b'<html>\n<title> - BOLSTERING DATA PRIVACY AND MOBILE SECURITY: AN ASSESSMENT OF IMSI CATCHER THREATS</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n                        BOLSTERING DATA PRIVACY \n                         AND MOBILE SECURITY: \n                 AN ASSESSMENT OF IMSI CATCHER THREATS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                       SUBCOMMITTEE ON OVERSIGHT\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JUNE 27, 2018\n\n                               __________\n\n                           Serial No. 115-68\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n \n \n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] \n\n\n       Available via the World Wide Web: http://science.house.gov\n\n              \n                               __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n30-878PDF                  WASHINGTON : 2018                     \n          \n-----------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, \nU.S. Government Publishing Office. 
Phone 202-512-1800, or 866-512-1800 (toll-free).\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nFRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas\nDANA ROHRABACHER, California         ZOE LOFGREN, California\nMO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois\nRANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon\nBILL POSEY, Florida                  AMI BERA, California\nTHOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut\nRANDY K. WEBER, Texas                MARC A. VEASEY, Texas\nSTEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia\nBRIAN BABIN, Texas                   JACKY ROSEN, Nevada\nBARBARA COMSTOCK, Virginia           CONOR LAMB, Pennsylvania\nBARRY LOUDERMILK, Georgia            JERRY McNERNEY, California\nRALPH LEE ABRAHAM, Louisiana         ED PERLMUTTER, Colorado\nGARY PALMER, Alabama                 PAUL TONKO, New York\nDANIEL WEBSTER, Florida              BILL FOSTER, Illinois\nANDY BIGGS, Arizona                  MARK TAKANO, California\nROGER W. MARSHALL, Kansas            COLLEEN HANABUSA, Hawaii\nNEAL P. DUNN, Florida                CHARLIE CRIST, Florida\nCLAY HIGGINS, Louisiana\nRALPH NORMAN, South Carolina\nDEBBIE LESKO, Arizona\n                                 ------                                \n\n                       Subcommittee on Oversight\n\n\n                  RALPH LEE ABRAHAM, Louisiana, Chair\nBILL POSEY, Florida                  DONALD S. BEYER, JR., Virginia\nTHOMAS MASSIE, Kentucky              JERRY McNERNEY, California\nBARRY LOUDERMILK, Georgia            ED PERLMUTTER, Colorado\nROGER W. 
MARSHALL, Kansas            EDDIE BERNICE JOHNSON, Texas\nCLAY HIGGINS, Louisiana\nRALPH NORMAN, South Carolina\nLAMAR S. SMITH, Texas\n                            C O N T E N T S\n\n                             June 27, 2018\n\nWitness List\n\nHearing Charter\n\n                           Opening Statements\n\nStatement by Representative Ralph Lee Abraham, Chairman, \n  Subcommittee on Oversight, Committee on Science, Space, and \n  Technology, U.S. House of Representatives\n    Written Statement\n\nStatement by Representative Eddie Bernice Johnson, Ranking \n  Member, Committee on Science, Space, and Technology, U.S. House \n  of Representatives\n    Written Statement\n\nStatement by Representative Donald S. Beyer, Jr., Ranking Member, \n  Subcommittee on Oversight, Committee on Science, Space, and \n  Technology, U.S. House of Representatives\n    Written Statement\n\n                               Witnesses:\n\nDr. Charles H. Romine, Director, Information Technology \n  Laboratory, National Institute of Standards and Technology\n    Oral Statement\n    Written Statement\n\nDr. T. Charles Clancy, Director, Hume Center for National \n  Security and Technology, Virginia Tech\n    Oral Statement\n    Written Statement\n\nDr. 
Jonathan Mayer, Assistant Professor of Computer Science and \n  Public Affairs, Princeton University\n    Oral Statement\n    Written Statement\n\nDiscussion\n\n             Appendix I: Answers to Post-Hearing Questions\n\nLetter submitted by Representative Ralph Lee Abraham, Chairman, \n  Subcommittee on Oversight, Committee on Science, Space, and \n  Technology, U.S. House of Representatives\n\nArticles submitted by Representative Donald S. Beyer, Jr., \n  Ranking Member, Subcommittee on Oversight, Committee on \n  Science, Space, and Technology, U.S. House of Representatives\n\n \n                        BOLSTERING DATA PRIVACY\n                          AND MOBILE SECURITY:\n                 AN ASSESSMENT OF IMSI CATCHER THREATS\n\n                              ----------                              \n\n\n                        WEDNESDAY, JUNE 27, 2018\n\n                  House of Representatives,\n                          Subcommittee on Oversight\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Subcommittee met, pursuant to call, at 2:17 p.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. Ralph \nAbraham [Chairman of the Subcommittee] presiding.\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n    Chairman Abraham. The Subcommittee on Oversight will come \nto order. Without objection, the Chair is authorized to declare \nrecesses of the Subcommittee at any time.\n    Good afternoon and welcome to today\'s hearing entitled \n``Bolstering Data Privacy and Mobile Security: An Assessment of \nIMSI Catcher Threats.\'\'\n    I recognize myself for five minutes for an opening \nstatement.\n    Good afternoon again. 
Welcome to today\'s Oversight \nSubcommittee hearing ``Bolstering Data Privacy and Mobile \nSecurity: An Assessment of IMSI Catcher Threats.\'\' The purpose \nof today\'s hearing is to examine the threats that IMSI catchers \nand other similar technologies pose to mobile security and user \nprivacy.\n    IMSI catchers and rogue base stations, commonly known by \ntheir brand name ``Stingray,\'\' are devices used for \nintercepting cellular traffic and data. Today we will hear from \ngovernment and academic experts about the basics of the \ntechnology, the ways in which it can be used by both legitimate \nand illegitimate actors, and potential methods to mitigate the \nrisks these devices pose.\n    Regrettably, although they were invited, the Department of \nHomeland Security, DHS, declined to provide a witness today and \ninstead provided a briefing to Members and staff last week. \nWhile this was helpful in giving some context to the matter, it \nwas no substitute for a public discussion on such a serious \nissue. It would have been substantially more helpful for DHS to \nhave been present today, to be part of the dialogue, inform the \nAmerican public, and answer questions about their work in this \narea. With that said, I would like to thank our witnesses for \nparticipating today and taking time out of their schedules to \ntestify on this very important matter.\n    Historically, the use of IMSI catcher technology has been \nlimited to law enforcement, Department of Defense, and \nintelligence services. This was due in large part to the high \ncost of acquiring the equipment. However, as sophisticated \ntechnologies have become more commonplace and advances in \nmanufacturing have made the production of highly technical \nproducts easier and cheaper, IMSI catcher technology and \nnefarious actors looking to exploit it have been proliferated.\n    While awareness is important, it is simply not enough to \nacknowledge an issue that needs to be addressed. 
Instead, we \nmust also gain an understanding of the technology--the nature \nof the technology, the complexity of the technology, and the \ndisruptive ability like IMSI catchers challenge, and the \nchallenges they present. This is a responsibility the Committee \ntakes seriously, and one which the Committee has a long history \nof meeting through vigorous oversight of emerging forms of \nresearch and technology. I believe today\'s hearing will yet add \nanother important chapter to that history.\n    As with much of technology in the modern age, IMSI catchers \nare a double-edged sword. On one hand, when used for legitimate \nlaw enforcement purposes, these technologies have the potential \nto positively impact society in a substantive and meaningful \nway. The ability to covertly track a suspect or intercept their \ndata has the potential to help law enforcement coordinate safer \narrests and certainly put more criminals behind bars, keeping \nour men and women in uniform, as well as our communities, safe.\n    However, as we have seen with many new technologies and law \nenforcement tools, striking the appropriate balance between \nsafety and privacy is not always easy. Just this past week, the \nSupreme Court ruled in Carpenter v. United States that cell \nphone location records are protected under the Fourth \nAmendment, previously a legal grey area. While this ruling does \nnot purport to apply to real-time data tracking, the type IMSI \ncatcher technology could provide, it raises the question of \nwhat the appropriate balance is between protecting privacy and \nempowering law enforcement to do their job.\n    Similarly, we must consider what defenses we can and should \nemploy to protect our privacy and national security. IMSI \ncatcher technology is ripe for exploitation by foreign nations \nseeking to spy on American government officials and is likely \nalready being used to do so. The cryptographic standards and \nmethods used to protect U.S. 
