[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
BOLSTERING DATA PRIVACY
AND MOBILE SECURITY:
AN ASSESSMENT OF IMSI CATCHER THREATS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
JUNE 27, 2018
__________
Serial No. 115-68
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
30-878PDF WASHINGTON : 2018
-----------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma            EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California        ZOE LOFGREN, California
MO BROOKS, Alabama                  DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois            SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                 AMI BERA, California
THOMAS MASSIE, Kentucky             ELIZABETH H. ESTY, Connecticut
RANDY K. WEBER, Texas               MARC A. VEASEY, Texas
STEPHEN KNIGHT, California          DONALD S. BEYER, JR., Virginia
BRIAN BABIN, Texas                  JACKY ROSEN, Nevada
BARBARA COMSTOCK, Virginia          CONOR LAMB, Pennsylvania
BARRY LOUDERMILK, Georgia           JERRY McNERNEY, California
RALPH LEE ABRAHAM, Louisiana        ED PERLMUTTER, Colorado
GARY PALMER, Alabama                PAUL TONKO, New York
DANIEL WEBSTER, Florida             BILL FOSTER, Illinois
ANDY BIGGS, Arizona                 MARK TAKANO, California
ROGER W. MARSHALL, Kansas           COLLEEN HANABUSA, Hawaii
NEAL P. DUNN, Florida               CHARLIE CRIST, Florida
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
DEBBIE LESKO, Arizona
------
Subcommittee on Oversight
RALPH LEE ABRAHAM, Louisiana, Chair
BILL POSEY, Florida                 DONALD S. BEYER, JR., Virginia
THOMAS MASSIE, Kentucky             JERRY McNERNEY, California
BARRY LOUDERMILK, Georgia           ED PERLMUTTER, Colorado
ROGER W. MARSHALL, Kansas           EDDIE BERNICE JOHNSON, Texas
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
LAMAR S. SMITH, Texas
C O N T E N T S
June 27, 2018
Witness List
Hearing Charter
Opening Statements
Statement by Representative Ralph Lee Abraham, Chairman,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives
Written Statement
Statement by Representative Eddie Bernice Johnson, Ranking
Member, Committee on Science, Space, and Technology, U.S. House
of Representatives
Written Statement
Statement by Representative Donald S. Beyer, Jr., Ranking Member,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives
Written Statement
Witnesses:
Dr. Charles H. Romine, Director, Information Technology
Laboratory, National Institute of Standards and Technology
Oral Statement
Written Statement
Dr. T. Charles Clancy, Director, Hume Center for National
Security and Technology, Virginia Tech
Oral Statement
Written Statement
Dr. Jonathan Mayer, Assistant Professor of Computer Science and
Public Affairs, Princeton University
Oral Statement
Written Statement
Discussion
Appendix I: Answers to Post-Hearing Questions
Letter submitted by Representative Ralph Lee Abraham, Chairman,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives
Articles submitted by Representative Donald S. Beyer, Jr.,
Ranking Member, Subcommittee on Oversight, Committee on
Science, Space, and Technology, U.S. House of Representatives
BOLSTERING DATA PRIVACY
AND MOBILE SECURITY:
AN ASSESSMENT OF IMSI CATCHER THREATS
----------
WEDNESDAY, JUNE 27, 2018
House of Representatives,
Subcommittee on Oversight
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to call, at 2:17 p.m., in
Room 2318 of the Rayburn House Office Building, Hon. Ralph
Abraham [Chairman of the Subcommittee] presiding.
Chairman Abraham. The Subcommittee on Oversight will come
to order. Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time.
Good afternoon and welcome to today's hearing entitled
``Bolstering Data Privacy and Mobile Security: An Assessment of
IMSI Catcher Threats.''
I recognize myself for five minutes for an opening
statement.
Good afternoon again. Welcome to today's Oversight
Subcommittee hearing ``Bolstering Data Privacy and Mobile
Security: An Assessment of IMSI Catcher Threats.'' The purpose
of today's hearing is to examine the threats that IMSI catchers
and other similar technologies pose to mobile security and user
privacy.
IMSI catchers and rogue base stations, commonly known by
their brand name ``Stingray,'' are devices used for
intercepting cellular traffic and data. Today we will hear from
government and academic experts about the basics of the
technology, the ways in which it can be used by both legitimate
and illegitimate actors, and potential methods to mitigate the
risks these devices pose.
Regrettably, although they were invited, the Department of
Homeland Security, DHS, declined to provide a witness today and
instead provided a briefing to Members and staff last week.
While this was helpful in giving some context to the matter, it
was no substitute for a public discussion on such a serious
issue. It would have been substantially more helpful for DHS to
have been present today, to be part of the dialogue, inform the
American public, and answer questions about their work in this
area. With that said, I would like to thank our witnesses for
participating today and taking time out of their schedules to
testify on this very important matter.
Historically, the use of IMSI catcher technology has been
limited to law enforcement, Department of Defense, and
intelligence services. This was due in large part to the high
cost of acquiring the equipment. However, as sophisticated
technologies have become more commonplace and advances in
manufacturing have made the production of highly technical
products easier and cheaper, IMSI catcher technology and
nefarious actors looking to exploit it have been proliferated.
While awareness is important, it is simply not enough to
acknowledge an issue that needs to be addressed. Instead, we
must also gain an understanding of the technology--the nature
of the technology, the complexity of the technology, and the
disruptive ability like IMSI catchers challenge, and the
challenges they present. This is a responsibility the Committee
takes seriously, and one which the Committee has a long history
of meeting through vigorous oversight of emerging forms of
research and technology. I believe today's hearing will yet add
another important chapter to that history.
As with much of technology in the modern age, IMSI catchers
are a double-edged sword. On one hand, when used for legitimate
law enforcement purposes, these technologies have the potential
to positively impact society in a substantive and meaningful
way. The ability to covertly track a suspect or intercept their
data has the potential to help law enforcement coordinate safer
arrests and certainly put more criminals behind bars, keeping
our men and women in uniform, as well as our communities, safe.
However, as we have seen with many new technologies and law
enforcement tools, striking the appropriate balance between
safety and privacy is not always easy. Just this past week, the
Supreme Court ruled in Carpenter v. United States that cell
phone location records are protected under the Fourth
Amendment, previously a legal grey area. While this ruling does
not purport to apply to real-time data tracking, the type IMSI
catcher technology could provide, it raises the question of
what the appropriate balance is between protecting privacy and
empowering law enforcement to do their job.
Similarly, we must consider what defenses we can and should
employ to protect our privacy and national security. IMSI
catcher technology is ripe for exploitation by foreign nations
seeking to spy on American government officials and is likely
already being used to do so. The cryptographic standards and
methods used to protect U.S. government officials and important
government information are something the National Institute of
Standards and Technology is well positioned to produce, but
this too creates a dilemma.
As we saw with the San Bernardino terrorist's iPhone,
sophistication--sophisticated encryption meant to protect user
data and privacy brings with it a set of different, but no less
consequential, issues. In the case of IMSI catcher
technologies, to what degree should the general public be able
to shield themselves from being caught in a foreign
intelligence operation? To what degree might techniques meant
to shield data from prying eyes prevent law enforcement from
doing their jobs? How much privacy should we trade for security
at the civilian and governmental levels? These are fundamental
questions that must be asked.
