Export Compliance Daily is a Warren News publication.

Wyden Seeks CISA, NSA Audits of FirstNet's Cybersecurity

Sen. Ron Wyden, D-Ore., pressed the Cybersecurity and Infrastructure Security Agency and the National Security Agency Wednesday to “conduct or commission annual cybersecurity audits of FirstNet" and complained that the federal government “has done little to force wireless carriers to…

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

fix” known vulnerabilities in the emergency network. “CISA’s subject matter expert told my staff” during a February 2022 briefing “that they had no confidence in the security of FirstNet, in large part because they have not seen the results of any cybersecurity audits conducted against this government-only network,” Wyden said in a letter to CISA Director Jen Easterly and NSA Director Paul Nakasone. A nondisclosure agreement included in AT&T’s contract to operate FirstNet means “NTIA and the FirstNet Authority are not allowed to reveal how frequently AT&T commissions these audits, how robust they are, what the audit results were, or whether all vulnerabilities discovered during the audits have been fixed.” Concealing “vital cybersecurity reporting is simply unacceptable,” he said: “CISA and NSA need to have access to all relevant information regarding the cybersecurity of FirstNet, and Congress needs this information to conduct oversight.” If the Commerce Department “is unable to share the results of the FirstNet audits commissioned by AT&T, CISA and NSA should conduct or commission their own annual audits and deliver the results to Congress and the FCC.” CISA and NSA didn’t comment. The FCC, meanwhile, should undo actions during Ajit Pai’s chairmanship that “allowed the industry to invest as little as it wanted in cybersecurity,” Wyden said. “During the Trump Administration,” then-FCC Commissioner Jessica Rosenworcel “called for the Commission to ‘move beyond studies and voluntary recommendations.' Now under her leadership, I hope that the FCC will address this market failure and protect Americans’ privacy. The FCC should issue new regulations forcing the carriers to meet minimum cybersecurity standards, just as regulators in other countries have done.” FirstNet said in a statement it “prioritized cybersecurity in the planning for the public safety broadband network, and it continues to be a top priority for us today.” It emphasized its existing cybersecurity strategy “goes well beyond standard commercial network security measures.”