government officials and important \ngovernment information are something the National Institute of \nStandards and Technology is well positioned to produce, but \nthis too creates a dilemma.\n    As we saw with the San Bernardino terrorist\'s iPhone, \nsophistication--sophisticated encryption meant to protect user \ndata and privacy brings with it a set of different, but no less \nconsequential, issues. In the case of IMSI catcher \ntechnologies, to what degree should the general public be able \nto shield themselves from being caught in a foreign \nintelligence operation? To what degree might techniques meant \nto shield data from prying eyes prevent law enforcement from \ndoing their jobs? How much privacy should we trade for security \nat the civilian and governmental levels? These are fundamental \nquestions that must be asked.\n    While I doubt we will hear an easy answer to these \nquestions during today\'s hearing, we will hear informed \nperspectives from our witnesses on these and other important \nquestions. It is my hope that we will leave here not only with \na better understanding of this technology, but with forward-\nlooking thoughts about possible answers to, and solutions for, \nthese tough questions. Again, I want to thank our witnesses for \nagreeing to be here to highlight this important topic.\n    [The prepared statement of Chairman Abraham follows:]\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Abraham. At this time, I\'d ask unanimous consent \nthat we include in the record the letter--I\'ve got it here--\nthat was sent to the Subcommittee this morning by the \nElectronic Privacy Information Center, or EPIC. Although I\'m \nnot sure I agree with the entirety of their statement, we will \ninclude this letter in the record.\n    [The information appears in Appendix I]\n    Chairman Abraham. I now recognize Ranking Member of the \nFull Committee, Ms. Johnson, for an opening statement.\n    Ms. Johnson. 
Thank you very much, Chairman Abraham.\n    Cell-site simulators, also known as Stingrays, or IMSI \ncatchers, is a technology that can be used to locate cellular \ndevices and possibly intercept voice calls, text messages, and \ndata communications from the cellular device. It is a valuable \ntool for our law enforcement and intelligence communities.\n    It is also, undoubtedly, a technology used by foreign \nintelligence services operating here in the United States. \nIndeed, the genesis of today\'s hearing were recent press \nreports that a Department of Homeland Security pilot program \nfound rogue cell sites throughout Washington, D.C., including \nnear the White House, FBI headquarters, and the Pentagon.\n    It is clear that foreign intelligence agencies are seeking \nto use cell-site simulators to collect intelligence on federal \nofficials. What are we as a government doing to counter this \nparticular threat? Unfortunately, neither the Department of \nHomeland Security nor the Federal Bureau of Investigation is \nhere today to help provide some answers to these questions.\n    It is also unfortunate that President Trump appears to be \ntaking no safeguards to protect himself from these cyber \nthreats, and the Science Committee has taken no steps to use \nour oversight authority to investigate the White House\'s lack \nof cybersecurity precautions that we expect all other federal \nagencies to follow. I reiterate that Mr. 
Beyer\'s call and his \nstatement and request that we hold a hearing on this subject in \nthe near future.\n    I am glad though to have our witness panel here today, who \ncan provide us with advice on what Congress should be doing to \nprotect federal officials and federal agencies from cell-site \nsimulators that exploit our cybersecurity vulnerabilities, \nparticularly those that impact our national security interests.\n    Cell-site simulator technology also has implications for \nthe privacy of Americans, as a law enforcement operation \nutilizing a cell-site simulator could be gathering data from \nthousands of nearby innocent citizens. In Baltimore, for \ninstance, police used this technology without obtaining a \nwarrant thousands of times in violation of the Fourth Amendment \nof the U.S. Constitution regarding an unreasonable search. Last \nweek, the U.S. Supreme Court weighed in on this issue requiring \npolice to obtain a warrant to gather cell phone location data. \nHowever, their decision did not specifically apply to cell-site \nsimulators. So, it is unclear how these key privacy issues will \nbe addressed by law enforcement agencies in the future.\n    I am glad Dr. Jonathan Mayer from Princeton University--a \nlawyer and a computer scientist--is here today. He is uniquely \nqualified to speak on these important privacy issues, as well \nas the wider implications of this technology and the dangers it \nposes to our national security and our privacy. I look forward \nto hearing from him and other witnesses about how we can \nprotect our national security and the privacy of our citizenry \nfrom attack by these rogue cell sites and other cyber threats \nthat can target our mobile devices.\n    Thank you, Chairman Abraham, and thanks all of our \nwitnesses for being here.\n    [The prepared statement of Ms. Johnson follows:]\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n    Chairman Abraham. Thank you, Ms. 
Johnson.\n    I now recognize the Ranking Member of the Oversight \nSubcommittee, the gentleman from Virginia, Mr. Beyer, for an \nopening statement.\n    Mr. Beyer. Thank you, Chairman Abraham, very much, and \nthank you for your initiative to create this hearing.\n    Cell-site simulators, or IMSI catchers, pose risks to both \nour national security and our personal privacy. These devices \nare about the size of a laptop computer and can be placed in a \nvan, hotel room, drone aircraft, or operated by someone sitting \non a park bench. These rogue cell stations masquerade as \nlegitimate cell towers and gather the data of cell phones in \ntheir proximity. They are powerful tools employed by both \nfriendly and hostile intelligence agencies, criminals and \nothers. They also play an important role in the operations of \nU.S. law enforcement and the U.S. intelligence community. \nHowever, U.S. law enforcement agencies have not always obtained \nappropriate authorization from the courts before they have \nemployed these tools against suspected criminals, and this has \nled to improper incursions into the private lives of hundreds \nof American citizens.\n    Last week, the Supreme Court ruled that the government must \nnow obtain a warrant when collecting cell phone data in certain \ncases. The court found, and I quote, ``A cell phone faithfully \nfollows its owner beyond public thoroughfares and into private \nresidences, doctor\'s offices, political headquarters, and other \npotentially revealing locales. 
Accordingly, when the government \ntracks the location of a cell phone it achieves near perfect \nsurveillance, as if it had attached an ankle monitor to the \nphone\'s user.\'\' However, the court added that it was a narrow \nruling, specifically stating, ``We do not express a view on \nmatters not before us: real-time CSLI, Cell-Site Location \nInformation, or tower dumps.\'\' Unfortunately, it seems the \nconstitutionality of cell-site simulator use by law enforcement \nagencies without a warrant remains unsettled.\n    Rogue cell-site simulators have not only affected our \nprivacy, but they have endangered our national security. Last \nyear, a Department of Homeland Security pilot project \nidentified several rogue cell-site simulators near the White \nHouse and Pentagon, raising the specter of foreign intelligence \nagencies using IMSI catchers to target senior U.S. government \nofficials right here in our Nation\'s Capital.\n    Ironically, at the same time we are holding an oversight \nhearing on the threat to mobile security of these sorts of \nrogue cell sites, President Trump continues to ignore basic \ncybersecurity practices. This has created a threat not only to \nhis own personal privacy but also to our national security. A \nheadline from a CNN story in April read, ``Trump ramps up \npersonal cell phone use.\'\' In May, POLITICO summed up the \nPresident\'s attitude towards the cybersecurity issues we\'re \ndiscussing today. The headline read ``Too Inconvenient--Trump \nGoes Rogue on Phone Security.\'\' And making matters worse, \nPresident Trump recently said that he provided his direct phone \nnumber to North Korean dictator Kim Jong-un. Doing this has \nopened up an additional threat known as a Signaling System \nSeven, or SS7, attack that may permit access to President \nTrump\'s personal cell phone remotely by North Korean \nintelligence operatives. 