While I doubt we will hear an easy answer to these
questions during today's hearing, we will hear informed
perspectives from our witnesses on these and other important
questions. It is my hope that we will leave here not only with
a better understanding of this technology, but with forward-
looking thoughts about possible answers to, and solutions for,
these tough questions. Again, I want to thank our witnesses for
agreeing to be here to highlight this important topic.
[The prepared statement of Chairman Abraham follows:]
Chairman Abraham. At this time, I'd ask unanimous consent
that we include in the record the letter--I've got it here--
that was sent to the Subcommittee this morning by the
Electronic Privacy Information Center, or EPIC. Although I'm
not sure I agree with the entirety of their statement, we will
include this letter in the record.
[The information appears in Appendix I]
Chairman Abraham. I now recognize Ranking Member of the
Full Committee, Ms. Johnson, for an opening statement.
Ms. Johnson. Thank you very much, Chairman Abraham.
Cell-site simulators, also known as Stingrays, or IMSI
catchers, is a technology that can be used to locate cellular
devices and possibly intercept voice calls, text messages, and
data communications from the cellular device. It is a valuable
tool for our law enforcement and intelligence communities.
It is also, undoubtedly, a technology used by foreign
intelligence services operating here in the United States.
Indeed, the genesis of today's hearing were recent press
reports that a Department of Homeland Security pilot program
found rogue cell sites throughout Washington, D.C., including
near the White House, FBI headquarters, and the Pentagon.
It is clear that foreign intelligence agencies are seeking
to use cell-site simulators to collect intelligence on federal
officials. What are we as a government doing to counter this
particular threat? Unfortunately, neither the Department of
Homeland Security nor the Federal Bureau of Investigation is
here today to help provide some answers to these questions.
It is also unfortunate that President Trump appears to be
taking no safeguards to protect himself from these cyber
threats, and the Science Committee has taken no steps to use
our oversight authority to investigate the White House's lack
of cybersecurity precautions that we expect all other federal
agencies to follow. I reiterate that Mr. Beyer's call and his
statement and request that we hold a hearing on this subject in
the near future.
I am glad though to have our witness panel here today, who
can provide us with advice on what Congress should be doing to
protect federal officials and federal agencies from cell-site
simulators that exploit our cybersecurity vulnerabilities,
particularly those that impact our national security interests.
Cell-site simulator technology also has implications for
the privacy of Americans, as a law enforcement operation
utilizing a cell-site simulator could be gathering data from
thousands of nearby innocent citizens. In Baltimore, for
instance, police used this technology without obtaining a
warrant thousands of times in violation of the Fourth Amendment
of the U.S. Constitution regarding an unreasonable search. Last
week, the U.S. Supreme Court weighed in on this issue requiring
police to obtain a warrant to gather cell phone location data.
However, their decision did not specifically apply to cell-site
simulators. So, it is unclear how these key privacy issues will
be addressed by law enforcement agencies in the future.
I am glad Dr. Jonathan Mayer from Princeton University--a
lawyer and a computer scientist--is here today. He is uniquely
qualified to speak on these important privacy issues, as well
as the wider implications of this technology and the dangers it
poses to our national security and our privacy. I look forward
to hearing from him and other witnesses about how we can
protect our national security and the privacy of our citizenry
from attack by these rogue cell sites and other cyber threats
that can target our mobile devices.
Thank you, Chairman Abraham, and thanks all of our
witnesses for being here.
[The prepared statement of Ms. Johnson follows:]
Chairman Abraham. Thank you, Ms. Johnson.
I now recognize the Ranking Member of the Oversight
Subcommittee, the gentleman from Virginia, Mr. Beyer, for an
opening statement.
Mr. Beyer. Thank you, Chairman Abraham, very much, and
thank you for your initiative to create this hearing.
Cell-site simulators, or IMSI catchers, pose risks to both
our national security and our personal privacy. These devices
are about the size of a laptop computer and can be placed in a
van, hotel room, drone aircraft, or operated by someone sitting
on a park bench. These rogue cell stations masquerade as
legitimate cell towers and gather the data of cell phones in
their proximity. They are powerful tools employed by both
friendly and hostile intelligence agencies, criminals and
others. They also play an important role in the operations of
U.S. law enforcement and the U.S. intelligence community.
However, U.S. law enforcement agencies have not always obtained
appropriate authorization from the courts before they have
employed these tools against suspected criminals, and this has
led to improper incursions into the private lives of hundreds
of American citizens.
Last week, the Supreme Court ruled that the government must
now obtain a warrant when collecting cell phone data in certain
cases. The court found, and I quote, ``A cell phone faithfully
follows its owner beyond public thoroughfares and into private
residences, doctor's offices, political headquarters, and other
potentially revealing locales. Accordingly, when the government
tracks the location of a cell phone it achieves near perfect
surveillance, as if it had attached an ankle monitor to the
phone's user.'' However, the court added that it was a narrow
ruling, specifically stating, ``We do not express a view on
matters not before us: real-time CSLI, Cell-Site Location
Information, or tower dumps.'' Unfortunately, it seems the
constitutionality of cell-site simulator use by law enforcement
agencies without a warrant remains unsettled.
Rogue cell-site simulators have not only affected our
privacy, but they have endangered our national security. Last
year, a Department of Homeland Security pilot project
identified several rogue cell-site simulators near the White
House and Pentagon, raising the specter of foreign intelligence
agencies using IMSI catchers to target senior U.S. government
officials right here in our Nation's Capital.
Ironically, at the same time we are holding an oversight
hearing on the threat to mobile security of these sorts of
rogue cell sites, President Trump continues to ignore basic
cybersecurity practices. This has created a threat not only to
his own personal privacy but also to our national security. A
headline from a CNN story in April read, ``Trump ramps up
personal cell phone use.'' In May, POLITICO summed up the
President's attitude towards the cybersecurity issues we're
discussing today. The headline read ``Too Inconvenient--Trump
Goes Rogue on Phone Security.'' And making matters worse,
President Trump recently said that he provided his direct phone
number to North Korean dictator Kim Jong-un. Doing this has
opened up an additional threat known as a Signaling System
Seven, or SS7, attack that may permit access to President
Trump's personal cell phone remotely by North Korean
intelligence operatives. Earlier this month, WIRED magazine
published a story with the headline ``Trump Says He Gave Kim
Jong-un His Direct Number. Never Do That.''
I am attaching all three articles to my statement.
Ongoing use of a reportedly unsecure cell phone by the
President of the United States raises serious cybersecurity
issues that this Committee should be examining. The Majority's
Oversight Plan said the Science Committee would investigate
cybersecurity incidents and compliance with ``federal
information security standards and guidelines'' ``regardless of
where they may be found.'' Let me repeat, quote, ``regardless
of where they may be found.'' I wrote to Chairman Smith with
Ranking Member Johnson and Mr. Lipinski in February of this
year pointing out numerous cybersecurity practices of serious
concern at the White House that warranted investigation.
