Can Congress do anything to address SS7 risks? Some say yes

Politicians are becoming increasingly aware of and concerned about cybersecurity issues.  One need look no further than two recent letters written by Senator Ron Wyden (D-Ore), senior member of the Senate Intelligence Committee, and Representative Ted Lieu (D-Calif.).  Both are leading congressional advocates for stronger cybersecurity and privacy measures.

The first letter was sent on March 15, 2017 to John Kelly, Secretary of Homeland Security.  The second letter was sent on March 28, 2017 to Ajit Pai, Chairman of the Federal Communications Commission.  The letters focus on the specific risks introduced by Signaling System 7 (SS7), suggesting that the executive branch may not be moving fast enough to address this risk, and asserting, among other things, that the "FCC has not to date, prioritized cybersecurity."

SS7 is a set of 1970s-era protocols used by most of the world's telephone networks.  Its original purpose was to establish and disconnect calls made over the public switched telephone network (PSTN).  Today, SS7 protocols are used in providing a broad array of mobile device services, including global roaming and SMS text messaging.

In early 2006, a major flaw in the SS7 protocol was exposed, one that allows sophisticated hackers to intercept cell phone conversations, data and text messages.  This led the FCC to open an investigation into the SS7 flaw, and, on March 15, 2017, an expert report commissioned by the FCC, the Communications Security, Reliability and Interoperability Council (CSRIC) V working group 10 Final Report (“Final Report”), confirmed that bad actors, including criminals, hackers, and foreign countries, could readily exploit a number of SS7 vulnerabilities to track, surveil and hack Americans' mobile phones. (For a copy of the Final Report, go to https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf).

The letter to DHS is an unambiguous statement of Congress' concern that DHS is failing to adequately warn the public about the threats posed by SS7 surveillance.  The letter asserts that "most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones."  Sen. Wyden and Rep. Lieu also question whether DHS is devoting sufficient resources to protecting private and public sector communications.

The FCC letter raises concerns similar to those raised by the DHS letter, stating that "the American people have largely been kept in the dark about the fact that their calls, texts and movements are vulnerable to spying by foreign governments and hackers."  It then notes several other concerns, among them that "5G networks may be as vulnerable."  Importantly, the FCC letter references with approval a number of the recommendations set forth in the Final Report.  Specifically, Wyden and Lieu urge the FCC to (1) force cellular carriers to take action on these issues; (2) warn the American public about the risks they face; and (3) promote the use of end-to-end encryption to protect voice communications and message content.

It appears that Congress is waking up to the risks posed by systemic flaws in the American telecommunications network, and is demanding more action from the executive branch in securing that network and protecting consumer privacy. This is a positive development that should be encouraged.

Co-authored with Daniel Garrie, Executive Editor, Journal of Law and Cyberwarfare