Earlier this month, WIRED magazine \npublished a story with the headline ``Trump Says He Gave Kim \nJong-un His Direct Number. Never Do That.\'\'\n    I am attaching all three articles to my statement.\n    Ongoing use of a reportedly unsecure cell phone by the \nPresident of the United States raises serious cybersecurity \nissues that this Committee should be examining. The Majority\'s \nOversight Plan said the Science Committee would investigate \ncybersecurity incidents and compliance with ``federal \ninformation security standards and guidelines\'\' ``regardless of \nwhere they may be found.\'\' Let me repeat, quote, ``regardless \nof where they may be found.\'\' I wrote to Chairman Smith with \nRanking Member Johnson and Mr. Lipinski in February of this \nyear pointing out numerous cybersecurity practices of serious \nconcern at the White House that warranted investigation. \nUnfortunately, we have not yet seen efforts by this Committee \nto uphold its oversight responsibilities to the American public \nand investigate these issues.\n    My good friend Chairman Abraham, I am asking you again, \nlet\'s look at holding this hearing and investigating the \npotential threat by holding--by rogue cell-site simulators, but \nwhile we do this, we can\'t ignore the specific threats within \nblocks of the White House and President Trump\'s own failure to \nabide by cybersecurity best practices.\n    You know, in January 2018, the White House Chief of Staff \nKelly banned the use of personal cell phones in the West Wing \nby White House employees. Yet, multiple media stories have \ncontinued to report that the President refuses to give up his \npersonal cell phone or take proper cybersecurity measures to \nhelp identify and diminish cybersecurity threats. The President \nshould not be held to a different standard than the rest of the \nfederal government and our Committee should help the Executive \nBranch protect Mr. 
Trump from foreign adversaries, even if the \nPresident won\'t.\n    So I look forward to hearing from all of our witnesses \ntoday who help us explore ways to enhance our cybersecurity. It \nis unfortunate we don\'t have anyone from DHS or the \ntelecommunications, but I hope we will be able to hear from \nthem in the future. Successfully addressing these issues is \ngoing to take a collective effort and a continued commitment \nfrom a wide range of stakeholders.\n    Thank you, Chairman Abraham, and I yield back.\n    [The prepared statement of Mr. Beyer follows:]\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n    Chairman Abraham. And now I will introduce our witnesses.\n    Our first witness is Dr. Charles H. Romine, director of the \nInformation Technology Laboratory at NIST. Dr. Romine joined \nNIST in 2009 as an associate director for the program \nimplementation. In November 2011, Dr. Romine became the \ndirector of Information Technology Laboratory at NIST. Dr. \nRomine received both his bachelor of arts degree in mathematics \nand his Ph.D. in applied mathematics from the University of \nVirginia. Welcome.\n    Dr. T. Charles Clancy, our next witness, he is the director \nof Virginia Tech\'s Hume Center for National Security and \nTechnology. Dr. Clancy has worked with Virginia Tech since 2010 \nas a professor. Prior to that he worked at the National \nSecurity Agency from 2000 to 2010. He holds a bachelor\'s degree \nin computer engineering from Rose-Hulman Institute of \nTechnology, and a master\'s degree in electrical engineering \nfrom the University of Illinois, Urbana-Champaign. Dr. Clancy \nalso received a doctorate from the University of Maryland, \nCollege Park, in computer science.\n    Dr. Jonathan Mayer, our last witness, assistant professor \nat Princeton University\'s Department of Computer Science, and \nthe Woodrow Wilson School of Public and International Affairs. \nDr. 
Mayer previously worked for Senator Kamala Harris as a \ntechnology advisor in 2017. Prior to that he worked for the \nFederal Communications Commission Enforcement Bureau as a chief \ntechnologist from 2015 to 2017. He holds a bachelor\'s degree in \npublic and international affairs from Princeton University. Dr. \nMayer also received his juris doctorate and Ph.D. from Stanford \nUniversity.\n    I now recognize Dr. Romine for five minutes to present his \ntestimony.\n\n         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,\n\n               INFORMATION TECHNOLOGY LABORATORY,\n\n         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY\n\n    Dr. Romine. Chairman Abraham, Ranking Member Beyer, Ranking \nMember Johnson, and Members of the Subcommittee, I am Charles \nRomine, director of the Information Technology Laboratory at \nthe National Institute of Standards and Technology, known as \nNIST. Thank you for the opportunity to appear before you today \nto discuss our role in mobile device security.\n    In the cybersecurity realm, NIST has worked with federal \nagencies, industry, and academia since 1972, and NIST\'s role \nhas been expanded to research, develop, and deploy information \nsecurity standards and technology to protect the federal \ngovernment\'s information systems against threats, as well as to \nfacilitate and support the development of voluntary industry-\nled cybersecurity standards and best practices for critical \ninfrastructure.\n    Today, I\'d like to talk about our work related to rogue \nbase stations and the NIST Special Publication 800-187, Guide \nto LTE Security, released in December 2017.\n    Rogue base stations are unlicensed, cellular devices that \nare not owned or operated by a duly-licensed mobile network \noperator. They\'re known by many names, such as cell-site \nsimulators, Stingrays, or International Mobile Subscriber \nIdentity, or IMSI, catchers. 
Rogue base stations act as a cell \ntower and broadcast a signal pretending to be a legitimate \nmobile network that may trick an individual\'s device into \nconnecting to it. The necessary hardware to build a rogue base \nstation is inexpensive, easily obtained, and the software \nrequired is freely available.\n    Rogue base stations exploit the fact that mobile devices \nwill connect to whichever base station is broadcasting as a \ndevice\'s preferred carrier network and is transmitting at the \nhighest power level. Therefore, when a rogue base station is \nphysically near a mobile device that is transmitting at higher \npower levels than the legitimate antenna, the device may \nattempt to connect to that malicious network.\n    The threats from rogue base stations can come from their \nperforming a passive attack, known as IMSI catching. This \nattack collects mobile device identities without the user\'s \nknowledge. It poses a significant threat to user privacy and \nsecurity and safety because a malicious actor can determine if \na subscriber is in a given location at a given time. \nUnfortunately, IMSI catching is no longer an advanced or \ncomplex attack only accessible to a small number of \nindividuals.\n    A more advanced attack that can be executed using a rogue \nbase station is a type of man in the middle attack in which a \nmalicious actor can force a user to downgrade to an older and \nless secure mobile network technology, such as 2G or 3G, that \nexposes that user to less robust security protections that \nexist in older versions of mobile networks, tricking the device \ninto connecting to the rogue base station.\n    A complex denial of service attack can occur when a mobile \ndevice first connects to a network when certain messages can be \nsent to a device by a rogue base station, essentially fooling \nthe device into the equivalent of airplane mode. 
This can \ncause a denial of service that may persist until a hard reboot \nis done.\n    Since 2012, NIST has been working in cybersecurity aspect \nof telecommunications, focusing on 4G LTE networks used by \npublic safety. This work enabled NIST to develop the guide to \nLTE security, which serves as a guide to the fundamentals of \nhow LTE networks operate. It explores the LTE security \narchitecture, and it provides an analysis of the threats posed \nto LTE networks and supporting mitigations. The guide is \nintended to educate federal agencies and other organizations \nthat rely on 4G LTE networks as part of their operational \nenvironment.\n    NIST has been an active participant in the working group of \nthe Standards Development Organization responsible for security \nand privacy of 3G and 4G LTE, and recently, 5G. Active \nparticipation with the mobile network ecosystem developing \nsecurity standards for future networks is an important way NIST \nworks to address security vulnerabilities in mobile networks \ntoday.\n    Security standards for 5G are, in fact, seeking to address \nissues surrounding rogue base stations through the introduction \nof optional privacy functionality. Once this functionality \nstandard is developed for future networks, its implementation \nby mobile network operators will have the potential to \neliminate the threat of today\'s passive sniffing IMSI catchers. \nIn addition, the use of the optional security settings and next \ngeneration 5G technologies will go a long way to mitigate the \nusage of rogue base station technology.\n    Much work still needs to be done to ensure secure \ndeployments. 
