[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                        BOLSTERING DATA PRIVACY 
                         AND MOBILE SECURITY: 
                 AN ASSESSMENT OF IMSI CATCHER THREATS

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                             JUNE 27, 2018

                               __________

                           Serial No. 115-68

                               __________

 Printed for the use of the Committee on Science, Space, and Technology
 
 


       Available via the World Wide Web: http://science.house.gov

              
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
30-878PDF                  WASHINGTON : 2018                     
          
              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
DANA ROHRABACHER, California         ZOE LOFGREN, California
MO BROOKS, Alabama                   DANIEL LIPINSKI, Illinois
RANDY HULTGREN, Illinois             SUZANNE BONAMICI, Oregon
BILL POSEY, Florida                  AMI BERA, California
THOMAS MASSIE, Kentucky              ELIZABETH H. ESTY, Connecticut
RANDY K. WEBER, Texas                MARC A. VEASEY, Texas
STEPHEN KNIGHT, California           DONALD S. BEYER, JR., Virginia
BRIAN BABIN, Texas                   JACKY ROSEN, Nevada
BARBARA COMSTOCK, Virginia           CONOR LAMB, Pennsylvania
BARRY LOUDERMILK, Georgia            JERRY McNERNEY, California
RALPH LEE ABRAHAM, Louisiana         ED PERLMUTTER, Colorado
GARY PALMER, Alabama                 PAUL TONKO, New York
DANIEL WEBSTER, Florida              BILL FOSTER, Illinois
ANDY BIGGS, Arizona                  MARK TAKANO, California
ROGER W. MARSHALL, Kansas            COLLEEN HANABUSA, Hawaii
NEAL P. DUNN, Florida                CHARLIE CRIST, Florida
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
DEBBIE LESKO, Arizona
                                 ------                                

                       Subcommittee on Oversight


                  RALPH LEE ABRAHAM, Louisiana, Chair
BILL POSEY, Florida                  DONALD S. BEYER, JR., Virginia
THOMAS MASSIE, Kentucky              JERRY McNERNEY, California
BARRY LOUDERMILK, Georgia            ED PERLMUTTER, Colorado
ROGER W. MARSHALL, Kansas            EDDIE BERNICE JOHNSON, Texas
CLAY HIGGINS, Louisiana
RALPH NORMAN, South Carolina
LAMAR S. SMITH, Texas
                            C O N T E N T S

                             June 27, 2018

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Ralph Lee Abraham, Chairman, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives
    Written Statement

Statement by Representative Donald S. Beyer, Jr., Ranking Member, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

                               Witnesses:

Dr. Charles H. Romine, Director, Information Technology 
  Laboratory, National Institute of Standards and Technology
    Oral Statement
    Written Statement

Dr. T. Charles Clancy, Director, Hume Center for National 
  Security and Technology, Virginia Tech
    Oral Statement
    Written Statement

Dr. Jonathan Mayer, Assistant Professor of Computer Science and 
  Public Affairs, Princeton University
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

Letter submitted by Representative Ralph Lee Abraham, Chairman, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives

Articles submitted by Representative Donald S. Beyer, Jr., 
  Ranking Member, Subcommittee on Oversight, Committee on 
  Science, Space, and Technology, U.S. House of Representatives

 
                        BOLSTERING DATA PRIVACY
                          AND MOBILE SECURITY:
                 AN ASSESSMENT OF IMSI CATCHER THREATS

                              ----------                              


                        WEDNESDAY, JUNE 27, 2018

                  House of Representatives,
                          Subcommittee on Oversight
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 2:17 p.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Ralph 
Abraham [Chairman of the Subcommittee] presiding.

