Telecom Cybersecurity Transparency Act

Floor Speech

BREAK IN TRANSCRIPT

Mr. WYDEN. Mr. President, for several years now, I have urged the release of an unclassified report by independent cybersecurity experts that is titled ``U.S. Telecommunications Insecurity 2022.''

Congress and the American people deserve to be able to read this report. And I may be the only Senator who has read this report. This report contains shocking details--let me repeat that--shocking details about national security threats to our country's phone system that require immediate action.

The Cybersecurity and Infrastructure Security Agency permitted my staff to read the report at their office, and this was done in 2023. However, they have marked this unclassified report ``For Official Use Only'' and have refused to provide copies of the report to Congress or to make it public in response to Freedom of Information Act requests.

So I asked then-Director Easterly to release the report. When she didn't act on my request, I wrote to President Biden--that was in February of 2024--urging him to address the serious national security threat posed by foreign governments exploiting U.S. phone carriers' weak cybersecurity. The Biden administration took no action.

CISA's top telecommunications security expert was so concerned, he actually filed a whistleblower report with the Federal Communications Commission. He cited his access to nonpublic reports and other ``very concerning information,'' and told the Federal Communications Commission that ``there have been numerous incidents of successful, unauthorized attempts to access the network user location data of communications service providers operating in the USA.''

He added that foreign surveillance went beyond location tracking and included ``the monitoring of voice and text messages'' and ``the delivery of spyware to targeted devices.''

CISA's multiyear coverup of the phone companies' negligent cybersecurity enabled foreign hackers to perpetrate one of the most serious cases of espionage--ever--against our wonderful country. Had this report been made public when it was first written in 2022, Congress would have had ample time to demand mandatory cybersecurity standards for phone companies in time to prevent the Salt Typhoon hacks.

CISA and the Federal Bureau of Investigation have confirmed that the Chinese Government hacked multiple phone companies and accessed vast troves of sensitive call records. They even co-opted the system designed for law enforcement to conduct wiretaps and accessed phone calls of politicians and other high-value targets.

Vice President Vance said his communications and President Trump's were compromised in this hack. The press reported that then-Leader Schumer was also targeted. This espionage incident was the direct result--the direct result--of phone carriers' failure to follow cybersecurity best practices, such as installing security updates and using multifactor authentication.

I know the Presiding Officer is very interested in this technology area as well. This is Cybersecurity 101--101--and yet Federal Agencies failed to hold these companies accountable.

As far as I am aware, and I touched on this, I may be the only one in the Senate to have read this report. But the contents of the report directly impact Congress, both regarding the security of the Senate's communications and issues that have been the subject of prior Congressional oversight. When Chinese Government hackers broke into the major phone networks last year, their targets included several Senators.

The report also directly discusses issues that have been the subject of oversight by Senators. In 2021, I wrote to the Federal Communications Commission, with several of our colleagues, raising concerns about foreign companies remotely administering rural U.S. telecommunications carriers.

Our group said:

We are also concerned by media reports suggesting that managed service providers may be partnering with for-profit surveillance companies, creating the possibility that these companies could provide their authoritarian clients with trusted access to U.S. telecommunications networks.

I am going to close with this. None of these security vulnerabilities have been addressed--that is the bottom line--either by government or the private sector. The Federal Government still does not even require U.S. phone companies to meet minimum cybersecurity standards. So, in my judgment, we are sitting here now recognizing that it is too late to prevent the Salt Typhoon hack, but there sure is an urgency to prevent the next horrendous incident.

2480.
BREAK IN TRANSCRIPT

Source