NIST will continue its research and development in \nthe security of telecommunications, the publication of \nguidelines and best practices, and our work with international \nstandards bodies and technical committees.\n    Thank you for the opportunity to testify on NIST\'s work \nregarding telecommunications security, and I will be pleased to \nanswer any questions you may have.\n    [The prepared statement of Dr. Romine follows:]\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Abraham. Thank you, Romine--Dr. Romine.\n    All right, I now recognize Dr. Clancy for five minutes to \npresent his testimony.\n\n              TESTIMONY OF DR. T. CHARLES CLANCY,\n\n  DIRECTOR, HUME CENTER FOR NATIONAL SECURITY AND TECHNOLOGY,\n\n                         VIRGINIA TECH\n\n    Dr. Clancy. Chairman Abraham, Ranking Members Beyer and \nJohnson, Subcommittee Members, my name is Charles Clancy and I \nam a professor of electrical and computer engineering at \nVirginia Tech where I direct the Hume Center for National \nSecurity and Technology. My current research sits at the \nintersection of 5G wireless, the internet of things, \ncybersecurity, and artificial intelligence. Prior to joining \nVirginia Tech, I led a portfolio of wireless research and \ndevelopment programs at the National Security Agency.\n    It is my distinct pleasure to address this Committee on \ntopics of critical national importance.\n    Security of wireless infrastructure is critical. These \ndevices, wireless base stations, and core network \ninfrastructure are a key part of our critical infrastructure \necosystem. 
While each generation of cellular technology \nimproves security and privacy, the backward compatibility \nchallenge means that even if we deploy highly secure 5G \nnetworks, most phones can still connect to insecure 2G \nnetworks, even though many of the national carriers in the \nUnited States have already decommissioned their 2G \ninfrastructure.\n    This mixture of old and new technologies means that \ninsecurity will always be part of the cellular ecosystem. \nCombatting threats to wireless network infrastructure requires \na risk management approach that constantly evaluates potential \nvulnerabilities, observes threats, engineers countermeasures, \nand communicates best practices.\n    Specifically with respect to IMSI catchers, as we\'ve heard, \nIMSI catchers, also known as Stingrays, have come to symbolize \na wide range of different cellular surveillance technologies. \nRogue base stations, a particular class of surveillance \ntechnology, also known as a cell-site simulator, are devices \nthat act like cell towers. 2G technology is particularly \nsusceptible to these threats because authentication in 2G is \nweak and the encryption has been cracked. 2G rogue base \nstations are able to lure a phone into connecting, eliciting \nthat phone\'s identity, also known as IMSI, prevent it from \ndisconnecting, query the phone\'s precise GPS location, and in \ncertain cases, intercept voice, data, and SMS content. 3G and \n4G rogue base stations are less capable because the underlying \nstandards are more secure; however, they are still able to \nelicit a phone\'s identity.\n    Earlier this year, 5G adopted a proposal known as IMSI \nencryption, which prevents 5G rogue base stations from \nsuccessfully eliciting a phone\'s identity, which was seen \ngenerally as a very positive step forward.\n    Rogue base stations can be used for a variety of \napplications, but are most commonly associated with IMSI \ncatching. 
They interact with a phone for a few milliseconds to \nlearn the phone\'s identity, and then pass that phone back to \nthe real network.\n    Another class of device is a more generic cell phone \ninterception system. These devices are purely passive. They \ndon\'t transmit anything. They don\'t pretend to be a cell tower. \nHowever, particularly for 2G standards, which have been \ncracked, they are able to intercept in bulk voice, SMS, and \ndata traffic that is traversing those networks. For 3G and 4G \nnetworks that are protected by stronger encryption, there are \nmuch fewer capabilities that are possible.\n    However, these technologies can be used together, for \nexample, in conjunction with a jammer. Imagine jamming the 3G \nand 4G signal spectrum, which causes a phone to downgrade to \n2G, and then is vulnerable to the widest range of potential \nattacks. So these downgrade attacks undermine the improved \nsecurity features that we see in the newer cellular standards.\n    So with respect to closing the gap, 2G, in my opinion, \nrepresents one of the weakest links. The weak encryption and \nauthentication is a major security challenge with modern cell \nphones. And interestingly, carriers have already decommissioned \nmuch of the 2G infrastructure here in the United States. So if \ncarriers were able to push policies to phones that would \nprevent phones from connecting to vulnerable 2G networks, this \nwould go a long way into addressing this issue. Currently \niPhones lack the ability to do this, and with Android phones, \nyou have to know a secret number to type in that results in a \nsecret diagnostic menu that allows you to change this setting. \nNot exactly user-friendly, and I think with improved user \ninterfaces and making this the default, we would make users \nmuch more secure.\n    As we think about downgrade--sort of the decommissioning of \n2G, we have to be careful though. 
Many rural networks still \nrely on 2G, and there are many devices from vehicle telematics \nto home alarm systems that rely on 2G networks to provide \nconnectivity.\n    Lastly would be is if we do want to try and identify the \ntech and track rogue base stations, it\'s important to \nunderstand the motivation for doing so. There certainly are \ntelltale signs that a base station is a rogue base station, and \nphones are able to differentiate that with a variety of \nhardware and software modifications. Also there are standards \nwithin the cell phone networks that would allow cell phone \ncarriers to be able to track rogue base station activity. In \nfact, the new 5G security standards makes a specific \nrecommendation about how this data can be used.\n    However, when we consider this, we must consider to what \nend we seek to track down these base stations, to notify the \nuser, to notify the carrier, and if so, how that data should be \nused.\n    So looking forward, I recommend the Subcommittee consider \nthe following: first, as 2G network infrastructure is \ndecommissioned, phones should not prefer 2G in any \ncircumstances; next, individuals who are likely targets of \nforeign intelligence should use phones that meet the needed \nsecurity countermeasures; and finally, if you do seek to track \ndown IMSI catchers, first address to what end and how that data \nwill be used.\n    Thank you for the opportunity to address the Subcommittee \ntoday, and I look forward to your questions.\n    [The prepared statement of Dr. Clancy follows:]\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Abraham. Thank you, Dr. Clancy.\n    Dr. Mayer, five minutes.\n\n      TESTIMONY OF DR. JONATHAN MAYER, ASSISTANT PROFESSOR\n\n            OF COMPUTER SCIENCE AND PUBLIC AFFAIRS,\n\n                      PRINCETON UNIVERSITY\n\n    Dr. Mayer. 
Chairman Abraham, Ranking Member Beyer, Ranking \nMember Johnson, and Members of the Subcommittee, thank you for \nthe opportunity to address cell-site simulators and the broader \ntopic of communication security and privacy at today\'s hearing.\n    These issues were central to my recent service as chief \ntechnologist of the Federal Communications Commission \nEnforcement Bureau. They have been an essential component of my \ncomputer science and legal research.\n    In last week\'s groundbreaking Carpenter v. United States \ndecision, the Supreme Court recognized that ``Cell phones and \nthe services they provide are such a pervasive and insistent \npart of daily life that carrying on is indispensable to \nparticipation in modern society.\'\' The private sector, the \npublic sector, and the American people all depend on our \ncommunications infrastructure. The security and privacy \nsafeguards for that infrastructure have not kept pace with its \ngrowing importance to the Nation. Our communications networks \nhave significant cybersecurity vulnerabilities that could be \nexploited by criminals and foreign adversaries. And when law \nenforcement agencies seek to conduct investigations using \nwireless technology, the applicable federal law is imprecise, \noutdated, likely unconstitutional, and leaves police \ndepartments in legal limbo.\n    In this brief opening statement, I will focus on security \nand privacy risks associated with cell-site simulators. My \nwritten testimony highlights several other areas of \ncybersecurity vulnerability, including insecure call and text \nmessage routing, delayed mobile device software updates, and \nunauthenticated caller ID, the last of which is responsible for \nthe nationwide explosion of fraudulent robocalls.\n    Cell-site simulators, commonly dubbed IMSI catchers, \nStingrays, or dirt boxes, are devices that exploit omissions \nand mistakes in the trust between mobile devices and cellular \ntowers. 