    Chairman Abraham. The Subcommittee on Oversight will come 
to order. Without objection, the Chair is authorized to declare 
recesses of the Subcommittee at any time.
    Good afternoon and welcome to today's hearing entitled 
``Bolstering Data Privacy and Mobile Security: An Assessment of 
IMSI Catcher Threats.''
    I recognize myself for five minutes for an opening 
statement.
    Good afternoon again. Welcome to today's Oversight 
Subcommittee hearing ``Bolstering Data Privacy and Mobile 
Security: An Assessment of IMSI Catcher Threats.'' The purpose 
of today's hearing is to examine the threats that IMSI catchers 
and other similar technologies pose to mobile security and user 
privacy.
    IMSI catchers and rogue base stations, commonly known by 
their brand name ``Stingray,'' are devices used for 
intercepting cellular traffic and data. Today we will hear from 
government and academic experts about the basics of the 
technology, the ways in which it can be used by both legitimate 
and illegitimate actors, and potential methods to mitigate the 
risks these devices pose.
    Regrettably, although they were invited, the Department of 
Homeland Security, DHS, declined to provide a witness today and 
instead provided a briefing to Members and staff last week. 
While this was helpful in giving some context to the matter, it 
was no substitute for a public discussion on such a serious 
issue. It would have been substantially more helpful for DHS to 
have been present today, to be part of the dialogue, inform the 
American public, and answer questions about their work in this 
area. With that said, I would like to thank our witnesses for 
participating today and taking time out of their schedules to 
testify on this very important matter.
    Historically, the use of IMSI catcher technology has been 
limited to law enforcement, Department of Defense, and 
intelligence services. This was due in large part to the high 
cost of acquiring the equipment. However, as sophisticated 
technologies have become more commonplace and advances in 
manufacturing have made the production of highly technical 
products easier and cheaper, IMSI catcher technology and 
nefarious actors looking to exploit it have proliferated.
    While awareness is important, it is simply not enough to 
acknowledge an issue that needs to be addressed. Instead, we 
must also gain an understanding of the technology--the nature 
of the technology, the complexity of the technology, and the 
disruptive ability like IMSI catchers challenge, and the 
challenges they present. This is a responsibility the Committee 
takes seriously, and one which the Committee has a long history 
of meeting through vigorous oversight of emerging forms of 
research and technology. I believe today's hearing will yet add 
another important chapter to that history.
    As with much of technology in the modern age, IMSI catchers 
are a double-edged sword. On one hand, when used for legitimate 
law enforcement purposes, these technologies have the potential 
to positively impact society in a substantive and meaningful 
way. The ability to covertly track a suspect or intercept their 
data has the potential to help law enforcement coordinate safer 
arrests and certainly put more criminals behind bars, keeping 
our men and women in uniform, as well as our communities, safe.
    However, as we have seen with many new technologies and law 
enforcement tools, striking the appropriate balance between 
safety and privacy is not always easy. Just this past week, the 
Supreme Court ruled in Carpenter v. United States that cell 
phone location records are protected under the Fourth 
Amendment, previously a legal grey area. While this ruling does 
not purport to apply to real-time data tracking, the type IMSI 
catcher technology could provide, it raises the question of 
what the appropriate balance is between protecting privacy and 
empowering law enforcement to do their job.
    Similarly, we must consider what defenses we can and should 
employ to protect our privacy and national security. IMSI 
catcher technology is ripe for exploitation by foreign nations 
seeking to spy on American government officials and is likely 
already being used to do so. The cryptographic standards and 
methods used to protect U.S. government officials and important 
government information are something the National Institute of 
Standards and Technology is well positioned to produce, but 
this too creates a dilemma.
    As we saw with the San Bernardino terrorist's iPhone, 
sophistication--sophisticated encryption meant to protect user 
data and privacy brings with it a set of different, but no less 
consequential, issues. In the case of IMSI catcher 
technologies, to what degree should the general public be able 
to shield themselves from being caught in a foreign 
intelligence operation? To what degree might techniques meant 
to shield data from prying eyes prevent law enforcement from 
doing their jobs? How much privacy should we trade for security 
at the civilian and governmental levels? These are fundamental 
questions that must be asked.
    While I doubt we will hear an easy answer to these 
questions during today's hearing, we will hear informed 
perspectives from our witnesses on these and other important 
questions. It is my hope that we will leave here not only with 
a better understanding of this technology, but with forward-
looking thoughts about possible answers to, and solutions for, 
these tough questions. Again, I want to thank our witnesses for 
agreeing to be here to highlight this important topic.
    [The prepared statement of Chairman Abraham follows:]
    Chairman Abraham. At this time, I'd ask unanimous consent 
that we include in the record the letter--I've got it here--
that was sent to the Subcommittee this morning by the 
Electronic Privacy Information Center, or EPIC. Although I'm 
not sure I agree with the entirety of their statement, we will 
include this letter in the record.
    [The information appears in Appendix I]
    Chairman Abraham. I now recognize Ranking Member of the 
Full Committee, Ms. Johnson, for an opening statement.
    Ms. Johnson. Thank you very much, Chairman Abraham.
    Cell-site simulators, also known as Stingrays, or IMSI 
catchers, are a technology that can be used to locate cellular 
devices and possibly intercept voice calls, text messages, and 
data communications from the cellular device. It is a valuable 
tool for our law enforcement and intelligence communities.
    It is also, undoubtedly, a technology used by foreign 
intelligence services operating here in the United States. 
Indeed, the genesis of today's hearing was recent press 
reports that a Department of Homeland Security pilot program 
found rogue cell sites throughout Washington, D.C., including 
near the White House, FBI headquarters, and the Pentagon.
    It is clear that foreign intelligence agencies are seeking 
to use cell-site simulators to collect intelligence on federal 
officials. What are we as a government doing to counter this 
particular threat? Unfortunately, neither the Department of 
Homeland Security nor the Federal Bureau of Investigation is 
here today to help provide some answers to these questions.
    It is also unfortunate that President Trump appears to be 
taking no safeguards to protect himself from these cyber 
threats, and the Science Committee has taken no steps to use 
our oversight authority to investigate the White House's lack 
of cybersecurity precautions that we expect all other federal 
agencies to follow. I reiterate that Mr. Beyer's call and his 
statement and request that we hold a hearing on this subject in 
the near future.
    I am glad though to have our witness panel here today, who 
can provide us with advice on what Congress should be doing to 
protect federal officials and federal agencies from cell-site 
simulators that exploit our cybersecurity vulnerabilities, 
particularly those that impact our national security interests.
    Cell-site simulator technology also has implications for 
the privacy of Americans, as a law enforcement operation 
utilizing a cell-site simulator could be gathering data from 
thousands of nearby innocent citizens. In Baltimore, for 
instance, police used this technology without obtaining a 
warrant thousands of times in violation of the Fourth Amendment 
of the U.S. Constitution regarding an unreasonable search. Last 
week, the U.S. Supreme Court weighed in on this issue requiring 
police to obtain a warrant to gather cell phone location data. 
However, their decision did not specifically apply to cell-site 
simulators. So, it is unclear how these key privacy issues will 
be addressed by law enforcement agencies in the future.
    I am glad Dr. Jonathan Mayer from Princeton University--a 
lawyer and a computer scientist--is here today. He is uniquely 
qualified to speak on these important privacy issues, as well 
as the wider implications of this technology and the dangers it 
poses to our national security and our privacy. I look forward 
to hearing from him and other witnesses about how we can 
protect our national security and the privacy of our citizenry 
from attack by these rogue cell sites and other cyber threats 
that can target our mobile devices.
    Thank you, Chairman Abraham, and thanks to all of our 
witnesses for being here.
    [The prepared statement of Ms. Johnson follows:]