Unfortunately, we have not yet seen efforts by this Committee
to uphold its oversight responsibilities to the American public
and investigate these issues.
My good friend Chairman Abraham, I am asking you again,
let's look at holding this hearing and investigating the
potential threat by holding--by rogue cell-site simulators, but
while we do this, we can't ignore the specific threats within
blocks of the White House and President Trump's own failure to
abide by cybersecurity best practices.
You know, in January 2018, the White House Chief of Staff
Kelly banned the use of personal cell phones in the West Wing
by White House employees. Yet, multiple media stories have
continued to report that the President refuses to give up his
personal cell phone or take proper cybersecurity measures to
help identify and diminish cybersecurity threats. The President
should not be held to a different standard than the rest of the
federal government and our Committee should help the Executive
Branch protect Mr. Trump from foreign adversaries, even if the
President won't.
So I look forward to hearing from all of our witnesses
today who help us explore ways to enhance our cybersecurity. It
is unfortunate we don't have anyone from DHS or the
telecommunications, but I hope we will be able to hear from
them in the future. Successfully addressing these issues is
going to take a collective effort and a continued commitment
from a wide range of stakeholders.
Thank you, Chairman Abraham, and I yield back.
[The prepared statement of Mr. Beyer follows:]
Chairman Abraham. And now I will introduce our witnesses.
Our first witness is Dr. Charles H. Romine, director of the
Information Technology Laboratory at NIST. Dr. Romine joined
NIST in 2009 as an associate director for the program
implementation. In November 2011, Dr. Romine became the
director of Information Technology Laboratory at NIST. Dr.
Romine received both his bachelor of arts degree in mathematics
and his Ph.D. in applied mathematics from the University of
Virginia. Welcome.
Dr. T. Charles Clancy, our next witness, he is the director
of Virginia Tech's Hume Center for National Security and
Technology. Dr. Clancy has worked with Virginia Tech since 2010
as a professor. Prior to that he worked at the National
Security Agency from 2000 to 2010. He holds a bachelor's degree
in computer engineering from Rose-Hulman Institute of
Technology, and a master's degree in electrical engineering
from the University of Illinois, Urbana-Champaign. Dr. Clancy
also received a doctorate from the University of Maryland,
College Park, in computer science.
Dr. Jonathan Mayer, our last witness, assistant professor
at Princeton University's Department of Computer Science, and
the Woodrow Wilson School of Public and International Affairs.
Dr. Mayer previously worked for Senator Kamala Harris as a
technology advisor in 2017. Prior to that he worked for the
Federal Communications Commission Enforcement Bureau as a chief
technologist from 2015 to 2017. He holds a bachelor's degree in
public and international affairs from Princeton University. Dr.
Mayer also received his juris doctorate and Ph.D. from Stanford
University.
I now recognize Dr. Romine for five minutes to present his
testimony.
TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,
INFORMATION TECHNOLOGY LABORATORY,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Dr. Romine. Chairman Abraham, Ranking Member Beyer, Ranking
Member Johnson, and Members of the Subcommittee, I am Charles
Romine, director of the Information Technology Laboratory at
the National Institute of Standards and Technology, known as
NIST. Thank you for the opportunity to appear before you today
to discuss our role in mobile device security.
In the cybersecurity realm, NIST has worked with federal
agencies, industry, and academia since 1972, and NIST's role
has been expanded to research, develop, and deploy information
security standards and technology to protect the federal
government's information systems against threats, as well as to
facilitate and support the development of voluntary industry-
led cybersecurity standards and best practices for critical
infrastructure.
Today, I'd like to talk about our work related to rogue
base stations and the NIST Special Publication 800-187, Guide
to LTE Security, released in December 2017.
Rogue base stations are unlicensed, cellular devices that
are not owned or operated by a duly-licensed mobile network
operator. They're known by many names, such as cell-site
simulators, Stingrays, or International Mobile Subscriber
Identity, or IMSI, catchers. Rogue base stations act as a cell
tower and broadcast a signal pretending to be a legitimate
mobile network that may trick an individual's device into
connecting to it. The necessary hardware to build a rogue base
station is inexpensive, easily obtained, and the software
required is freely available.
Rogue base stations exploit the fact that mobile devices
will connect to whichever base station is broadcasting as a
device's preferred carrier network and is transmitting at the
highest power level. Therefore, when a rogue base station is
physically near a mobile device that is transmitting at higher
power levels than the legitimate antenna, the device may
attempt to connect to that malicious network.
The threats from rogue base stations can come from their
performing a passive attack, known as IMSI catching. This
attack collects mobile device identities without the user's
knowledge. It poses a significant threat to user privacy and
security and safety because a malicious actor can determine if
a subscriber is in a given location at a given time.
Unfortunately, IMSI catching is no longer an advanced or
complex attack only accessible to a small number of
individuals.
A more advanced attack that can be executed using a rogue
base station is a type of man in the middle attack in which a
malicious actor can force a user to downgrade to an older and
less secure mobile network technology, such as 2G or 3G, that
exposes that user to less robust security protections that
exist in older versions of mobile networks, tricking the device
into connecting to the rogue base station.
A complex denial of service attack can occur when a mobile
device first connects to a network when certain messages can be
sent to a device by a rogue base station, essentially fooling
the device into the equivalent of airplane mode. This can
cause a denial of service that may persist until a hard reboot
is done.
Since 2012, NIST has been working in cybersecurity aspect
of telecommunications, focusing on 4G LTE networks used by
public safety. This work enabled NIST to develop the guide to
LTE security, which serves as a guide to the fundamentals of
how LTE networks operate. It explores the LTE security
architecture, and it provides an analysis of the threats posed
to LTE networks and supporting mitigations. The guide is
intended to educate federal agencies and other organizations
that rely on 4G LTE networks as part of their operational
environment.
NIST has been an active participant in the working group of
the Standards Development Organization responsible for security
and privacy of 3G and 4G LTE, and recently, 5G. Active
participation with the mobile network ecosystem developing
security standards for future networks is an important way NIST
works to address security vulnerabilities in mobile networks
today.
Security standards for 5G are, in fact, seeking to address
issues surrounding rogue base stations through the introduction
of optional privacy functionality. Once this functionality
standard is developed for future networks, its implementation
by mobile network operators will have the potential to
eliminate the threat of today's passive sniffing IMSI catchers.
In addition, the use of the optional security settings and next
generation 5G technologies will go a long way to mitigate the
usage of rogue base station technology.
Much work still needs to be done to ensure secure
deployments. NIST will continue its research and development in
the security of telecommunications, the publication of
guidelines and best practices, and our work with international
standards bodies and technical committees.
Thank you for the opportunity to testify on NIST's work
regarding telecommunications security, and I will be pleased to
answer any questions you may have.
[The prepared statement of Dr. Romine follows:]
Chairman Abraham. Thank you, Romine--Dr. Romine.
All right, I now recognize Dr. Clancy for five minutes to
present his testimony.