A cell-site simulator mimics a legitimate cellular \ntower and tricks nearby mobile devices into connecting to it. \nThe cell-site simulator then takes advantage of the connection \nto extract information from those devices. The most serious \ncell-site simulator risks are associated with second \ngeneration, or 2G, wireless protocols which were initially \ndeployed in the 1990s and remain operational today to support \nlegacy devices and offer service in rural areas. The 2G \nwireless protocols do not include authentication for cellular \ntowers. As a result, 2G cell-site simulators can fully mimic a \ncellular tower, and these cell-site simulators can identify and \ntrack nearby mobile devices, can intercept or block voice, \ntext, and data communications involving those devices.\n    While more recent 3G and 4G wireless protocols include \nauthentication for cellular towers, they still have significant \ncell-site simulator vulnerabilities. And while the latest 5G \nprotocols do include a new protection against cell-site \nsimulators, that protection is only optional and only effective \nagainst some of the known attacks against 3G and 4G networks.\n    The possible criminal uses of cell-site simulators are \nlimited only by our collective imagination. Criminals could \ncapture private financial information, for example, and steal \nfunds. They could collect sensitive medical information and \nconduct blackmail. Or they could obtain confidential business \ninformation for commercial gain.\n    Cell-site simulators also pose a serious national security \nthreat. The federal government is the Nation\'s largest consumer \nof commercial wireless services, and is susceptible to the same \ncybersecurity risks in our communications infrastructure. 
A \nforeign intelligence service could easily use cell-site \nsimulators to collect highly confidential information about \ngovernment operations, deliberations, and personnel movements.\n    In responding to the threat of cell-site simulators, as \nwell as the other serious cybersecurity risks associated with \ninsecure call and text message routing, delayed mobile device \nsoftware updates, and unauthenticated caller ID, I encourage \nthe members of this Subcommittee to consider leveraging the \nfederal government\'s communications acquisitions. According to \nOMB, the United States Government spends about $1 billion every \nyear on wireless service and mobile devices, and yet, as DHS \nacknowledged in a recent report, the federal government has \nlittle assurance that it is paying for wireless service and \nmobile devices that incorporate cybersecurity best practices. \nCongress should condition its substantial communications \noutlays on implementation of appropriate cybersecurity \nsafeguards.\n    Before I close, I would like to briefly address law \nenforcement use of cell-site simulators. Federal, state, and \nlocal law enforcement agencies use cell-site simulators in the \ncourse of criminal investigations, either to track the location \nof a suspect\'s mobile device, or to identify all the mobile \ndevices nearby. At present, the federal government owns over \n400 cell-site simulators and at least 73 State and local law \nenforcement agencies also own cell-site simulators. Under \ncurrent law it is a violation of Section 301 of the Communications \nAct for a State or local law enforcement agency to operate a \ncell-site simulator, because they\'re transmitting unlicensed \nwireless spectrum without authorization. 
Police departments may \nalso run afoul of Section 333, which prohibits wireless jamming \nbecause law enforcement cell-site simulators could disrupt 911 \ncalls and other wireless connectivity.\n    I believe that cell-site simulators are legitimate \ninvestigative tools and that they should be available to law \nenforcement agencies when subject to appropriate procedural \nsafeguards. But until Congress takes action, the Nation\'s \npolice departments will remain in legal limbo. I encourage the \nMembers of the Subcommittee to consider legislation that both \nresolves the Communications Act issues with cell-site \nsimulators, and codifies a warrant requirement for cell-site \nsimulator operation.\n    Thank you again for the opportunity to address \ncommunications security and privacy at today\'s hearing, and I \nlook forward to questions from the Subcommittee.\n    [The prepared statement of Dr. Mayer follows:]\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n    Chairman Abraham. Thank you, Dr. Mayer. I thank all the \nwitnesses for that very compelling testimony.\n    I\'m going to recognize myself for five minutes for the \nopening round of questions. Dr. Clancy, I\'ll direct my first \none to you.\n    You previously detailed that you see two possible scenarios \nmoving forward with this overall issue. One is a status quo \nwith the possibility of increased training and acknowledgment \nof these targeted attacks. The second is a substantive dive and \nto address the issue, which includes a comprehensive assessment \nof how we treat cell phone towers, permissioned access, and \npolicy changes through updates to phones. Can you provide a \nlittle more detail about the difference in the two options, and \nwhich would you prefer?\n    Dr. Clancy. So I think there are a number of solutions that \nare possible within this space. There are technical solutions, \nthere are policy solutions, there are legal solutions. 
I think \nthat there are--the key thing, though, is to ensure that any \naction that\'s taken to, I guess, close the gaps that IMSI \ncatchers leverage takes into consideration a path forward for \nlaw enforcement around being able to conduct their operations.\n    So I could imagine scenarios where we essentially look to \nprevent phones from connecting to IMSI catchers, scenarios \nwhere we shut down 2G preference for phones in order to prevent \nthem from being as susceptible to IMSI catchers. But I think \nany action that we take should be complemented with efforts to \nensure that law enforcement still are able to get timely access \nto location information in order to support their \ninvestigations.\n    Chairman Abraham. Who should lead the effort to have a \ncomprehensive solution to these issues? What set of agencies or \npeople?\n    Dr. Clancy. Indeed. So certainly any time we talk about \ntelecommunications and cellular it\'s tricky because there are \nso many stakeholders. DHS is the sector-specific agency \nassociated with telecommunications, so they would seem like a \nlogical choice to take the lead. But certainly the FBI, the \nFCC, and others are key stakeholders in this process.\n    Chairman Abraham. Okay, thank you.\n    Dr. Mayer, how does the recent Supreme Court decision on \nCarpenter v. United States addressing citizens\' Fourth \nAmendment rights change the acceptable use of this technology?\n    Dr. Mayer. Thank you for the question. Carpenter, by its \nown terms, does not regulate real time location tracking by law \nenforcement. The majority was clear on that point. 
It does, \nhowever, express a growing concern by the Supreme Court with \nthe scope of law enforcement capability using modern \ntechnology, and to the extent it affects courts\' views on cell-\nsite simulators, it will only serve to heighten the level of \nprotection.\n    That said, I want to be very clear to note that to my \nknowledge, every recent court decision that has addressed the \nquestion of whether cell-site simulators are regulated by the \nFourth Amendment has concluded they are regulated by the Fourth \nAmendment and a warrant is required for their operation.\n    Chairman Abraham. Do you think it will have an impact on \nthis--from this Carpenter decision on lawful and legitimate use \nof the rogue base stations or the IMSI catchers to thwart \ncriminal activity?\n    Dr. Mayer. So at the federal level I don\'t believe there \nwill be an effect because by policy, the Department of Justice \nand the Department of Homeland Security already obtain warrants \nto operate these devices. At the State and local level, my \nunderstanding is that some police departments do currently \noperate these devices without obtaining a search warrant, and \nthey may continue to do those things notwithstanding the \nCarpenter decision. This issue has not been fully litigated in \nevery jurisdiction.\n    Chairman Abraham. Dr. Romine, NIST has published the Mobile \nThreat Catalog which provides incredibly useful information \nabout the overall issue of mobile device security. How is NIST \ngetting this information out and in front of vendors and people \nthat need to see it?\n    Dr. Romine. Thank you, Mr. Chairman.\n    We have a collection of stakeholders that are in contact \nwith us on a regular basis. We have thousands of people who \nsubscribe to our newsletters. In general, those are \nstakeholders that are monitoring the work that we do. 
