This article was reported in partnership with the Project On Government Oversight . It was written by POGO investigator Andrea Peterson, and it incorporates research from former POGO intern Vanessa Perry.

The outages hit in the summer of 1991. Over several days, phone lines in major metropolises went dead without warning, disrupting emergency services and even air traffic control, often for hours. Phones went down one day in Los Angeles, then on another day in Washington, DC and Baltimore, and then in Pittsburgh. Even after service was restored to an area, there was no guarantee the lines would not fail again—and sometimes they did. The outages left millions of Americans disconnected.

The culprit? A computer glitch. A coding mistake in software used to route calls for a piece of telecom infrastructure known as Signaling System No. 7 (SS7) caused network-crippling overloads. It was an early sign of the fragility of the digital architecture that binds together the nation’s phone systems.

Leaders on Capitol Hill called on the one agency with the authority to help: the Federal Communications Commission (FCC). The FCC made changes, including new outage reporting requirements for phone carriers. To help the agency respond to digital network stability concerns, the FCC also launched an outside advisory group—then known as the Network Reliability Council but now called the Communications Security, Reliability, and Interoperability Council (CSRIC, pronounced “scissor-ick”).

Yet decades later, SS7 and other components of the nation’s digital backbone remain flawed, leaving calls and texts vulnerable to interception and disruption. Instead of facing the challenges of our hyper-connected age, the FCC is stumbling, according to documents obtained by the Project On Government Oversight (POGO) and through extensive interviews with current and former agency employees. The agency is hampered by a lack of leadership on cybersecurity issues and a dearth of in-house technical expertise that all too often leaves it relying on security advice from the very companies it is supposed to oversee.

Captured

CSRIC is a prime example of this so-called “agency capture”—the group was set up to help supplement FCC expertise and craft meaningful rules for emerging technologies. But instead, the FCC’s reliance on security advice from industry representatives creates an inherent conflict of interest. The result is weakened regulation and enforcement that ultimately puts all Americans at risk, according to former agency staff.

While the agency took steps to improve its oversight of digital security issues under the Obama administration, many of these reforms have been walked back under current Chairman Ajit Pai. Pai, a former Verizon lawyer, has consistently signaled that he doesn’t want his agency to play a significant role in the digital security of Americans’ communications—despite security being a core agency responsibility since the FCC’s inception in 1934.

The FCC’s founding statute charges it with crafting regulations that promote the “safety of life and property through the use of wire and radio communications,” giving it broad authority to secure communications. Former FCC Chairman Tom Wheeler and many legal experts argue that this includes cyber threats.

As a regulator, the FCC carries a stick: it can hit communications companies with fines if they don’t comply with its rules. That responsibility is even more important now that “smart” devices are networking almost every aspect of our lives.

But not everyone thinks the agency’s mandate is quite so clear, especially in the telecom industry. Telecom companies fight back hard against regulation; over the last decade, they spent nearly a billion dollars lobbying Congress and federal agencies, according to data from OpenSecrets. The industry argues that the FCC’s broad mandate to secure communications doesn’t extend to cybersecurity, and it has pushed for oversight of cybersecurity to come instead from other parts of government, typically the Department of Homeland Security (DHS) or the Federal Trade Commission (FTC)—neither of which is vested with the same level of rule-making powers as the FCC.

To Wheeler, himself the former head of industry trade group CTIA, the push toward DHS seemed like an obvious ploy. “The people and companies the FCC was charged with regulating wanted to see if they could get their jurisdiction moved to someone with less regulatory authority,” he told POGO.

But Chairman Pai seems to agree with industry. In a November 2018 letter to Senator Ron Wyden (D-Ore.) about the agency’s handling of SS7 problems, provided to POGO by the senator’s office, Pai wrote that the FCC “plays a supporting role, as a partner with DHS, in identifying vulnerabilities and working with stakeholders to increase security and resiliency in communications network infrastructure.”

The FCC declined to comment for this story.

Failing to protect the “crown jewels” of telecom

How the telecom industry leveraged lawmakers’ calls for FCC reform in the wake of the SS7 outages is a case study in how corporate influence can overcome even the best of the government’s intentions.

From the beginning, industry representatives dominated membership of the advisory group now known as CSRIC—though, initially, the group only provided input on a small subset of digital communications issues. Over time, as innovations in communications raced forward with the expansion of cellular networks and the Internet, the FCC’s internal technical capabilities didn’t keep up: throughout the 1990s and early 2000s, the agency’s technical expertise was largely limited to telephone networks while the world shifted to data networks, former staffers told POGO. The few agency staffers with expertise on new technologies were siloed in different offices, making it hard to coordinate a comprehensive response to the paradigm shift in communication systems. That gap left the agency increasingly dependent on advice from CSRIC.

During the early 1990s, the SS7-based software system was just coming into wide use. Today, though, it is considered outdated and insecure. Despite that, carriers still use the technology as a backup in their networks. This leaves the people who rely on those networks vulnerable to the technology’s problems, as Jonathan Mayer, a Princeton computer science and public affairs professor and former FCC Enforcement Bureau chief technologist, explained during a Congressional hearing in June 2018.

