(by TLPC student attorneys Parker Nagle, Andrew Leddy, and Kennedy Smith)
On behalf of a coalition of independent network security researchers and public interest organizations, the Samuelson-Glushko Technology Law and Policy Clinic at Colorado Law filed reply comments on the FCC’s 2019 National Security Supply Chain Order and Further Notice of Proposed Rulemaking calling for greater cell network security. The TLPC worked with the coalition to draw attention to the many vulnerabilities plaguing cell networks that the Order did not address and to outline the broad but underutilized, authority the FCC has to advance meaningful solutions. The coalition included CU-Boulder researchers Dr. Eric Wustrow, Dr. Dirk Grunwald, and Dr. Sangtae Ha, mobile security researchers Joseph Hall, Yomna Nasser, Marcus Prem, and Ashley Wilson, and public interest organizations Electronic Frontier Foundation (EFF), Public Knowledge, and Eye on Surveillance.
While securing the cell network supply chain must be a priority, there are numerous other vulnerabilities that persist across the American cell network stemming from root causes other than the supply chain. These vulnerabilities allow malicious actors to exploit them for communication interception, location tracking, and other insidious privacy threats, including the potential to send spoofed Presidential Alerts to thousands of phones in concentrated areas.
Solutions to these vulnerabilities do exist in 5G, including stronger authentication and encryption protocols. However, the more secure architectural improvements are optional and unlikely to be implemented by the cell carriers as these measures may increase network latency. The FCC has a critical role to play in ensuring existing solutions are implemented more reliably and new solutions are identified more frequently.
Finally, the reply comment argues that the FCC is uniquely positioned to spearhead a wide-ranging, whole-of-government inquiry into the vulnerabilities plaguing the cell network and identifying potential solutions. Contrary to arguments made by industry commenters, the FCC possesses broad authority to implement the most effective solutions.
The coalition reply comments are available here: Security Researchers and Public Interest Organizations Reply Comment