Wyden Releases Draft Legislation to Secure U.S. Phone Networks Following Salt Typhoon Hack
Secure American Communications Act Demands the FCC Issue Cybersecurity Regulations Required by Federal Law; Wyden Urges Senate to Pass Three Bills to Finally Protect U.S. Communications Against Foreign Hackers and Spies
Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., released a draft bill to secure U.S. phone and wireless networks, following the massive breach of the American telecommunications system by Chinese-government hackers.
Wyden’s Secure American Communications Act requires the Federal Communications Commission to fix its own failure to fully implement telecom security requirements already required by federal law. In 1994, Congress required telecom providers to design their systems to permit the government to obtain communications and call-identifying information with a court order or other lawful authorization. That law required providers to secure their systems from unauthorized interceptions, and gave the FCC the authority to issue regulations to implement this requirement. However, in the years since, the FCC has never fully implemented this provision.
“It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules,” Wyden said. “Telecom companies and federal regulators were asleep on the job and as a result, Americans’ calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security. Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies.”
Donald Trump, JD Vance and a host of other high-ranking officials were reportedly targeted as part of the hacking campaign. Call records, real-time phone calls and personal communications were all reportedly accessed as part of the hack.
The Secure American Communications Act is one of three proposals Wyden has released to shore up vulnerable American communications networks. Earlier this year, Wyden released legislation requiring the government to adopt secure communications software, which would have shielded officials’ texts and calls despite the phone network breach. He has also proposed bipartisan legislation to block the export of Americans’ personal information to unfriendly nations, making it more difficult for foreign spies to target Americans for hacking and spying.
“When the FBI and CISA warn consumers that they should use encrypted messaging apps to prevent hackers from accessing the content of their texts because of a massive incursion by Chinese hackers into U.S. telecommunications networks, it is past time to ensure that those networks are secure,” said Justin Brookman, Director of Technology Policy for Consumer Reports. “Consumer Reports supports the Secure American Communications Act and believes it is a good first step in securing the communications networks that American consumers rely upon every day.”
"The Salt Typhoon attack exposed huge vulnerabilities in our nation’s telecommunications infrastructure, but these problems were not a surprise. Much needs to be done to strengthen cybersecurity at telecom companies. The Secure American Communications Act is an important piece of securing our nation’s communications systems and EPIC is happy to support this legislation," said Caitriona Fitzgerald, Deputy Director of Electronic Privacy Information Center (EPIC).
The Secure American Communications Act would require the FCC to finally issue binding cybersecurity rules for telecommunications systems, including requiring telecom carriers to:
- Implement specific cybersecurity requirements as designed by the FCC, in consultation with the Director of CISA and the Director of National Intelligence, to prevent unauthorized interceptions by any person or entity, including by an advanced persistent threat (APT).
- Conduct annual testing to evaluate whether their systems are susceptible to unauthorized interceptions by any person or entity, including by an advanced persistent threat; take such corrective measures as indicated by the test; and document the findings and all corrective measures taken in response.
- Contract with an independent auditor to conduct an annual assessment of compliance with FCC cybersecurity rules; and document the audit findings, including areas of noncompliance.
- Submit annually to the FCC:
- the documentation from annual tests and audits.
- a written statement signed by the CEO and CISO (or equivalent) stating that the telecom carrier is in compliance with FCC cybersecurity rules.
View the one-pager here.
View the draft bill here.
###
Next Article Previous Article