TESTIMONY OF DR. T. CHARLES CLANCY,
DIRECTOR, HUME CENTER FOR NATIONAL SECURITY AND TECHNOLOGY,
VIRGINIA TECH
Dr. Clancy. Chairman Abraham, Ranking Members Beyer and
Johnson, Subcommittee Members, my name is Charles Clancy and I
am a professor of electrical and computer engineering at
Virginia Tech where I direct the Hume Center for National
Security and Technology. My current research sits at the
intersection of 5G wireless, the internet of things,
cybersecurity, and artificial intelligence. Prior to joining
Virginia Tech, I led a portfolio of wireless research and
development programs at the National Security Agency.
It is my distinct pleasure to address this Committee on
topics of critical national importance.
Security of wireless infrastructure is critical. These
devices, wireless base stations, and core network
infrastructure are a key part of our critical infrastructure
ecosystem. While each generation of cellular technology
improves security and privacy, the backward compatibility
challenge means that even if we deploy highly secure 5G
networks, most phones can still connect to insecure 2G
networks, even though many of the national carriers in the
United States have already decommissioned their 2G
infrastructure.
This mixture of old and new technologies means that
insecurity will always be part of the cellular ecosystem.
Combatting threats to wireless network infrastructure requires
a risk management approach that constantly evaluates potential
vulnerabilities, observes threats, engineers countermeasures,
and communicates best practices.
Specifically with respect to IMSI catchers, as we've heard,
IMSI catchers, also known as Stingrays, have come to symbolize
a wide range of different cellular surveillance technologies.
Rogue base stations, a particular class of surveillance
technology, also known as a cell-site simulator, are devices
that act like cell towers. 2G technology is particularly
susceptible to these threats because authentication in 2G is
weak and the encryption has been cracked. 2G rogue base
stations are able to lure a phone into connecting, eliciting
that phone's identity, also known as IMSI, prevent it from
disconnecting, query the phone's precise GPS location, and in
certain cases, intercept voice, data, and SMS content. 3G and
4G rogue base stations are less capable because the underlying
standards are more secure; however, they are still able to
elicit a phone's identity.
Earlier this year, 5G adopted a proposal known as IMSI
encryption, which prevents 5G rogue base stations from
successfully eliciting a phone's identity, which was seen
generally as a very positive step forward.
Rogue base stations can be used for a variety of
applications, but are most commonly associated with IMSI
catching. They interact with a phone for a few milliseconds to
learn the phone's identity, and then pass that phone back to
the real network.
Another class of device is a more generic cell phone
interception system. These devices are purely passive. They
don't transmit anything. They don't pretend to be a cell tower.
However, particularly for 2G standards, which have been
cracked, they are able to intercept in bulk voice, SMS, and
data traffic that is traversing those networks. For 3G and 4G
networks that are protected by stronger encryption, there are
much fewer capabilities that are possible.
However, these technologies can be used together, for
example, in conjunction with a jammer. Imagine jamming the 3G
and 4G signal spectrum, which causes a phone to downgrade to
2G, and then is vulnerable to the widest range of potential
attacks. So these downgrade attacks undermine the improved
security features that we see in the newer cellular standards.
So with respect to closing the gap, 2G, in my opinion,
represents one of the weakest links. The weak encryption and
authentication is a major security challenge with modern cell
phones. And interestingly, carriers have already decommissioned
much of the 2G infrastructure here in the United States. So if
carriers were able to push policies to phones that would
prevent phones from connecting to vulnerable 2G networks, this
would go a long way into addressing this issue. Currently
iPhones lack the ability to do this, and with Android phones,
you have to know a secret number to type in that results in a
secret diagnostic menu that allows you to change this setting.
Not exactly user-friendly, and I think with improved user
interfaces and making this the default, we would make users
much more secure.
As we think about downgrade--sort of the decommissioning of
2G, we have to be careful though. Many rural networks still
rely on 2G, and there are many devices from vehicle telematics
to home alarm systems that rely on 2G networks to provide
connectivity.
Lastly would be is if we do want to try and identify the
tech and track rogue base stations, it's important to
understand the motivation for doing so. There certainly are
telltale signs that a base station is a rogue base station, and
phones are able to differentiate that with a variety of
hardware and software modifications. Also there are standards
within the cell phone networks that would allow cell phone
carriers to be able to track rogue base station activity. In
fact, the new 5G security standards makes a specific
recommendation about how this data can be used.
However, when we consider this, we must consider to what
end we seek to track down these base stations, to notify the
user, to notify the carrier, and if so, how that data should be
used.
So looking forward, I recommend the Subcommittee consider
the following: first, as 2G network infrastructure is
decommissioned, phones should not prefer 2G in any
circumstances; next, individuals who are likely targets of
foreign intelligence should use phones that meet the needed
security countermeasures; and finally, if you do seek to track
down IMSI catchers, first address to what end and how that data
will be used.
Thank you for the opportunity to address the Subcommittee
today, and I look forward to your questions.
[The prepared statement of Dr. Clancy follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you, Dr. Clancy.
Dr. Mayer, five minutes.
TESTIMONY OF DR. JONATHAN MAYER, ASSISTANT PROFESSOR
OF COMPUTER SCIENCE AND PUBLIC AFFAIRS,
PRINCETON UNIVERSITY
Dr. Mayer. Chairman Abraham, Ranking Member Beyer, Ranking
Member Johnson, and Members of the Subcommittee, thank you for
the opportunity to address cell-site simulators and the broader
topic of communication security and privacy at today's hearing.
These issues were central to my recent service as chief
technologist of the Federal Communications Commission
Enforcement Bureau. They have been an essential component of my
computer science and legal research.
In last week's groundbreaking Carpenter v. United States
decision, the Supreme Court recognized that ``Cell phones and
the services they provide are such a pervasive and insistent
part of daily life that carrying one is indispensable to
participation in modern society.'' The private sector, the
public sector, and the American people all depend on our
communications infrastructure. The security and privacy
safeguards for that infrastructure have not kept pace with its
growing importance to the Nation. Our communications networks
have significant cybersecurity vulnerabilities that could be
exploited by criminals and foreign adversaries. And when law
enforcement agencies seek to conduct investigations using
wireless technology, the applicable federal law is imprecise,
outdated, likely unconstitutional, and leaves police
departments in legal limbo.
In this brief opening statement, I will focus on security
and privacy risks associated with cell-site simulators. My
written testimony highlights several other areas of
cybersecurity vulnerability, including insecure call and text
message routing, delayed mobile device software updates, and
unauthenticated caller ID, the last of which is responsible for
the nationwide explosion of fraudulent robocalls.
Cell-site simulators, commonly dubbed IMSI catchers,
Stingrays, or dirt boxes, are devices that exploit omissions
and mistakes in the trust between mobile devices and cellular
towers. A cell-site simulator mimics a legitimate cellular
tower and tricks nearby mobile devices into connecting to it.
The cell-site simulator then takes advantage of the connection
to extract information from those devices. The most serious
cell-site simulator risks are associated with second
generation, or 2G, wireless protocols which were initially
deployed in the 1990s and remain operational today to support
legacy devices and offer service in rural areas. The 2G
wireless protocols do not include authentication for cellular
towers. As a result, 2G cell-site simulators can fully mimic a
cellular tower, and these cell-site simulators can identify and
track nearby mobile devices, can intercept or block voice,
text, and data communications involving those devices.