    Chairman Abraham. Thank you, Ms. Johnson.
    I now recognize the Ranking Member of the Oversight 
Subcommittee, the gentleman from Virginia, Mr. Beyer, for an 
opening statement.
    Mr. Beyer. Thank you, Chairman Abraham, very much, and 
thank you for your initiative to create this hearing.
    Cell-site simulators, or IMSI catchers, pose risks to both 
our national security and our personal privacy. These devices 
are about the size of a laptop computer and can be placed in a 
van, hotel room, drone aircraft, or operated by someone sitting 
on a park bench. These rogue cell stations masquerade as 
legitimate cell towers and gather the data of cell phones in 
their proximity. They are powerful tools employed by both 
friendly and hostile intelligence agencies, criminals and 
others. They also play an important role in the operations of 
U.S. law enforcement and the U.S. intelligence community. 
However, U.S. law enforcement agencies have not always obtained 
appropriate authorization from the courts before they have 
employed these tools against suspected criminals, and this has 
led to improper incursions into the private lives of hundreds 
of American citizens.
    Last week, the Supreme Court ruled that the government must 
now obtain a warrant when collecting cell phone data in certain 
cases. The court found, and I quote, ``A cell phone faithfully 
follows its owner beyond public thoroughfares and into private 
residences, doctor's offices, political headquarters, and other 
potentially revealing locales. Accordingly, when the government 
tracks the location of a cell phone it achieves near perfect 
surveillance, as if it had attached an ankle monitor to the 
phone's user.'' However, the court added that it was a narrow 
ruling, specifically stating, ``We do not express a view on 
matters not before us: real-time CSLI, Cell-Site Location 
Information, or tower dumps.'' Unfortunately, it seems the 
constitutionality of cell-site simulator use by law enforcement 
agencies without a warrant remains unsettled.
    Rogue cell-site simulators have not only affected our 
privacy, but they have endangered our national security. Last 
year, a Department of Homeland Security pilot project 
identified several rogue cell-site simulators near the White 
House and Pentagon, raising the specter of foreign intelligence 
agencies using IMSI catchers to target senior U.S. government 
officials right here in our Nation's Capital.
    Ironically, at the same time we are holding an oversight 
hearing on the threat to mobile security of these sorts of 
rogue cell sites, President Trump continues to ignore basic 
cybersecurity practices. This has created a threat not only to 
his own personal privacy but also to our national security. A 
headline from a CNN story in April read, ``Trump ramps up 
personal cell phone use.'' In May, POLITICO summed up the 
President's attitude towards the cybersecurity issues we're 
discussing today. The headline read ``Too Inconvenient--Trump 
Goes Rogue on Phone Security.'' And making matters worse, 
President Trump recently said that he provided his direct phone 
number to North Korean dictator Kim Jong-un. Doing this has 
opened up an additional threat known as a Signaling System 
Seven, or SS7, attack that may permit access to President 
Trump's personal cell phone remotely by North Korean 
intelligence operatives. Earlier this month, WIRED magazine 
published a story with the headline ``Trump Says He Gave Kim 
Jong-un His Direct Number. Never Do That.''
    I am attaching all three articles to my statement.
    Ongoing use of a reportedly unsecure cell phone by the 
President of the United States raises serious cybersecurity 
issues that this Committee should be examining. The Majority's 
Oversight Plan said the Science Committee would investigate 
cybersecurity incidents and compliance with ``federal 
information security standards and guidelines'' ``regardless of 
where they may be found.'' Let me repeat, quote, ``regardless 
of where they may be found.'' I wrote to Chairman Smith with 
Ranking Member Johnson and Mr. Lipinski in February of this 
year pointing out numerous cybersecurity practices of serious 
concern at the White House that warranted investigation. 
Unfortunately, we have not yet seen efforts by this Committee 
to uphold its oversight responsibilities to the American public 
and investigate these issues.
    My good friend Chairman Abraham, I am asking you again, 
let's look at holding this hearing and investigating the 
potential threat by holding--by rogue cell-site simulators, but 
while we do this, we can't ignore the specific threats within 
blocks of the White House and President Trump's own failure to 
abide by cybersecurity best practices.
    You know, in January 2018, the White House Chief of Staff 
Kelly banned the use of personal cell phones in the West Wing 
by White House employees. Yet, multiple media stories have 
continued to report that the President refuses to give up his 
personal cell phone or take proper cybersecurity measures to 
help identify and diminish cybersecurity threats. The President 
should not be held to a different standard than the rest of the 
federal government and our Committee should help the Executive 
Branch protect Mr. Trump from foreign adversaries, even if the 
President won't.
    So I look forward to hearing from all of our witnesses 
today who help us explore ways to enhance our cybersecurity. It 
is unfortunate we don't have anyone from DHS or the 
telecommunications, but I hope we will be able to hear from 
them in the future. Successfully addressing these issues is 
going to take a collective effort and a continued commitment 
from a wide range of stakeholders.
    Thank you, Chairman Abraham, and I yield back.
    [The prepared statement of Mr. Beyer follows:]