We are \nworking through the Standards Development Organizations, the \n3GPP, for example, which has a lot of the work that we\'re doing \nand involves trying to help improve the security of \ntelecommunications activities and their channels associated \nwith getting the information out through those mechanisms as \nwell. We also manage an active website with many, many--tens of \nthousands of hits on a regular basis for people who are looking \nat what we\'re doing in cybersecurity broadly and for specific \ntopic areas as well.\n    Chairman Abraham. Is NIST working with other government \nagencies to promote this, such as a cybersecurity framework?\n    Dr. Romine. Well, it is not directly related to the \ncybersecurity framework, but we are working with other federal \nagencies. We encourage a large number of agencies to work, for \nexample, in the standards development bodies so that all of the \nrequirements and associated concerns can be expressed in those \nbodies.\n    Chairman Abraham. Okay, thank you.\n    Mr. Beyer.\n    Mr. Beyer. Thank you, Mr. Chairman, and it\'s nice to have a \nChairman from Texas that loads the panel up with Virginians.\n    So Dr. Romine, your PAC from UVA is very much appreciated. \nDr. Clancy teaching with the Hokies at Virginia Tech. Dr. \nMayer, I\'m sorry about the Stanford Princeton background, you \nknow, but you can--they can slum it today.\n    Dr. Mayer. I enjoy visiting the state.\n    Mr. Beyer. That\'s good. Dr. Mayer, you know, according to \npress reports the President frequently uses his unsecured cell \nphone and routinely refuses to change that to an official \nsecured phone. That was one of the recommendations that people \nin very sensitive roles have these highly secure phones. We \ntalked about the cell phone number to Kim Jong-un.\n    Can you describe why these practices may put the \nPresident\'s phone at risk from being hacked or penetrated by \nforeign intelligence agencies?\n    Dr. Mayer. 
Any senior official in any of the branches of \ngovernment--and for that matter, any senior executive in the \nprivate sector--should take heightened precautions with respect \nto their telecommunications equipment. There are possible \nattacks involving interception of voice and text messages. In \nmy written testimony, I describe how those might proceed. There \nare also the cell-site simulator risks that we\'ve discussed. \nAnd in addition, there\'s an issue of security updates not \nnecessarily getting delivered in a timely fashion to consumer \ndevices, such that they could be remotely compromised.\n    So there are a number of cybersecurity risks that are very \nsignificant in this ecosystem that could result in essentially \ntotal compromise of communications, and again, anyone in a \nsensitive position should take heightened precautions.\n    Mr. Beyer. Great, thank you very much.\n    Dr. Romine, in Dr. Mayer\'s presentation he talks about \nfemtocells, consumer hardware sold by wireless providers that \nextend coverage indoors and into rural areas. Are these the \nthings I bought from Google that allow my wife to use her \nwireless thing upstairs?\n    Dr. Romine. I think that\'s probably a good example of \nexactly what was described.\n    Mr. Beyer. So one of the things that we consumers may have \nbeen totally unaware of is by buying essentially the wireless \nextenders within our home, that we have set up these rogue IMSI \ndevices?\n    Dr. Romine. I\'d have to double check the particulars, but I \ndon\'t think that\'s quite the same kind of thing that we\'re \ntalking about. In the case of these devices, these are lawfully \nprovisioned to provide extended coverage and are not considered \ncamping illegally on spectrum that hasn\'t been authorized.\n    Mr. Beyer. I wasn\'t so worried about us breaking the law as \nwe were setting up bad guys to get our----\n    Dr. Romine. Oh, I see what you\'re saying. 
I don\'t know the \nparticulars of the femtocells and whether they have similar \nkinds of cybersecurity built into them. I think it would depend \non the manufacturer and on the way that they\'re provisioned. \nI\'ll have to get back to you on whether I think there\'s \nadditional vulnerability associated with having femtocells in \nyour home.\n    Mr. Beyer. Great. Dr. Clancy, I loved your recommendations \nat the end. You talked about the default setting that the major \nphone carriers need to set default stuff within the Androids \nand the iPhones that would basically disable the 2G thing \nunless they\'re specifically roaming. How do we make that \nhappen? Is there a role for Congress there?\n    Dr. Clancy. That\'s a good question. It\'s a fairly simple \nchange to the software of the devices. It could even be done as \na policy push from the carrier networks.\n    Right now, users have the ability to shut off 3G and 4G \nparticularly on iPhones, but they do not have the ability to \nshut off 2G, which is sort of backwards in my opinion. So with \nsome minor policy shift pushes from the carriers that have \nalready decommissioned 2G, these devices would default to only \nusing 3G and 4G.\n    Mr. Beyer. Is this something that they could tell all of us \nwith our iPhones and Androids to do, or do you have to do that \nin the units they sell going forward?\n    Dr. Clancy. Well it would need to be an update that they \npush from the networks to the phones. It wouldn\'t necessarily \njust be new devices. There is not a way for a user to do it by \nthemselves within the current infrastructure. 
Even the secret \ncode I talked about that brings up the diagnostic menu where \nyou can change it yourself, it doesn\'t--once you reboot your \nphone, the setting goes away so you have to sort of constantly \ngo in and make sure that 2G is disabled.\n    So there are some very simple things that could be done \nwith the user interface through software updates that would \ncause phones to not connect to 2G unless roaming.\n    Mr. Beyer. Okay, great. Mr. Chairman, I yield back.\n    Chairman Abraham. Thank you.\n    Mr. McNerney?\n    Mr. McNerney. Well I thank the Chair and I thank the \nwitnesses. I apologize for leaving during your testimony, but \nyou did have written testimony that we reviewed beforehand.\n    My question is similar to Mr. Beyer\'s question, the Ranking \nMember\'s question. Dr. Mayer, in your testimony you state that \nthe most serious cell-site simulator risks are associated with \n2G wireless protocols, which were deployed in the 1990s and \nremain operational today to support the legacy devices that are \nout there. Who are the consumers that are most likely to \npossess these legacy devices?\n    Dr. Mayer. Well as Dr. Clancy testified, there are a number \nof devices like home alarm systems, connected devices that were \ndeployed in the 1990s or early 2000s that just don\'t have newer \ncellular technology built into them. Nowadays we call these \nthings the internet of things, but back then it was just your \nalarm system.\n    So those are the types of devices that might be affected, \nand it\'s also important to note that rural connectivity is \nsometimes provided by 2G, because those networks were built out \nand have not been updated since.\n    That said, I think providing the security protection \nassociated with disabling 2G need not come at the expense of \ndisabling those legacy devices or rural connectivity. 
You know, \nfor folks who live in an area that doesn\'t have 2G--or that has \n3G, 4G, or now 5G coverage, disabling 2G wouldn\'t be a problem.\n    Mr. McNerney. But there are a lot of legacy devices out \nthere that they are going to continue to require 2G protocols, \nright?\n    Dr. Mayer. I\'m afraid I don\'t have a handle on the scale of \nthe use of 2G networks at this point, but it is not an area \nwhere we have to make a tradeoff between supporting those \ndevices and securing the latest devices. We can do both.\n    Mr. McNerney. Well you note that while most 3G and 4G \nprotocols include authentication for cell towers, they still \nhave significant site cell tower vulnerabilities. Could you \nexpand on that a little bit?\n    Dr. Mayer. Sure. In my written testimony, I describe three \nclasses of vulnerability in addition to taking advantage of 2G \nnetworks. One class of vulnerability is location tracking. \nThere are certain components of the 3G and 4G cellular \nprotocols that enable location tracking, even though the base \nstation isn\'t properly authenticated. So that\'s one class of \nattack.\n    Another class of attack is taking advantage of femtocells, \nas Ranking Member Beyer noted. These are home devices that \nserve as range extenders. Criminals could compromise these \ndevices and convert them into their own cell-site simulators, \nand in fact, researchers have demonstrated that this can \nactually be a pretty easy thing to do.\n    The third class of attack I describe takes advantage of \neither collaborating with or compromising a foreign cellular \nnetwork, and then effectively tricking devices within the \nUnited States into roaming on that foreign network.\n    So there are multiple other categories of attack in \naddition to the 2G issue.\n    Mr. McNerney. So these range extenders, when they\'re \nattacked, does that give the attacker just access to the person \nthat has the range extender or does it go beyond that?\n    Dr. Mayer. 