While more recent 3G and 4G wireless protocols include
authentication for cellular towers, they still have significant
cell-site simulator vulnerabilities. And while the latest 5G
protocols do include a new protection against cell-site
simulators, that protection is only optional and only effective
against some of the known attacks against 3G and 4G networks.
The possible criminal uses of cell-site simulators are
limited only by our collective imagination. Criminals could
capture private financial information, for example, and steal
funds. They could collect sensitive medical information and
conduct blackmail. Or they could obtain confidential business
information for commercial gain.
Cell-site simulators also pose a serious national security
threat. The federal government is the Nation's largest consumer
of commercial wireless services, and is susceptible to the same
cybersecurity risks in our communications infrastructure. A
foreign intelligence service could easily use cell-site
simulators to collect highly confidential information about
government operations, deliberations, and personnel movements.
In responding to the threat of cell-site simulators, as
well as the other serious cybersecurity risks associated with
insecure call and text message routing, delayed mobile device
software updates, and unauthenticated caller ID, I encourage
the members of this Subcommittee to consider leveraging the
federal government's communications acquisitions. According to
OMB, the United States Government spends about $1 billion every
year on wireless service and mobile devices, and yet, as DHS
acknowledged in a recent report, the federal government has
little assurance that it is paying for wireless service and
mobile devices that incorporate cybersecurity best practices.
Congress should condition its substantial communications
outlays on implementation of appropriate cybersecurity
safeguards.
Before I close, I would like to briefly address law
enforcement use of cell-site simulators. Federal, state, and
local law enforcement agencies use cell-site simulators in the
course of criminal investigations, either to track the location
of a suspect's mobile device, or to identify all the mobile
devices nearby. At present, the federal government owns over
400 cell-site simulators and at least 73 State and local law
enforcement agencies also own cell-site simulators. Under
current law it is a violation of Section 301 of the Communications
Act for a State or local law enforcement agency to operate a
cell-site simulator, because they're transmitting unlicensed
wireless spectrum without authorization. Police departments may
also run afoul of Section 333, which prohibits wireless jamming
because law enforcement cell-site simulators could disrupt 911
calls and other wireless connectivity.
I believe that cell-site simulators are legitimate
investigative tools and that they should be available to law
enforcement agencies when subject to appropriate procedural
safeguards. But until Congress takes action, the Nation's
police departments will remain in legal limbo. I encourage the
Members of the Subcommittee to consider legislation that both
resolves the Communications Act issues with cell-site
simulators, and codifies a warrant requirement for cell-site
simulator operation.
Thank you again for the opportunity to address
communications security and privacy at today's hearing, and I
look forward to questions from the Subcommittee.
[The prepared statement of Dr. Mayer follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Abraham. Thank you, Dr. Mayer. I thank all the
witnesses for that very compelling testimony.
I'm going to recognize myself for five minutes for the
opening round of questions. Dr. Clancy, I'll direct my first
one to you.
You previously detailed that you see two possible scenarios
moving forward with this overall issue. One is a status quo
with the possibility of increased training and acknowledgment
of these targeted attacks. The second is a substantive dive and
to address the issue, which includes a comprehensive assessment
of how we treat cell phone towers, permissioned access, and
policy changes through updates to phones. Can you provide a
little more detail about the difference in the two options, and
which would you prefer?
Dr. Clancy. So I think there are a number of solutions that
are possible within this space. There are technical solutions,
there are policy solutions, there are legal solutions. I think
that there are--the key thing, though, is to ensure that any
action that's taken to, I guess, close the gaps that IMSI
catchers leverage takes into consideration a path forward for
law enforcement around being able to conduct their operations.
So I could imagine scenarios where we essentially look to
prevent phones from connecting to IMSI catchers, scenarios
where we shut down 2G preference for phones in order to prevent
them from being as susceptible to IMSI catchers. But I think
any action that we take should be complemented with efforts to
ensure that law enforcement still are able to get timely access
to location information in order to support their
investigations.
Chairman Abraham. Who should lead the effort to have a
comprehensive solution to these issues? What set of agencies or
people?
Dr. Clancy. Indeed. So certainly any time we talk about
telecommunications and cellular it's tricky because there are
so many stakeholders. DHS is the sector-specific agency
associated with telecommunications, so they would seem like a
logical choice to take the lead. But certainly the FBI, the
FCC, and others are key stakeholders in this process.
Chairman Abraham. Okay, thank you.
Dr. Mayer, how does the recent Supreme Court decision on
Carpenter v. United States addressing citizens' Fourth
Amendment rights change the acceptable use of this technology?
Dr. Mayer. Thank you for the question. Carpenter, by its
own terms, does not regulate real time location tracking by law
enforcement. The majority was clear on that point. It does,
however, express a growing concern by the Supreme Court with
the scope of law enforcement capability using modern
technology, and to the extent it affects courts' views on
cell-site simulators, it will only serve to heighten the level of
protection.
That said, I want to be very clear to note that to my
knowledge, every recent court decision that has addressed the
question of whether cell-site simulators are regulated by the
Fourth Amendment has concluded they are regulated by the Fourth
Amendment and a warrant is required for their operation.
Chairman Abraham. Do you think it will have an impact on
this--from this Carpenter decision on lawful and legitimate use
of the rogue base stations or the IMSI catchers to thwart
criminal activity?
Dr. Mayer. So at the federal level I don't believe there
will be an effect because by policy, the Department of Justice
and the Department of Homeland Security already obtain warrants
to operate these devices. At the State and local level, my
understanding is that some police departments do currently
operate these devices without obtaining a search warrant, and
they may continue to do those things notwithstanding the
Carpenter decision. This issue has not been fully litigated in
every jurisdiction.
Chairman Abraham. Dr. Romine, NIST has published the Mobile
Threat Catalog which provides incredibly useful information
about the overall issue of mobile device security. How is NIST
getting this information out and in front of vendors and people
that need to see it?
Dr. Romine. Thank you, Mr. Chairman.
We have a collection of stakeholders that are in contact
with us on a regular basis. We have thousands of people who
subscribe to our newsletters. In general, those are
stakeholders that are monitoring the work that we do. We are
working through the Standards Development Organizations, the
3GPP, for example, which has a lot of the work that we're doing
and involves trying to help improve the security of
telecommunications activities and their channels associated
with getting the information out through those mechanisms as
well. We also manage an active website with many, many--tens of
thousands of hits on a regular basis for people who are looking
at what we're doing in cybersecurity broadly and for specific
topic areas as well.
Chairman Abraham. Is NIST working with other government
agencies to promote this, such as a cybersecurity framework?
Dr. Romine. Well, it is not directly related to the
cybersecurity framework, but we are working with other federal
agencies. We encourage a large number of agencies to work, for
example, in the standards development bodies so that all of the
requirements and associated concerns can be expressed in those
bodies.
Chairman Abraham. Okay, thank you.
Mr. Beyer.