Unlike in the 1990s, the risks now go much deeper than just service disruption. Researchers have long warned that flaws in the system allow cybercriminals or hackers—sometimes working on behalf of foreign adversaries—to turn cell phones into sophisticated geo-tracking devices or to intercept calls and text messages. Security problems with SS7 are so severe that some government agencies and some major companies like Google are moving away from using codes sent via text to help secure important accounts, such as those for email or online banking.

A panel advising President Bill Clinton raised the alarm back in 1997, saying that SS7 was among America’s networking “crown jewels” and warning that if those crown jewels were “attacked or exploited, [it] could result in a situation that threatened the security and reliability of the telecommunications infrastructure.” By 2001, security researchers argued that risks associated with SS7 were multiplying thanks to “deregulation” and “the Internet and wireless networks.” They were proved right in 2008 when other researchers demonstrated ways that hackers could use flaws in SS7 to pinpoint the location of unsuspecting cell phone users.

By 2014, it was clear that foreign governments had caught on to the disruptive promise of the problem. That year, Russian intelligence used SS7 vulnerabilities to attack a Ukrainian telecommunications company, according to a report published by NATO’s Cooperative Cyber Defence Centre of Excellence, and more research about SS7 call interception made headlines in The Washington Post and elsewhere.

Despite the increasingly dire stakes, the FCC didn’t pay much attention to the issue until the summer of 2016, after Rep. Ted Lieu (D-Calif.) allowed 60 Minutes to demonstrate how researchers could use security flaws in the SS7 protocol to spy on his phone. The FCC—then led by Wheeler—responded by essentially passing the buck to CSRIC. It created a working group to study and make security recommendations about SS7 and other so-called “legacy systems.” The result was a March 2017 report with non-binding guidance about best practices for securing against SS7 vulnerabilities, a non-public report, and the eventual creation of yet another CSRIC working group to study similar security issues.

A POGO analysis of CSRIC membership in recent years shows that its membership, which is solely appointed by the FCC chairman, leans heavily toward industry. And the authorship of the March 2017 report was even more lopsided than CSRIC, overall. Of the twenty working-group members listed in the final report, only five were from the government, including four from the Department of Homeland Security. The remaining fifteen represented private-sector interests. None were academics or consumer advocates.

The working group’s leadership was drawn entirely from industry. The group’s co-chairs came from networking infrastructure company Verisign and iconectiv, a subsidiary of Swedish telecom company Ericsson. The lead editor of the group’s final report was CTIA Vice President for Technology and Cyber Security John Marinho.

Emails from 2016 between working group members, obtained by POGO via a Freedom of Information Act request, show that the group dragged its feet on resolving SS7 security vulnerabilities despite urging from FCC officials to move quickly. The group also repeatedly ignored input from DHS technical experts.

The problem wasn’t figuring out a fix, however, according to David Simpson, a retired rear-admiral who led the FCC’s Public Safety and Homeland Security Bureau at the time. The group was quickly able to discern some best practices—primarily through using different filtering systems—that some major carriers had already deployed and that others could use to mitigate the risks associated with SS7.

“We knew the answer within the first couple months from the technical experts in the working groups,” said Simpson, who consulted with the Working Group. But ultimately, the “consensus orientation of the CSRIC unfortunately allowed” the final report to be pushed from the lame-duck session into the Trump administration—which is not generally inclined toward introducing new federal regulations.

Overall, POGO’s analysis of emails from the group and interviews with former FCC staff found that industry dominance of CSRIC appears to have contributed to a number of issues with the process and the final report, including:

Industry members of the working group successfully pushed for the final recommendations to rely on voluntary compliance, according to former FCC staffers. Security experts say that strategy ultimately leaves the entire cellular network at risk because there are thousands of smaller providers, often in rural areas, that are unlikely to prioritize rolling out the needed protections without a firm rule.

An August 2016 email shows that, early on in the process, DHS experts objected to describing the working group’s focus as being on “legacy” systems because it “conveys a message that these protocols and associated threats are going away soon and that’s not necessarily the case.” The group did not revise the legacy language, and it remained in the final report.

In an email from September 2016, an FCC official emailed Marinho, noting that edits from DHS were not being incorporated into the working draft. Marinho responded that he received them too late and planned to incorporate them in a later version. However, in a May 2018 letter to the FCC, Senator Wyden said DHS officials told his office that “the vast majority of edits to the final report” suggested by DHS experts “were rejected.”

In the emails obtained by POGO, Marinho also refers to warnings about security issues with SS7 that came from panelists at an event organized by George Washington University’s Cybersecurity Strategy and Information Management Program as “hyperbolic.”

Marinho did not respond to a series of specific questions about the Working Group’s activities. In a statement to POGO, CTIA said, “[t]he wireless industry is committed to safeguarding consumer security and privacy and collaborates closely with DHS, the FCC, and other stakeholders to combat evolving threats that could impact communications networks.”

The working group’s report acknowledged that problems remained with SS7, but it recommended voluntary measures and put the onus on telecom users to take extra steps like using apps that encrypt their phone calls and texts.