Cisa Caves To Wyden, Agrees To Release Us Telco Insecurity Report But Won’tsay When
The US Cybersecurity and Infrastructure Security Agency on Tuesday finally agreed to make public an unclassified report from 2022 about American telecommunications networks’ poor security practices.
“CISA intends to release the US Telecommunications Insecurity Report (2022) that was developed but never released under the Biden administration in 2022, with proper clearance,” CISA Director of Public Affairs Marci McCarthy said in an emailed statement to The Register.
“CISA has worked with telecommunications providers before, during, and after Salt Typhoon — sharing timely threat intelligence, providing technical support and continues to have close collaboration with our federal partners to safeguard America’s communications infrastructure,” the statement continued.
The agency declined to answer The Register‘s specific questions, including when it intends to release the contentious report.
The release of an unclassified, three-year-old document sounds like a minor deal. But this report has been the bane of US Senator Ron Wyden’s (D-OR) existence for years, and has put the nomination of would-be CISA boss Sean Plankey in limbo for months.
Senator Wyden intends to keep his hold in place until CISA has released the report
Wyden, back in April, blocked Plankey’s nomination in an attempt to force the report’s release. This tactic worked for the Democrat from Oregon back in 2018 when he put a hold on Trump’s first CISA director nominee, Chris Krebs, until Homeland Security agreed to hand over information about surveillance on Americans’ mobile devices.
This time around, the feds have pushed saying anything about the document’s release right up to the 11th hour, with the Senate Homeland Security and Governmental Affairs Committee scheduled to vote on Plankey’s nomination during a Wednesday meeting.
And on Monday, the full Senate, without any dissenting votes, passed legislation to require CISA to release the report within 30 days of being signed into law. The bill still needs US House approval and must be signed by President Trump before it takes effect.
Wyden says he’s not lifting his block on Plankey’s nomination just yet.
“CISA has not told Sen. Wyden’s office when they plan to release the report, or explained what ‘proper clearance’ means,” the senator’s deputy policy director Keith Chu told The Register. “Senator Wyden intends to keep his hold in place until CISA has released the report.”
“There was unanimous support for releasing that report in the Senate last night, and Sen. Wyden intends to keep pushing until Americans are able to see the threats to the phone system for themselves,” Chu said.
Wyden, a senior member of the Senate Intelligence Committee, has been urging CISA to release the report since July 2022. While America’s lead cyber-agency finally allowed the senator’s staff to read the missive in 2023, the full document has yet to be disclosed to the public.
“Congress and the American people must read this report,” Wyden told his fellow senators ahead of the Monday vote. “It includes frankly shocking details about national security threats to our country’s phone system that require immediate action.”
American carriers’ weak security poses a threat to national security — and prompted one of CISA’s lead telecommunications security experts to file a whistleblower report with the Federal Communications Commission. Wyden said of the whistleblower:
Citing his access to non-public reports and other ‘very concerning information,’ the CISA official told the FCC that ‘there have been numerous incidents of successful, unauthorized attempts to access the network user location data of communications service providers operating in the USA.’ He added that foreign surveillance went beyond location tracking and included the monitoring of voice and text messages and ‘the delivery of spyware to targeted devices.’
What Wyden describes as “CISA’s multi-year cover up of the phone companies’ negligent cybersecurity” also enabled China’s Salt Typhoon cyberspies to hack into telecom companies’ networks in “one of the most serious cases of espionage — ever — against our country,” the senator said.
“Had this report been made public when it was first written in 2022, Congress would have had ample time to require mandatory cybersecurity standards for phone companies, in time to prevent the Salt Typhoon hacks,” according to Wyden.
How these and other Beijing-backed spies managed to break into US government and telecommunications networks and maintain their footholds inside the companies’ systems was also the subject of a Cyber Safety Review Board (CSRB) investigation prior to the board’s dissolution on the day President Trump resumed office.
Last week, US Senator Maria Cantwell (D-WA) demanded that Google-owned incident response firm Mandiant hand over the Salt Typhoon-related security assessments of AT&T and Verizon that, according to the lawmaker, both operators have thus far refused to give Congress. ®
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