Mr. Beyer. Thank you, Mr. Chairman, and it's nice to have a
Chairman from Texas that loads the panel up with Virginians.
So Dr. Romine, your PAC from UVA is very much appreciated.
Dr. Clancy teaching with the Hokies at Virginia Tech. Dr.
Mayer, I'm sorry about the Stanford Princeton background, you
know, but you can--they can slum it today.
Dr. Mayer. I enjoy visiting the state.
Mr. Beyer. That's good. Dr. Mayer, you know, according to
press reports the President frequently uses his unsecured cell
phone and routinely refuses to change that to an official
secured phone. That was one of the recommendations that people
in very sensitive roles have these highly secure phones. We
talked about the cell phone number to Kim Jong-un.
Can you describe why these practices may put the
President's phone at risk from being hacked or penetrated by
foreign intelligence agencies?
Dr. Mayer. Any senior official in any of the branches of
government--and for that matter, any senior executive in the
private sector--should take heightened precautions with respect
to their telecommunications equipment. There are possible
attacks involving interception of voice and text messages. In
my written testimony, I describe how those might proceed. There
are also the cell-site simulator risks that we've discussed.
And in addition, there's an issue of security updates not
necessarily getting delivered in a timely fashion to consumer
devices, such that they could be remotely compromised.
So there are a number of cybersecurity risks that are very
significant in this ecosystem that could result in essentially
total compromise of communications, and again, anyone in a
sensitive position should take heightened precautions.
Mr. Beyer. Great, thank you very much.
Dr. Romine, in Dr. Mayer's presentation he talks about
femtocells, consumer hardware sold by wireless providers that
extend coverage indoors and into rural areas. Are these the
things I bought from Google that allow my wife to use her
wireless thing upstairs?
Dr. Romine. I think that's probably a good example of
exactly what was described.
Mr. Beyer. So one of the things that we consumers may have
been totally unaware of is by buying essentially the wireless
extenders within our home, that we have set up these rogue IMSI
devices?
Dr. Romine. I'd have to double check the particulars, but I
don't think that's quite the same kind of thing that we're
talking about. In the case of these devices, these are lawfully
provisioned to provide extended coverage and are not considered
camping illegally on spectrum that hasn't been authorized.
Mr. Beyer. I wasn't so worried about us breaking the law as
we were setting up bad guys to get our----
Dr. Romine. Oh, I see what you're saying. I don't know the
particulars of the femtocells and whether they have similar
kinds of cybersecurity built into them. I think it would depend
on the manufacturer and on the way that they're provisioned.
I'll have to get back to you on whether I think there's
additional vulnerability associated with having femtocells in
your home.
Mr. Beyer. Great. Dr. Clancy, I loved your recommendations
at the end. You talked about the default setting that the major
phone carriers need to set default stuff within the Androids
and the iPhones that would basically disable the 2G thing
unless they're specifically roaming. How do we make that
happen? Is there a role for Congress there?
Dr. Clancy. That's a good question. It's a fairly simple
change to the software of the devices. It could even be done as
a policy push from the carrier networks.
Right now, users have the ability to shut off 3G and 4G
particularly on iPhones, but they do not have the ability to
shut off 2G, which is sort of backwards in my opinion. So with
some minor policy shift pushes from the carriers that have
already decommissioned 2G, these devices would default to only
using 3G and 4G.
Mr. Beyer. Is this something that they could tell all of us
with our iPhones and Androids to do, or do you have to do that
in the units they sell going forward?
Dr. Clancy. Well it would need to be an update that they
push from the networks to the phones. It wouldn't necessarily
just be new devices. There is not a way for a user to do it by
themselves within the current infrastructure. Even the secret
code I talked about that brings up the diagnostic menu where
you can change it yourself, it doesn't--once you reboot your
phone, the setting goes away so you have to sort of constantly
go in and make sure that 2G is disabled.
So there are some very simple things that could be done
with the user interface through software updates that would
cause phones to not connect to 2G unless roaming.
Mr. Beyer. Okay, great. Mr. Chairman, I yield back.
Chairman Abraham. Thank you.
Mr. McNerney?
Mr. McNerney. Well I thank the Chair and I thank the
witnesses. I apologize for leaving during your testimony, but
you did have written testimony that we reviewed beforehand.
My question is similar to Mr. Beyer's question, the Ranking
Member's question. Dr. Mayer, in your testimony you state that
the most serious cell-site simulator risks are associated with
2G wireless protocols, which were deployed in the 1990s and
remain operational today to support the legacy devices that are
out there. Who are the consumers that are most likely to
possess these legacy devices?
Dr. Mayer. Well as Dr. Clancy testified, there are a number
of devices like home alarm systems, connected devices that were
deployed in the 1990s or early 2000s that just don't have newer
cellular technology built into them. Nowadays we call these
things the internet of things, but back then it was just your
alarm system.
So those are the types of devices that might be affected,
and it's also important to note that rural connectivity is
sometimes provided by 2G, because those networks were built out
and have not been updated since.
That said, I think providing the security protection
associated with disabling 2G need not come at the expense of
disabling those legacy devices or rural connectivity. You know,
for folks who live in an area that doesn't have 2G--or that has
3G, 4G, or now 5G coverage, disabling 2G wouldn't be a problem.
Mr. McNerney. But there are a lot of legacy devices out
there that they are going to continue to require 2G protocols,
right?
Dr. Mayer. I'm afraid I don't have a handle on the scale of
the use of 2G networks at this point, but it is not an area
where we have to make a tradeoff between supporting those
devices and securing the latest devices. We can do both.
Mr. McNerney. Well you note that while most 3G and 4G
protocols include authentication for cell towers, they still
have significant site cell tower vulnerabilities. Could you
expand on that a little bit?
Dr. Mayer. Sure. In my written testimony, I describe three
classes of vulnerability in addition to taking advantage of 2G
networks. One class of vulnerability is location tracking.
There are certain components of the 3G and 4G cellular
protocols that enable location tracking, even though the base
station isn't properly authenticated. So that's one class of
attack.
Another class of attack is taking advantage of femtocells,
as Ranking Member Beyer noted. These are home devices that
serve as range extenders. Criminals could compromise these
devices and convert them into their own cell-site simulators,
and in fact, researchers have demonstrated that this can
actually be a pretty easy thing to do.
The third class of attack I describe takes advantage of
either collaborating with or compromising a foreign cellular
network, and then effectively tricking devices within the
United States into roaming on that foreign network.
So there are multiple other categories of attack in
addition to the 2G issue.
Mr. McNerney. So these range extenders, when they're
attacked, does that give the attacker just access to the person
that has the range extender or does it go beyond that?
Dr. Mayer. Those devices could give access to any person
targeted by whoever's operating the range extender that's been
compromised, and that could allow intercepting voice,
intercepting text messages, and intercepting data.
Mr. McNerney. Thank you.
Dr. Clancy, when a carrier detects the rogue base station
is in operation, is it currently required to report that to an
agency like the FBI?
