Dem lawmakers renew calls for release of delayed telecom security report

Two Democratic senators are reupping calls for the public release of a 2022 report on telecommunications industry security vulnerabilities that the Cybersecurity and Infrastructure Security Agency said months ago it would disclose. 

In a Nov. 12-dated letter, Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., pressed Department of Homeland Security Secretary Kristi Noem and Director of National Intelligence Tulsi Gabbard to release the unclassified document, which they called “critically important to U.S. national security.”

“The continued suppression of a report identifying serious vulnerabilities of the U.S. telecommunications sector undermines the public’s understanding of these threats and stymies an important public debate on a path forward to secure the U.S. telecommunications sector and protect the U.S. Government and all Americans who rely on that sector,” the lawmakers wrote. 

Wyden, in particular, has been calling for CISA to release the report since the Biden administration. In April, the senator said “CISA’s multi-year cover up of the phone companies’ negligent cybersecurity has real consequences,” citing the discovery late last year of a Chinese espionage group’s intrusions into U.S. and international telecommunications infrastructure.

The hackers, known as Salt Typhoon, breached at least nine U.S. telecom providers and some of their systems that facilitate law enforcement’s court-authorized wiretap requests, as well as dozens of other global providers. The Chinese government-affiliated group also targeted the communications of several high-profile political individuals, including individuals tied to President Donald Trump and Vice President JD Vance.

Although the Senate Homeland Security Committee advanced Sean Plankey’s nomination to be CISA’s next director in late July, Wyden has held up the full Senate vote on his confirmation in order to pressure the agency to disclose the report.

The day before the Senate panel voted to advance Plankey’s nomination, however, a CISA spokesperson told Nextgov/FCW that the agency "intends to release" the document. The agency’s statement also came after Wyden-led legislation requiring DHS to publicly release the document passed the Senate unanimously. But Wyden and Warner noted in their letter that “three months later, the report remains hidden from the American public.”

The lawmakers’ missive also called for the Federal Communications Commission “to establish mandatory minimum cybersecurity standards for the communications sector due to the risk of vulnerabilities presenting a significant threat to U.S. Government communications and security and the country.” 

That request comes, in part, after FCC Chairman Brendan Carr announced plans to hold a vote later this month on a proposal that would roll back some of the cybersecurity provisions implemented in the wake of the Salt Typhoon hacks.

In a statement to Nextgov/FCW, CISA Director of Public Affairs Marci McCarthy said the agency “works closely with telecommunications providers to share timely threat intelligence, provide technical support, and collaborate with our federal partners to safeguard America’s communications infrastructure.”

“Developed under the Biden administration in 2022, 'The U.S. Telecommunications Insecurity Report,' is based on vulnerabilities dating back to the mid-1990s,” she added. “In line with the President’s policies, CISA is committed to promoting transparency and accountability. DHS and CISA respond to official correspondence through official channels.”

Editor's note: This article has been updated to include a statement from CISA.