Wyden Seeks CISA, NSA Audits of FirstNet's Cybersecurity
Sen. Ron Wyden, D-Ore., pressed the Cybersecurity and Infrastructure Security Agency and the National Security Agency Wednesday to “conduct or commission annual cybersecurity audits of FirstNet" and complained that the federal government “has done little to force wireless carriers to…
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
fix” known vulnerabilities in the emergency network. “CISA’s subject matter expert told my staff” during a February 2022 briefing “that they had no confidence in the security of FirstNet, in large part because they have not seen the results of any cybersecurity audits conducted against this government-only network,” Wyden said in a letter to CISA Director Jen Easterly and NSA Director Paul Nakasone. A nondisclosure agreement included in AT&T’s contract to operate FirstNet means “NTIA and the FirstNet Authority are not allowed to reveal how frequently AT&T commissions these audits, how robust they are, what the audit results were, or whether all vulnerabilities discovered during the audits have been fixed.” Concealing “vital cybersecurity reporting is simply unacceptable,” he said: “CISA and NSA need to have access to all relevant information regarding the cybersecurity of FirstNet, and Congress needs this information to conduct oversight.” If the Commerce Department “is unable to share the results of the FirstNet audits commissioned by AT&T, CISA and NSA should conduct or commission their own annual audits and deliver the results to Congress and the FCC.” CISA and NSA didn’t comment. The FCC, meanwhile, should undo actions during Ajit Pai’s chairmanship that “allowed the industry to invest as little as it wanted in cybersecurity,” Wyden said. “During the Trump Administration,” then-FCC Commissioner Jessica Rosenworcel “called for the Commission to ‘move beyond studies and voluntary recommendations.' Now under her leadership, I hope that the FCC will address this market failure and protect Americans’ privacy. The FCC should issue new regulations forcing the carriers to meet minimum cybersecurity standards, just as regulators in other countries have done.” FirstNet said in a statement it “prioritized cybersecurity in the planning for the public safety broadband network, and it continues to be a top priority for us today.” It emphasized its existing cybersecurity strategy “goes well beyond standard commercial network security measures.”