    Chairman Abraham. And now I will introduce our witnesses.
    Our first witness is Dr. Charles H. Romine, director of the 
Information Technology Laboratory at NIST. Dr. Romine joined 
NIST in 2009 as an associate director for the program 
implementation. In November 2011, Dr. Romine became the 
director of Information Technology Laboratory at NIST. Dr. 
Romine received both his bachelor of arts degree in mathematics 
and his Ph.D. in applied mathematics from the University of 
Virginia. Welcome.
    Dr. T. Charles Clancy, our next witness, he is the director 
of Virginia Tech's Hume Center for National Security and 
Technology. Dr. Clancy has worked with Virginia Tech since 2010 
as a professor. Prior to that he worked at the National 
Security Agency from 2000 to 2010. He holds a bachelor's degree 
in computer engineering from Rose-Hulman Institute of 
Technology, and a master's degree in electrical engineering 
from the University of Illinois, Urbana-Champaign. Dr. Clancy 
also received a doctorate from the University of Maryland, 
College Park, in computer science.
    Dr. Jonathan Mayer, our last witness, assistant professor 
at Princeton University's Department of Computer Science, and 
the Woodrow Wilson School of Public and International Affairs. 
Dr. Mayer previously worked for Senator Kamala Harris as a 
technology advisor in 2017. Prior to that he worked for the 
Federal Communications Commission Enforcement Bureau as a chief 
technologist from 2015 to 2017. He holds a bachelor's degree in 
public and international affairs from Princeton University. Dr. 
Mayer also received his juris doctorate and Ph.D. from Stanford 
University.
    I now recognize Dr. Romine for five minutes to present his 
testimony.

