Last month, Rep. Eshoo (D, CA) introduced HR 1123, the Understanding Cybersecurity of Mobile Networks Act. The bill would require the Department of Commerce to prepare a report to Congress that examines “the cybersecurity of mobile service networks and the vulnerability of such networks and mobile devices to cyberattacks and surveillance conducted by adversaries.” The bill authorizes $500,000 for the preparation of this report.
NOTE: The GPO print of this bill is now available.
Definitions
Section 2(g) of the bill defines eight key terms used in the legislation, two of which are defined by reference to existing statute. The key technical term used in this bill is ‘mobile service’, the two components of which are defined in 47 USC.
The Report
Section 2(b) outlines the matters that DOC is expected to address in the report. These include:
An assessment of the degree to which providers of mobile service have addressed, are addressing, or have not addressed cybersecurity vulnerabilities identified by academic and independent researchers, multistakeholder standards and technical organizations, industry experts, and Federal agencies,
A discussion of the degree to which customers (including consumers, companies, and government agencies) consider cybersecurity as a factor when considering the purchase of mobile service and mobile devices,
A discussion of the commercial availability of tools, frameworks, best practices, and other resources for enabling such customers to evaluate cybersecurity risk and price tradeoffs,
A discussion of the degree to which providers of mobile service have implemented cybersecurity best practices and risk assessment frameworks,
A discussion of the barriers for providers of mobile service to adopt more efficacious encryption and authentication algorithms and techniques and to prohibit the use of older encryption and authentication algorithms and techniques with established vulnerabilities in mobile service, mobile communications equipment or services, and mobile phones and other mobile devices,
An estimate and discussion of the prevalence, usage, and availability of technologies that authenticate legitimate mobile service and mobile communications equipment or services to which mobile phones and other mobile devices are connected,
An estimate and discussion of the prevalence, costs, commercial availability, and usage by adversaries in the United States of cell site simulators (often known as international mobile subscriber identity catchers) and other mobile service surveillance and interception technologies.
The report is also specifically required to include an estimate and discussion of the prevalence and efficacy of encryption and authentication algorithms and techniques used in each of the following:
Mobile service,
Mobile communications equipment or services,
Commonly used mobile phones and other mobile devices, and
Commonly used mobile operating systems and communications software and applications.
The bill would specifically preclude DOC from the consideration of 5G protocols and networks in the report. The report would be produced in unclassified form with a classified annex. The legislation would also require DOC to “redact potentially exploitable unclassified information from the report required by subsection (a) but shall provide an unredacted form of the report to the committees described in such subsection”.
Moving Forward
As I mentioned this morning, the House is scheduled to take up the bill tomorrow under the suspension of the rules process. This means that there will be limited debate, no floor amendments will be allowed, and a supermajority will be required for passage. The House leadership generally schedules bills under this process when they expect there to be substantial bipartisan support for the bill. The bill was not taken up by the Energy and Commerce Committee, to which it was assigned for consideration.
It is obvious that the House leadership considers this bill to be important enough to move the bill forward this quickly, and without committee consideration. It is unclear if the Senate will have the same appreciation of the bill’s import. This bill is not significant enough to be considered under regular order, but the leadership could attempt to bring it forward under the unanimous consent process.
Commentary
With the increasing use of mobile network communications in geographically distributed control systems, I am disappointed that the crafters of this legislation did not include specific mention of this technology in the scope of the report. I would have added a new paragraph in §2(b):
(8) An estimate and discussion about the prevalence of the use of mobile technology in geographically distributed control systems such as pipelines, power distribution systems, positive train control systems and traffic control systems, including the cybersecurity risks associated with that use.
It is interesting to see the crafters of this bill include an authorization for $500 thousand (not million or billion). Typically, such a small amount of money is beneath the notice of Congress. But, with the Republicans in the House threatening to defund any program that does not specifically have funding authorized by Congress, I suspect that we are going to see more bills with similar authorization levels. This is probably a good thing, since it makes people aware of the cost of government.
Finally, I am disturbed that this bill specifically tells DOC to ignore potential security issues with 5G mobile service. While 5G is still being ‘introduced’ in some areas of the country, it is in widespread use. Large portions of the public are rapidly moving to 5G phones, so any security issues will potentially affect more and more people. By the time it becomes the ‘standard’ cell service, those early security issues that are being ignored by DOC at congressional behest will be affecting real people and businesses.
The whole point of requiring a report to Congress is to provide legislators with the information that is necessary to craft effective legislation. Giving Congress the tools necessary to craft 4G mobile security rules is the classic case of closing the barn door after the animals have run off.