Pai and Republican commissioner Michael O'Rielly have repeatedly asserted that cybersecurity is not the FCC's problem. Considering cybersecurity is a relatively new field for regulation, there are no rules mandating the FCC address flaws in the country's communications systems. So, Pai has said the FCC simply won't do anything.
Wyden and Lieu argue this line of thinking is misguided.
"The continued existence of these vulnerabilities -- and the industry's lax approach to cybersecurity -- does not just impact the liberty of Americans, it also poses a serious threat to our national and economic security," the letter reads. "As such, the FCC must take swift action to address fundamental security threats to our mobile phones, which are no less dangerous than those cybersecurity threats that receive far more attention from other government agencies."
Wyden and Lieu specifically call out the Signaling System 7 flaw that received a fair bit of media attention last year. Former FCC chairman Tom Wheeler ordered the Communications Security, Reliability and Interoperability Council to investigate SS7 vulnerabilities, and just this month, the CSRIC working group filed its final report on the matter. The investigation noted security holes in critical US infrastructure, as well as cellular, wireline and 5G networks, and recommended widespread firewall and encryption updates.
The CSRIC working group's charter ended on March 18th, but Wyden and Lieu urge the FCC to establish a new body to continue and expand the SS7 investigation.
Overall, the letter asks the FCC to do three main things, partially informed by the CSRIC investigation:
- Force cellular companies to address vulnerabilities in their systems.
- Warn the American people about ways their mobile data can be tracked or hacked by foreign governments or other agents.
- Promote the use of end-to-end encryption apps.
So far, the FCC under Pai has been largely concerned with deregulation, suspending the agency's consumer data privacy rules, chipping away at net neutrality and stopping an order that would have addressed serious flaws in the Emergency Alert System. Pai and O'Rielly argue that regulation stifles innovation at communications companies, and many of their moves favor these large businesses.
Meanwhile, Wyden and Lieu want the FCC to focus on security issues affecting everyday Americans and the nation as a whole. As they put it: "It is clear that industry self-regulation isn't working when it comes to telecommunications cybersecurity."