriers. The FCC should also require companies buying access to SS7 and Diameter by leasing Global Titles to comply with registration and know your customer requirements.

The UK’s Telecommunications Security Code is cited as an example that the USA should copy, and Wyden wants compliance with any new standards to be independently assessed each year. Such assessments of signaling security should involve red teams emulating the methods used by bad actors. Wyden then shifts focus to preventing the supply of comms surveillance services through trade controls.

Third, to prevent the abuse by foreign governments of phone company hacking services offered by American companies, such as Florida-based Titan-Geo and California-based SS8, the Department of Commerce’s Bureau of Industry and Security (BIS) should expand U.S. export rules to cover phone company hacking services. BIS informed my office by email on January 10, 2022, that while exports of some surveillance software and hardware are restricted and require a license from the U.S. government, software that is remotely controlled through a web browser is not.

Wyden wants to extend the remit of a 2023 Presidential order that prohibits the US government from using commercial spyware.

Fourth… you should expand the scope of Executive Order 14093 so that the same restrictions that you created for spyware companies also apply to firms that sell phone company hacking services.

Wyden also wants spy-for-hire businesses to be hit with Magnitsky sanctions, a form of sanction that targets specific perpetrators of human rights violations and acts of corruption by denying them the ability to purchase goods and services from American businesses.

Specifically, the government should sanction the major players in this industry, including Circles, Cognyte, the Rayzone Group and Defentek. The government should also investigate for potential sanctions FlowLive and Inno Networks, two foreign telecommunications companies that press reports have alleged are fronts for surveillance companies.

Finally, Wyden wants the US to use its diplomatic resources to foster broad international collaboration on tackling these issues.

…BIS and the Departments of State and Defense should support efforts at the Wassenaar Arrangement — a multi-country forum for collaboration on export controls — to regulate phone company hacking services.

Wyden stands out as the Senator who knows most about the use of comms networks to undermine privacy, and is the most eager to stop it happening. He does not always get the support he needs. The current US President does not have an exemplary record when it comes to protecting individuals from unjustified surveillance, and it was only a few months ago that Wyden criticized Biden’s administration for using obscure channels to fund potentially illegal surveillance enabled by AT&T’s excessive hoarding of data. But even if Wyden does not get immediate success, he has laid down an important marker. He has identified credible steps to inhibit network signaling surveillance. The US government should act on Wyden’s advice, as should any other government that wants its people to be free.

A summary of Wyden’s letter to Biden about network signaling surveillance, together with the complete text of the letter, can be found on his website.

Eric Priezkalns (http://revenueprotect.com)

Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), an association of professionals working in risk management and business assurance for communications providers. RAG was founded in 2003 and Eric was appointed CEO in 2016.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press.