Those devices could give access to any person \ntargeted by whoever\'s operating the range extender that\'s been \ncompromised, and that could allow intercepting voice, \nintercepting text messages, and intercepting data.\n    Mr. McNerney. Thank you.\n    Dr. Clancy, when a carrier detects the rogue base station \nis in operation, is it currently required to report that to an \nagency like the FBI?\n    Dr. Clancy. Currently the carriers perhaps are collecting \nenough data to make that determination, but they are not \narchiving it in a way that it can be analyzed to produce that \nconclusion. So there is sort of data that exists ephemerally \nwithin the carrier networks that could be a telltale sign that \nan IMSI catcher is operating in their geographic footprint. \nRight now that data is not being stored. It is not being \nanalyzed, and it is only now in the 5G standards that it is \neven proposed that that is a thing that should be done. So I \nthink that is sort of unexplored at this moment in terms of \nwhat should be done with that data.\n    Mr. McNerney. Is that a business opportunity or a \nregulatory opportunity to control that?\n    Dr. Clancy. So there are other countries where that data is \nhanded over to third parties and used for all manner of \nanalytics. I think those countries have substantially different \nprivacy laws than we do here in the United States, so I think \nit is data, certainly given all the focus on cellular privacy \nwe have seen over the last few weeks, that I wouldn\'t \nnecessarily consider a business opportunity. It would need to \nbe treated carefully.\n    In terms of regulatory, yeah, I mean, I assume you could \nregulate that data needed to be analyzed, and if detection \nwas--if you discovered a rogue base station then you should \ntell someone. I guess the question is who? Do you file an \ninterference complaint with the FCC? Do you file something with \nthe FBI saying that you\'ve detected an IMSI catcher? 
These \nthings, of course, could be being used by--lawfully by federal \nlaw enforcement, or they could be being used unlawfully. And \nthe carrier wouldn\'t know which it was.\n    Mr. McNerney. Mr. Chairman, I\'ll yield back.\n    Chairman Abraham. All right. Well so I\'m thinking of \nditching my cell phone and going to get two cans and a string \nto--you have some questions, Mr.----\n    Mr. Beyer. Well I was going to yield to either of you guys.\n    Chairman Abraham. I\'m going--we\'re going to have a second \nround of questions now, so we\'re good. Okay. Yeah, we\'re--this \nis such an interesting topic, we\'re going to continue here for \nat least another round.\n    Dr. Mayer, is it possible to attribute any legal cell-site \nsimulator to a particular actor, specifically particular cell-\nsite simulators, do they have characteristics associated with \nwhere they were made or the entity using them? For example, if \nthe device was made in China or in Russia, would it have any \nspecific identifiers?\n    Dr. Mayer. That\'s a great question, Chairman Abraham. I\'m \nnot aware of any instance in which a law enforcement or \nregulatory agency has successfully tracked down one of these \ndevices, and so I\'m not aware of anyone who\'s tried to \nattribute one of these devices once they get their hands on it \nor having studied the signals emanating from it and concluding \nthat it was definitively a cell-site simulator.\n    And so I think in principle it could be possible to \nattribute one of these devices. Again, I\'m not aware of an \ninstance in which folks have gotten close enough to do that.\n    Chairman Abraham. Dr. Clancy, do you have anything to add \nto that?\n    Dr. Clancy. So in my experience, there\'s broadly two \nclasses of these devices. There are the expensive ones that are \nmanufactured principally for military and law enforcement use, \nand their signaling parameters would likely have one set of \ncharacteristics associated with it. 
There\'s another that\'s \nbased on inexpensive open source hardware and software that you \nwould likely find being used potentially by foreign \nintelligence. It depends on the sophistication level of the \nadversary.\n    I would imagine that you could, with relative simplicity, \ntell the difference between an open source--one that was built \non open source software versus one that was built for higher \nend military and law enforcement use, and I would imagine that \nthat would also then be differentiable from the legitimate cell \ntower networks.\n    Chairman Abraham. Okay, Dr. Mayer, back to you. In your \ntestimony, you state that to your knowledge, other than the \nrecent DHS pilot project, no component of the U.S. Government \nhas acknowledged a capability to detect cell-site simulators in \nthe field, including wireless carriers.\n    Additionally in a response to Senator Wyden, DHS \nspecifically claimed it did not currently possess the technical \ncapability to detect cell-site simulators. Should DHS have this \ncapability, and if so, how difficult would it be for them to \nactually have it?\n    Dr. Mayer. So there are commercial tools available for law \nenforcement and regulatory agencies to attempt to detect these \ndevices. The inherent challenge with detecting these devices is \nthat there is no definitive telltale sign of a cell-site \nsimulator. There are only indicia that give rise to suspicion, \nthat the tower appears to be configured in an unusual way, and \nit appears to be broadcasting on unusual spectrum or unusual \npower level. But there are many reasons why legitimate cell \ntowers are configured in unusual ways, either intentionally or \nunintentionally. 
They may appear and disappear, such as getting \nset up for a special event, and so again, while there are \ncommercial tools available, I\'m not aware of anyone who\'s used \nany of these tools to definitively identify one of these \ndevices, and that\'s why my recommendation is focusing on \ndefense rather than whack-a-mole with the folks setting these \nthings up.\n    Chairman Abraham. Dr. Clancy, in its mobile device security \nstudy, DHS concluded that it ``believes\'\'--and I will put that \nin quotes--``that all U.S. carriers are vulnerable\'\' to the SS7 \nand the Diameter attacks, in addition to the federal government \nhaving little assurance that it\'s paying for cellular service \nand mobile devices that incorporate cybersecurity best \npractices. Since DHS has responsibility for the protection of \ncritical infrastructure of the government, in your opinion, \nshould DHS continue researching the risks through pilot \nprograms and studies like the 2017 pilot? What DHS S and T be--\nwould be the appropriate division to continue this research?\n    Dr. Clancy. So within DHS S and T, there would be two logical \ngroups. There\'s a public safety group and there\'s a \ncybersecurity group. Perhaps it would be an interesting \ncollaboration between the two that could focus on these topics.\n    I do think that there\'s room for continued research on \ndeveloping and maturing these tools. I do also agree that the \nsort of whack-a-mole approach is--would be challenging. 
Anytime \nyou identify what you think is a unique signature for one of \nthese devices, a sophisticated adversary could change that \nsignature in order to avoid detection.\n    So I\'ll also note that there are apps that are available \nthat purport to identify a rogue base station, and there was a \nsystematic study done last August--it was published last August \nwhich showed that they were able to fool all of those apps into \nthinking that their rogue base station was indeed a legitimate \none. So again, supporting this notion that whack-a-mole would \nbe challenging against a sophisticated adversary.\n    Chairman Abraham. Mr. Beyer.\n    Mr. Beyer. Thank you, Mr. Chairman.\n    Dr. Mayer, you wrote that in 2016 the major wireless \ncarriers committed to targeting a rollout for caller ID \nauthentication in the first quarter of 2018, and as of today, \nnot a single major wireless carrier has adopted rigorous caller \nID authentication. Can you tell us why? Is it ridiculously \nexpensive? Have they been otherwise distracted? AT&T, for \nexample.\n    Dr. Mayer. Ranking Member Beyer, before answering that in \njust a moment, if I might add to Dr. Clancy\'s response on the \nlast question that our allies across the pond in the United \nKingdom actually have their government audit communications \ncarriers to make sure that these SS7 and Diameter \nvulnerabilities have been addressed. The notion of DHS jumping \ninto the carriers maybe is not--may be worth further \ndiscussion, but at any rate, our allies have a different \napproach to this than we do.\n    With respect to the robocall issue and call authentication, \nmy understanding is that the carriers are not eager to make new \ninvestments in what they view as a declining area of their \nbusiness. 
