This month, FCC Chairman Tom Wheeler revealed, in response to a letter from Congressman Alan Grayson, that his agency is assembling a task force “to combat the illicit and unauthorized use of IMSI catchers.” Often known as the brand-name “StingRay,” these are surveillance devices that impersonate legitimate cell towers, enabling them to covertly identify and locate nearby cell phones and, in some cases, to intercept the content of calls or text messages those phones send or receive.

#### Stephanie Pell ##### About Stephanie Pell is an Assistant Professor and Cyber Ethics Fellow at the Army Cyber Institute, United States Military Academy at West Point. The views expressed here are those of the author and do not reflect the official policy or position of the Department of the Army, Department of Defense, or the U.S. Government.

A Stingray does this by exploiting a persistent vulnerability in the 2G protocol: telephones operating in 2G cannot authenticate cell towers, which means that a rogue tower can appear to be part of a legitimate cellular network. Although 3G and 4G networks have addressed this vulnerability, these networks can be jammed, forcing nearby phones to communicate using the vulnerable 2G protocol. As long as phones include the capability to communicate using 2G—a useful thing when 2G remains widespread in rural areas—the latest smartphones will remain vulnerable to decades old security flaws. Moreover, IMSI catchers remain essentially invisible, since their operation can only be detected in real time with rarely used counter-surveillance equipment.

The FCC task force represents a step in the right direction, but Chairman Wheeler’s response appears to limit its focus to illegal uses of Stingrays, which would not address the serious underlying cyber security problem that enables their operation, legal or not.

>Policymakers should take a dim view of any aspects of national surveillance policy and practice that rely upon perpetual network vulnerabilities.

Twenty years ago, IMSI catchers were costly, cumbersome equipment used by the U.S. military and intelligence agencies. Over time, however, the devices have become smaller, cheaper, and more prevalent. Like many other surveillance technologies initially created for the battlefield, they have trickled down to federal, state and local law enforcement agencies.

Moreover, although once accessible only to a few major global powers at six-figure prices, IMSI catchers can now be bought on the open market from surveillance companies and online retailers for as little as $1,800. Indeed, a recent Newsweek article quoted an ex-FBI official revealing that foreign governments use IMSI catchers to spy on the phone calls of U.S. government officials and corporate employees. Today, a tech-savvy criminal or hobbyist can even build one using off-the-shelf equipment. Whatever effective monopoly the U.S. government once had over the use of IMSI catchers is now gone.

Stingrays Only Work Because Cellular Networks Are Vulnerable

With the democratization and globalization of this surveillance tool, Chairman Wheeler is right to be concerned about the unlawful use of IMSI catchers by criminals and foreign spies in the United States. In stopping there, however, the FCC letter fails to acknowledge or address a more fundamental issue: IMSI catchers, whether employed illegally by criminals or legally by U.S. law enforcement, function by exploiting long-standing cyber security vulnerabilities in our cellular networks. Any genuine solution to the “illicit” IMSI catcher problem must address the continuing presence of network vulnerabilities that are exploitable by anyone who possesses this widely available surveillance technology.

One consequence of securing our national telephone networks from rogue IMSI catchers, however, is that doing so will render it more difficult for law enforcement to monitor targets’ cell phones with their own IMSI catchers. That is, by protecting our phone networks from illegal surveillance, it will also become more difficult for U.S. government agencies to engage in certain kinds of lawful surveillance.

Policymakers seeking to address the illicit IMSI catcher problem must therefore grapple with the inherent tension between court-approved use of certain surveillance technologies and the contemporary effort to harden our communications networks against a broad spectrum of cyber threats. Given the serious cyber threats our country faces, the surveillance benefits realized by law enforcement through the use of IMSI catchers can no longer justify ignoring the cyber security weaknesses in our communications networks that enable their operation. Indeed, policymakers should take a dim view of any aspects of national surveillance policy and practice that rely upon perpetual network vulnerabilities. Such vulnerabilities no longer represent exclusive opportunities for effective surveillance by law enforcement and intelligence agencies since their operational hegemony in this area has long since been lost. Rather, these security flaws constitute an increasing risk to privacy and public safety that should become the subject of a full and open policy discussion of the kind the FCC’s new task force will presumably conduct.

The FCC is well aware of this tension. Chairman Wheeler’s framing of the task force as addressing the “illicit use” of IMSI catchers hopefully represents a positive initial step towards protecting our cellular communications. But to the extent that the task force’s efforts only focus on “clamp[ing] down on the unauthorized use” of the devices, the Commission’s efforts will do little if anything to protect cellular communications from IMSI catchers, much less from broader exploitation of the network vulnerabilities that enable their use.

After all, foreign intelligence services are already breaking the law when they spy in the United States. Increased penalties and enforcement will not stop them from spying. The only effective solution is to secure our national telephone networks and adapt legitimate surveillance policies and practices accordingly.