         TESTIMONY OF DR. CHARLES H. ROMINE, DIRECTOR,

               INFORMATION TECHNOLOGY LABORATORY,

         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Romine. Chairman Abraham, Ranking Member Beyer, Ranking 
Member Johnson, and Members of the Subcommittee, I am Charles 
Romine, director of the Information Technology Laboratory at 
the National Institute of Standards and Technology, known as 
NIST. Thank you for the opportunity to appear before you today 
to discuss our role in mobile device security.
    In the cybersecurity realm, NIST has worked with federal 
agencies, industry, and academia since 1972, and NIST's role 
has been expanded to research, develop, and deploy information 
security standards and technology to protect the federal 
government's information systems against threats, as well as to 
facilitate and support the development of voluntary industry-
led cybersecurity standards and best practices for critical 
infrastructure.
    Today, I'd like to talk about our work related to rogue 
base stations and the NIST Special Publication 800-187, Guide 
to LTE Security, released in December 2017.
    Rogue base stations are unlicensed, cellular devices that 
are not owned or operated by a duly-licensed mobile network 
operator. They're known by many names, such as cell-site 
simulators, Stingrays, or International Mobile Subscriber 
Identity, or IMSI, catchers. Rogue base stations act as a cell 
tower and broadcast a signal pretending to be a legitimate 
mobile network that may trick an individual's device into 
connecting to it. The necessary hardware to build a rogue base 
station is inexpensive, easily obtained, and the software 
required is freely available.
    Rogue base stations exploit the fact that mobile devices 
will connect to whichever base station is broadcasting as a 
device's preferred carrier network and is transmitting at the 
highest power level. Therefore, when a rogue base station is 
physically near a mobile device that is transmitting at higher 
power levels than the legitimate antenna, the device may 
attempt to connect to that malicious network.
    The threats from rogue base stations can come from their 
performing a passive attack, known as IMSI catching. This 
attack collects mobile device identities without the user's 
knowledge. It poses a significant threat to user privacy and 
security and safety because a malicious actor can determine if 
a subscriber is in a given location at a given time. 
Unfortunately, IMSI catching is no longer an advanced or 
complex attack only accessible to a small number of 
individuals.
    A more advanced attack that can be executed using a rogue 
base station is a type of man in the middle attack in which a 
malicious actor can force a user to downgrade to an older and 
less secure mobile network technology, such as 2G or 3G, that 
exposes that user to less robust security protections that 
exist in older versions of mobile networks, tricking the device 
into connecting to the rogue base station.
    A complex denial of service attack can occur when a mobile 
device first connects to a network when certain messages can be 
sent to a device by a rogue base station, essentially fooling 
the device into the equivalent of airplane mode. This can 
cause a denial of service that may persist until a hard reboot 
is done.
    Since 2012, NIST has been working on the cybersecurity 
aspects of telecommunications, focusing on 4G LTE networks used by 
public safety. This work enabled NIST to develop the guide to 
LTE security, which serves as a guide to the fundamentals of 
how LTE networks operate. It explores the LTE security 
architecture, and it provides an analysis of the threats posed 
to LTE networks and supporting mitigations. The guide is 
intended to educate federal agencies and other organizations 
that rely on 4G LTE networks as part of their operational 
environment.
    NIST has been an active participant in the working group of 
the Standards Development Organization responsible for security 
and privacy of 3G and 4G LTE, and recently, 5G. Active 
participation with the mobile network ecosystem developing 
security standards for future networks is an important way NIST 
works to address security vulnerabilities in mobile networks 
today.
    Security standards for 5G are, in fact, seeking to address 
issues surrounding rogue base stations through the introduction 
of optional privacy functionality. Once this functionality 
standard is developed for future networks, its implementation 
by mobile network operators will have the potential to 
eliminate the threat of today's passive sniffing IMSI catchers. 
In addition, the use of the optional security settings and next 
generation 5G technologies will go a long way to mitigate the 
usage of rogue base station technology.
    Much work still needs to be done to ensure secure 
deployments. NIST will continue its research and development in 
the security of telecommunications, the publication of 
guidelines and best practices, and our work with international 
standards bodies and technical committees.
    Thank you for the opportunity to testify on NIST's work 
regarding telecommunications security, and I will be pleased to 
answer any questions you may have.
    [The prepared statement of Dr. Romine follows:]
    Chairman Abraham. Thank you, Romine--Dr. Romine.
    All right, I now recognize Dr. Clancy for five minutes to 
present his testimony.