The growth in cellular communications has been in \ndata and not in voice, and so investing new money in voice \nsecurity is a bit of a tough proposition when these are systems \nthat are just not going to be revenue generators in the future.\n    Mr. Beyer. Despite the fact that there are billions of \nrobocalls made that harass Americans every year?\n    Dr. Mayer. That\'s right, and I think an extra dimension of \nthis that I will certainly I find personally frustrating is the \nmajor wireless carriers not only have not taken steps to \naddress the issue, but in fact, charge a monthly fee if you \nwould like to use their services to address robocalls.\n    Mr. Beyer. Wow. Thank you very much.\n    Dr. Clancy, you write that criminal organizations could \ntheoretically take advantage of the technology, but they \nhaven\'t. Why not?\n    Dr. Clancy. Well it depends on--in order to take advantage \nof the technology, you need a fairly sophisticated sort of \nintelligence analysis function. If you\'re simply catching \nIMSIs, you have to know to whom those IMSIs belong, and that \nisn\'t readily available if you\'re just doing this \nopportunistically.\n    So law enforcement and foreign intelligence are spending a \nlot more time on the analytic component in order to develop \nthose relationships and know what IMSI they\'re looking for, \nwhereas criminal organizations don\'t often have the analytic \ncapacity to accomplish that, so they\'ve been focused on more \nbrute force technologies like just jamming the cellular signals \nin order to accomplish their acts.\n    Mr. Beyer. Okay.\n    Dr. Clancy. At least that\'s been my observation.\n    Mr. Beyer. Thank you.\n    Dr. Romine, I think it was Dr. Mayer who wrote that other \nthan the DHS pilot, no component of the United States \ngovernment has acknowledged the capability to detect cell-site \nsimulators in the field. 
No wireless carrier has acknowledged \nsuch a capability, and the Department of Justice has not \ninitiated any prosecution for operating a cell-site simulator. \nIs this a hole in our federal capabilities, and where does NIST \nfit into this?\n    Dr. Romine. Thank you for the question. Let me address the \nsecond part of that first, which is that NIST\'s role in this \nspace is to strengthen the security of telecommunications \nnetworks, and we do that principally through our engagement \nwith the standards development process and in the guidelines \nthat we publish, such as the special publication I referenced \nin my testimony, to try to provide useful input for operators \nand others who might like to strengthen their \ntelecommunications activities.\n    The question of the gap, or if there is a gap in this, is \nprobably a little above my pay grade. I don\'t know what the \nright answer to that is. I would say that certainly the \nDepartment of Homeland Security has a role to play as the \nsector-specific agency for the telecommunications sector. \nBeyond that, it\'s not clear to me.\n    Mr. Beyer. Thank you. Dr. Mayer, you wrote that paragraph. \nWhat was your intent in talking about this gap?\n    Dr. Mayer. My view is that while it is worth spending time \non attempting to improve detection of these devices, the far \nbetter or far more effective focus for federal policy would be \non defense. We know how to defend against the worst of these \nattacks, and I think it is a--it would be a very reasonable \nthing for Congress to say when we\'re spending all this taxpayer \nmoney on wireless services and devices, we expect at minimum \ndefenses against the worst of the worst.\n    Mr. Beyer. I agree. Thank you very much.\n    Mr. Chairman, I yield back.\n    Chairman Abraham. Thank you, Mr. Beyer.\n    Mr. McNerney?\n    Mr. McNerney. Again, I thank the Chair for another round of \nquestions.\n    Dr.
Romine, in your testimony you noted that 4G systems \nhave a number of operational capabilities that mobile network \noperators may choose to implement, and that\'s presumably to \nsecure cell phone communications. Has NIST conducted an \nanalysis to determine what has been implemented to date, how \nwidespread that implementation is, and what\'s still needed?\n    Dr. Romine. Thank you, sir. We have not done that analysis. \nWe don\'t do operational activities. We\'re not a provider of \nthese services and we don\'t have any insight into the way the \noperators are currently using these, and whether the optional \nsecurity features or privacy features are being turned on or \nnot.\n    From our perspective, I agree with the other two witnesses \nhere that there\'s some low-hanging fruit here. The easiest part \nof this, or the most important, would perhaps be addressing \nthis idea of dropping back to 2G communications--and I want to \nbe clear here. The vendors or the mobile operators are not \ndoing this because of any lack of understanding of the concern \nof security. They are doing it to provide the best user \nexperience, right? So the vulnerability exists because the \ntelecommunications providers are trying to ensure a seamless \ncommunication.\n    That said, I think it\'s going to take a collaboration among \nusers, vendors, and the industry to ultimately complete the \nphaseout of 2G communications.\n    Mr. McNerney. That\'s what it\'s going to take, phasing out \nthe 2G communications?\n    Dr. Romine. That\'s certainly one major focus that I think \nwould make a difference.\n    Mr. McNerney. Thank you. Dr. Clancy, you said that in the \npast, both industry and the federal government need to \nsignificantly increase cybersecurity funding research.
You said \nthat the Government often approaches cybersecurity with an \n``after the fact solutions applied with duct tape and bubble \ngum.\'\' You also said that cybersecurity investments by both the \nfederal government and industry are drastically underfunded. Do \nyou have any specific recommendations on funding levels or \ninvestments in federal cybersecurity R&D, or comments on what \nthe federal government can do better to address our \ncybersecurity research efforts?\n    Dr. Clancy. So as an academic, it\'s always--I think I\'m \ncongressionally required to lobby for more university research \nfunding.\n    Mr. McNerney. Yeah.\n    Dr. Clancy. But no, seriously, I think that there is a \ncritical need for continued investment in cybersecurity. The \nWorld Economic Forum states that cyber risk is the number one \nrisk to international organizations doing business in the \nUnited States. This is the challenge of our time and needs to \nbe the focus of significant R&D investment, particularly in the \ncellular spaces where the majority of the R&D investment is \nhappening in the EU. The Horizon 2020 program out of the EU is \nfunding almost all of the 5G security research right now, and \nwe have very little being funded here in the United States, \neither through the National Science Foundation or DHS. And that \nseems like a key opportunity for the U.S. to take a leadership \nrole in an area as important as this.\n    Mr. McNerney. Well it\'s our responsibility to decide how \nmuch money to spend on these things, and we need guidance. So \nif there\'s a place we can go to find that kind of guidance, I \nthink it would be very useful.\n    Dr. Clancy, you have said the United States needs for one \nmillion cybersecurity-related jobs, that an estimated 31 \npercent of those jobs are vacant now. You also pointed out the \nfact that American universities are not offering the right kind \nof courses to train people in cybersecurity.
Do you have any \nrecommendations for Congress to try and help energize efforts \nfor the right source of--sorts of computer security expertise \nthat our nation needs?\n    Dr. Clancy. So yes, there are----\n    Mr. McNerney. Similar question.\n    Dr. Clancy. There are currently, what, 300,000 empty cyber \njobs across the country. Here in the D.C. region, we have 42,000 \nunfilled cyber jobs. We have the densest cyber workforce in the \nworld here in the D.C. region, and among the highest vacancy \nrate because the talent is so sought after.\n    So there\'s a range of different activities that are needed \nto invest in workforce development programs. The number of new \ncyber jobs that are needed each year exceeds the number of \nstudents graduating with a degree in computer science each \nyear, so this needs to be not just viewed as a computer science \ndomain, this is a domain for business and policy. A wide range \nof skills are needed in order to effectively combat this \nchallenge.\n    So for example, there are federal programs such as the \nCyberCorps Scholarship for Service Program that is \nadministered by OPM and the National Science Foundation. I \nthink opportunities to expand that program to focus beyond the \npure technical skills of computer science would be an \nopportunity to densify the workforce pipeline.\n    Mr. McNerney. And you--would you think that there\'s a \nsignificant opportunity for women and underserved minorities \nto--in this field?\n    Dr. Clancy. Certainly. So cybersecurity is notorious for \nits poor performance in diversity, both in terms of gender and \nracial background. So I think programs specifically targeting \nwomen and underrepresented minorities in order to increase \nawareness are critical, and most studies have found that this \nisn\'t something you can\'t start at college.
This has to go all \nthe way back to third and fourth grade where people are sort of \nbeginning to decide whether or not a STEM career is what they \nwant to pursue or not.\n    Mr. McNerney. Thank you, Mr. Chairman.\n    Chairman Abraham. All right, good stuff.\n    I thank the witnesses for their testimony, very valuable, \nand Members for their great questions. The record will remain \nopen for two weeks for additional comments and written \nquestions from members.\n    This hearing is adjourned.\n    [Whereupon, at 3:24 p.m., the Subcommittee was adjourned.]\n\n                                 [all]\n</pre></body></html>\n'