"DoD has failed to use its purchasing power to require cyber defenses and accountability from wireless carriers," said Sens. Eric Schmitt and Ron Wyden.
In the wake of what some lawmakers are calling the worst telecom attack in the nation’s history, two senators are calling for an investigation into whether the Defense Department could use its purchasing power to better secure telephone communications from foreign spies.
In a Wednesday letter to DoD Inspector General Robert Storch, Sens. Eric Schmitt (R-Mo.), and Ron Wyden (D-Ore.), said the Pentagon, despite being one of the largest buyers of wireless telephone services in the country, has failed to leverage its significant purchasing power to require better cybersecurity practices or accountability from wireless carriers.
“The responsibility for such failures cannot and should not be pinned on low-level procurement officials, but rather, reflects a failure by senior DoD leadership to prioritize cybersecurity, and communications security in particular,” the lawmakers said.
The letter comes more than three months after Chinese government-backed hackers penetrated deep into the U.S. telecommunications infrastructure, including Verizon, AT&T and Lumen Technologies, among other companies, by exploiting systems designed for lawful wiretapping, which allows government agencies to access communications when authorized by a court order.
Last month, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency publicly confirmed that hackers were able to steal an extensive amount of data, including records of where, when and whom customers were communicating with, as well as the private communications of a small number of individuals primarily involved in government or political activities.
CISA and FBI officials told reporters Tuesday that U.S. telecom companies are struggling to kick hackers out of their networks.
A senior CISA official also acknowledged the Salt Typhoon campaign should spur some “hard thinking long term on what this means and how we’re going to secure our networks.” But in the immediate term, the official said CISA and the FBI are focused on finding and evicting the hackers from networks.
“We definitely need to do that, kind of look at what this means long term, how we secure our networks, how we work with our telecommunications partners,” the CISA official said. “Our focus right now, though, is with the victims.”
The Department of Homeland Security’s Cyber Safety Review Board is also expected to investigate the Salt Typhoon campaign as part of its next review.
Earlier this year, the DoD finalized the Spiral 4 contract, which provides unclassified wireless devices and services for soldiers and civilian employees. The contract can be extended for up to nine years and has a total potential value of $2.67 billion. The companies under the contract include AT&T, Verizon and T-Mobile.
According to the letter, DoD’s own assessments confirmed significant cybersecurity weaknesses among its contracted carriers, and while the department said it had implemented some encryption measures, some surveillance threats, including foreign governments’ ability to track phone locations, can “only be mitigated by the wireless carriers.” DoD told Congress that while it had asked carriers to access the results of third-party cybersecurity audits, they were informed the information is protected under attorney-client privilege.
Schmitt and Wyden urged the IG to review whether the Pentagon should “decline to renew these contracts and instead renegotiate with the contracted wireless carriers” to include stricter cybersecurity requirements and to require carriers share their third-party cybersecurity audits.
The senators also criticized DoD’s decision to continue using unencrypted landline phones and platforms like Microsoft Teams.
“The letter is, I think, spot on. It very appropriately calls out an area of great risk,” Ret. Rear Adm. David Simpson, who served as the chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau.
“I think this is an area that, certainly from a national security objective, we failed to keep the lawful intercept platform and connections secure, we failed to anticipate how they might be exploited, and DoD made it worse by carrying forward all those vulnerabilities, but then increasingly adding voice over IP collaborative tools under their programs that they started during COVID. They moved so much of their collaboration into Teams — they got rid of the useful technology and protocol diversity”
The items listed in the letter, however, are “just the tip of the iceberg,” said Simpson. First, the wireless and wired telephony area for the DoD has long been underfunded and poorly planned, leaving the department with significant technology debt.
Simpson said the DoD has focused on high-level architecture and science and technology goals, but the efforts have not translated into practical improvements in its telephony infrastructure.
And overseas, where operations involve interagency collaboration and working with partner nations, the lack of a robust telephony system puts units at risk since they tend to rely on improvised and non-standard solutions.
“[DoD] is in bad shape from technology debt and underinvesting in this area. The big C4I plan is not fit for purpose, in that it doesn’t come down to the levels that are pointed out in the wide letter. And the whole area is underfunded in a period of record expenditures on DoD items that stand to actually be decreased over the next couple of years. And it’s not being funded now when DoD funding is greater than it’s ever been. It’s hard to see how they’ll address this effectively going forward, if there’s not a significant push from leaders like Sens. Wyden and Schmidt, who will stay on this and hold DoD accountable to address the gaps,” said Simpson.
Federal News Network’s Justin Doubleday contributed reporting to this story
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.