Dr. Clancy. Currently the carriers perhaps are collecting
enough data to make that determination, but they are not
archiving it in a way that it can be analyzed to produce that
conclusion. So there is sort of data that exists ephemerally
within the carrier networks that could be a telltale sign that
an IMSI catcher is operating in their geographic footprint.
Right now that data is not being stored. It is not being
analyzed, and it is only now in the 5G standards that it is
even proposed that that is a thing that should be done. So I
think that is sort of unexplored at this moment in terms of
what should be done with that data.
Mr. McNerney. Is that a business opportunity or a
regulatory opportunity to control that?
Dr. Clancy. So there are other countries where that data is
handed over to third parties and used for all manner of
analytics. I think those countries have substantially different
privacy laws than we do here in the United States, so I think
it is data, certainly given all the focus on cellular privacy
we have seen over the last few weeks, that I wouldn't
necessarily consider a business opportunity. It would need to
be treated carefully.
In terms of regulatory, yeah, I mean, I assume you could
regulate that data needed to be analyzed, and if detection
was--if you discovered a rogue base station then you should
tell someone. I guess the question is who? Do you file an
interference complaint with the FCC? Do you file something with
the FBI saying that you've detected an IMSI catcher? These
things, of course, could be being used by--lawfully by federal
law enforcement, or they could be being used unlawfully. And
the carrier wouldn't know which it was.
Mr. McNerney. Mr. Chairman, I'll yield back.
Chairman Abraham. All right. Well so I'm thinking of
ditching my cell phone and going to get two cans and a string
to--you have some questions, Mr.----
Mr. Beyer. Well I was going to yield to either of you guys.
Chairman Abraham. I'm going--we're going to have a second
round of questions now, so we're good. Okay. Yeah, we're--this
is such an interesting topic, we're going to continue here for
at least another round.
Dr. Mayer, is it possible to attribute any legal cell-site
simulator to a particular actor, specifically particular
cell-site simulators, do they have characteristics associated with
where they were made or the entity using them? For example, if
the device was made in China or in Russia, would it have any
specific identifiers?
Dr. Mayer. That's a great question, Chairman Abraham. I'm
not aware of any instance in which a law enforcement or
regulatory agency has successfully tracked down one of these
devices, and so I'm not aware of anyone who's tried to
attribute one of these devices once they get their hands on it
or having studied the signals emanating from it and concluding
that it was definitively a cell-site simulator.
And so I think in principle it could be possible to
attribute one of these devices. Again, I'm not aware of an
instance in which folks have gotten close enough to do that.
Chairman Abraham. Dr. Clancy, do you have anything to add
to that?
Dr. Clancy. So in my experience, there's broadly two
classes of these devices. There are the expensive ones that are
manufactured principally for military and law enforcement use,
and their signaling parameters would likely have one set of
characteristics associated with it. There's another that's
based on inexpensive open source hardware and software that you
would likely find being used potentially by foreign
intelligence. It depends on the sophistication level of the
adversary.
I would imagine that you could, with relative simplicity,
tell the difference between an open source--one that was built
on open source software versus one that was built for higher
end military and law enforcement use, and I would imagine that
that would also then be differentiable from the legitimate cell
tower networks.
Chairman Abraham. Okay, Dr. Mayer, back to you. In your
testimony, you state that to your knowledge, other than the
recent DHS pilot project, no component of the U.S. Government
has acknowledged a capability to detect cell-site simulators in
the field, including wireless carriers.
Additionally in a response to Senator Wyden, DHS
specifically claimed it did not currently possess the technical
capability to detect cell-site simulators. Should DHS have this
capability, and if so, how difficult would it be for them to
actually have it?
Dr. Mayer. So there are commercial tools available for law
enforcement and regulatory agencies to attempt to detect these
devices. The inherent challenge with detecting these devices is
that there is no definitive telltale sign of a cell-site
simulator. There are only indicia that give rise to suspicion,
that the tower appears to be configured in an unusual way, and
it appears to be broadcasting on unusual spectrum or unusual
power level. But there are many reasons why legitimate cell
towers are configured in unusual ways, either intentionally or
unintentionally. They may appear and disappear, such as getting
set up for a special event, and so again, while there are
commercial tools available, I'm not aware of anyone who's used
any of these tools to definitively identify one of these
devices, and that's why my recommendation is focusing on
defense rather than whack-a-mole with the folks setting these
things up.
Chairman Abraham. Dr. Clancy, in its mobile device security
study, DHS concluded that it ``believes''--and I will put that
in quotes--``that all U.S. carriers are vulnerable'' to the SS7
and the Diameter attacks, in addition to the federal government
having little assurance that it's paying for cellular service
and mobile devices that incorporate cybersecurity best
practices. Since DHS has responsibility for the protection of
critical infrastructure of the government, in your opinion,
should DHS continue researching the risks through pilot
programs and studies like the 2017 pilot? What DHS S and T be--
would be the appropriate division to continue this research?
Dr. Clancy. So within DHS S&T, there would be two logical
groups. There's a public safety group and there's a
cybersecurity group. Perhaps it would be an interesting
collaboration between the two that could focus on these topics.
I do think that there's room for continued research on
developing and maturing these tools. I do also agree that the
sort of whack-a-mole approach is--would be challenging. Anytime
you identify what you think is a unique signature for one of
these devices, a sophisticated adversary could change that
signature in order to avoid detection.
So I'll also note that there are apps that are available
that purport to identify a rogue base station, and there was a
systematic study done last August--it was published last August
which showed that they were able to fool all of those apps into
thinking that their rogue base station was indeed a legitimate
one. So again, supporting this notion that whack-a-mole would
be challenging against a sophisticated adversary.
Chairman Abraham. Mr. Beyer.
Mr. Beyer. Thank you, Mr. Chairman.
Dr. Mayer, you wrote that in 2016 the major wireless
carriers committed to targeting a rollout for caller ID
authentication in the first quarter of 2018, and as of today,
not a single major wireless carrier has adopted rigorous caller
ID authentication. Can you tell us why? Is it ridiculously
expensive? Have they been otherwise distracted? AT&T, for
example.
Dr. Mayer. Ranking Member Beyer, before answering that in
just a moment, if I might add to Dr. Clancy's response on the
last question that our allies across the pond in the United
Kingdom actually have their government audit communications
carriers to make sure that these SS7 and Diameter
vulnerabilities have been addressed. The notion of DHS jumping
into the carriers maybe is not--may be worth further
discussion, but at any rate, our allies have a different
approach to this than we do.
With respect to the robocall issue and call authentication,
my understanding is that the carriers are not eager to make new
investments in what they view as a declining area of their
business. The growth in cellular communications has been in
data and not in voice, and so investing new money in voice
security is a bit of a tough proposition when these are systems
that are just not going to be revenue generators in the future.
Mr. Beyer. Despite the fact that there are billions of
robocalls made that harass Americans every year?
Dr. Mayer. That's right, and I think an extra dimension of
this that I will certainly I find personally frustrating is the
major wireless carriers not only have not taken steps to
address the issue, but in fact, charge a monthly fee if you
would like to use their services to address robocalls.
Mr. Beyer. Wow. Thank you very much.
Dr. Clancy, you write that criminal organizations could
theoretically take advantage of the technology, but they
haven't. Why not?
Dr. Clancy. Well it depends on--in order to take advantage
of the technology, you need a fairly sophisticated sort of
intelligence analysis function. If you're simply catching
IMSIs, you have to know to whom those IMSIs belong, and that
isn't readily available if you're just doing this
opportunistically.
So law enforcement and foreign intelligence are spending a
lot more time on the analytic component in order to develop
those relationships and know what IMSI they're looking for,
whereas criminal organizations don't often have the analytic
capacity to accomplish that, so they've been focused on more
brute force technologies like just jamming the cellular signals
in order to accomplish their acts.
Mr. Beyer. Okay.
Dr. Clancy. At least that's been my observation.
Mr. Beyer. Thank you.
Dr. Romine, I think it was Dr. Mayer who wrote that other
than the DHS pilot, no component of the United States
government has acknowledged the capability to detect cell-site
simulators in the field. No wireless carrier has acknowledged
such a capability, and the Department of Justice has not
initiated any prosecution for operating a cell-site simulator.
Is this a hole in our federal capabilities, and where does NIST
fit into this?
Dr. Romine. Thank you for the question. Let me address the
second part of that first, which is that NIST's role in this
space, is to strengthen the security of telecommunications
networks, and we do that principally through our engagement
with the standards development process and in the guidelines
that we publish, such as the special publication I referenced
in my testimony, to try to provide useful input for operators
and others who might like to strengthen their
telecommunications activities.
The question of the gap, or if there is a gap in this, is
probably a little above my pay grade. I don't know what the
right answer to that is. I would say that certainly the
Department of Homeland Security has a role to play as the
sector-specific agency for the telecommunications sector.
Beyond that, it's not clear to me.
Mr. Beyer. Thank you. Dr. Mayer, you wrote that paragraph.
What was your intent in talking about this gap?
Dr. Mayer. My view is that while it is worth spending time
on attempting to improve detection of these devices, the far
better or far more effective focus for federal policy would be
on defense. We know how to defend against the worst of these
attacks, and I think it is a--it would be a very reasonable
thing for Congress to say when we're spending all this taxpayer
money on wireless services and devices, we expect at minimum
defenses against the worst of the worst.
Mr. Beyer. I agree. Thank you very much.
Mr. Chairman, I yield back.
Chairman Abraham. Thank you, Mr. Beyer.
Mr. McNerney?
Mr. McNerney. Again, I thank the Chair for another round of
questions.
Dr. Romine, in your testimony you noted that 4G systems
have a number of operational capabilities that mobile network
operators may choose to implement, and that's presumably to
secure cell phone communications. Has NIST conducted an
analysis to determine what has been implemented to date, how
widespread that implementation is, and what's still needed?
Dr. Romine. Thank you, sir. We have not done that analysis.
We don't do operational activities. We're not a provider of
these services and we don't have any insight into the way the
operators are currently using these, and whether the optional
security features or privacy features are being turned on or
not.
From our perspective, I agree with the other two witnesses
here that there's some low-hanging fruit here. The easiest part
of this, or the most important, would perhaps be addressing
this idea of dropping back to 2G communications--and I want to
be clear here. The vendors or the mobile operators are not
doing this because of any lack of understanding of the concern
of security. They are doing it to provide the best user
experience, right? So the vulnerability exists because the
telecommunications providers are trying to ensure a seamless
communication.
That said, I think it's going to take a collaboration among
users, vendors, and the industry to ultimately complete the
phaseout of 2G communications.
Mr. McNerney. That's what it's going to take, phasing out
the 2G communications?
Dr. Romine. That's certainly one major focus that I think
would make a difference.
Mr. McNerney. Thank you. Dr. Clancy, you said that in the
past, both industry and the federal government need to
significantly increase cybersecurity funding research. You said
that the Government often approaches cybersecurity with an
``after the fact solutions applied with duct tape and bubble
gum.'' You also said that cybersecurity investments by both the
federal government and industry are drastically underfunded. Do
you have any specific recommendations on funding levels or
investments in federal cybersecurity R&D, or comments on what
the federal government can do better to address our
cybersecurity research efforts?
Dr. Clancy. So as an academic, it's always--I think I'm
congressionally required to lobby for more university research
funding.
Mr. McNerney. Yeah.
Dr. Clancy. But no, seriously, I think that there is a
critical need for continued investment in cybersecurity. The
World Economic Forum states that cyber risk is the number one
risk to international organizations doing business in the
United States. This is the challenge of our time and needs to
be the focus of significant R&D investment, particularly in the
cellular spaces where the majority of the R&D investment is
happening in the EU. The Horizon 2020 program out of the EU is
funding almost all of the 5G security research right now, and
we have very little being funded here in the United States,
either through the National Science Foundation or DHS. And that
seems like a key opportunity for the U.S. to take a leadership
role in an area as important as this.
Mr. McNerney. Well it's our responsibility to decide how
much money to spend on these things, and we need guidance. So
if there's a place we can go to find that kind of guidance, I
think it would be very useful.
Dr. Clancy, you have said the United States needs for one
million cybersecurity-related jobs, that an estimated 31
percent of those jobs are vacant now. You also pointed out the
fact that American universities are not offering the right kind
of courses to train people in cybersecurity. Do you have any
recommendations for Congress to try and help energize efforts
for the right source of--sorts of computer security expertise
that our nation needs?
Dr. Clancy. So yes, there are----
Mr. McNerney. Similar question.
Dr. Clancy. There are currently, what, 300,000 empty cyber
jobs across the country. Here in the D.C. region, we have 42,000
unfilled cyber jobs. We have the densest cyber workforce in the
world here in the D.C. region, and among the highest vacancy
rate because the talent is so sought after.
So there's a range of different activities that are needed
to invest in workforce development programs. The number of new
cyber jobs that are needed each year exceeds the number of
students graduating with a degree in computer science each
year, so this needs to be not just viewed as a computer science
domain, this is a domain for business and policy. A wide range
of skills are needed in order to effectively combat this
challenge.
So for example, there are federal programs such as the
CyberCorps Scholarship for Service Program that is
administered by OPM and the National Science Foundation. I
think opportunities to expand that program to focus beyond the
pure technical skills of computer science would be an
opportunity to densify the workforce pipeline.
Mr. McNerney. And you--would you think that there's a
significant opportunity for women and underserved minorities
to--in this field?
Dr. Clancy. Certainly. So cybersecurity is notorious for
its poor performance in diversity, both in terms of gender and
racial background. So I think programs specifically targeting
women and underrepresented minorities in order to increase
awareness are critical, and most studies have found that this
isn't something you can't start at college. This has to go all
the way back to third and fourth grade where people are sort of
beginning to decide whether or not a STEM career is what they
want to pursue or not.
Mr. McNerney. Thank you, Mr. Chairman.
Chairman Abraham. All right, good stuff.
I thank the witnesses for their testimony, very valuable,
and Members for their great questions. The record will remain
open for two weeks for additional comments and written
questions from members.
This hearing is adjourned.
[Whereupon, at 3:24 p.m., the Subcommittee was adjourned.]