              TESTIMONY OF DR. T. CHARLES CLANCY,

  DIRECTOR, HUME CENTER FOR NATIONAL SECURITY AND TECHNOLOGY,

                         VIRGINIA TECH

    Dr. Clancy. Chairman Abraham, Ranking Members Beyer and 
Johnson, Subcommittee Members, my name is Charles Clancy and I 
am a professor of electrical and computer engineering at 
Virginia Tech where I direct the Hume Center for National 
Security and Technology. My current research sits at the 
intersection of 5G wireless, the internet of things, 
cybersecurity, and artificial intelligence. Prior to joining 
Virginia Tech, I led a portfolio of wireless research and 
development programs at the National Security Agency.
    It is my distinct pleasure to address this Committee on 
topics of critical national importance.
    Security of wireless infrastructure is critical. These 
devices, wireless base stations, and core network 
infrastructure are a key part of our critical infrastructure 
ecosystem. While each generation of cellular technology 
improves security and privacy, the backward compatibility 
challenge means that even if we deploy highly secure 5G 
networks, most phones can still connect to insecure 2G 
networks, even though many of the national carriers in the 
United States have already decommissioned their 2G 
infrastructure.
    This mixture of old and new technologies means that 
insecurity will always be part of the cellular ecosystem. 
Combatting threats to wireless network infrastructure requires 
a risk management approach that constantly evaluates potential 
vulnerabilities, observes threats, engineers countermeasures, 
and communicates best practices.
    Specifically with respect to IMSI catchers, as we've heard, 
IMSI catchers, also known as Stingrays, have come to symbolize 
a wide range of different cellular surveillance technologies. 
Rogue base stations, a particular class of surveillance 
technology, also known as a cell-site simulator, are devices 
that act like cell towers. 2G technology is particularly 
susceptible to these threats because authentication in 2G is 
weak and the encryption has been cracked. 2G rogue base 
stations are able to lure a phone into connecting, eliciting 
that phone's identity, also known as IMSI, prevent it from 
disconnecting, query the phone's precise GPS location, and in 
certain cases, intercept voice, data, and SMS content. 3G and 
4G rogue base stations are less capable because the underlying 
standards are more secure; however, they are still able to 
elicit a phone's identity.
    Earlier this year, 5G adopted a proposal known as IMSI 
encryption, which prevents 5G rogue base stations from 
successfully eliciting a phone's identity, which was seen 
generally as a very positive step forward.
    Rogue base stations can be used for a variety of 
applications, but are most commonly associated with IMSI 
catching. They interact with a phone for a few milliseconds to 
learn the phone's identity, and then pass that phone back to 
the real network.
    Another class of device is a more generic cell phone 
interception system. These devices are purely passive. They 
don't transmit anything. They don't pretend to be a cell tower. 
However, particularly for 2G standards, which have been 
cracked, they are able to intercept in bulk voice, SMS, and 
data traffic that is traversing those networks. For 3G and 4G 
networks that are protected by stronger encryption, there are 
much fewer capabilities that are possible.
    However, these technologies can be used together, for 
example, in conjunction with a jammer. Imagine jamming the 3G 
and 4G signal spectrum, which causes a phone to downgrade to 
2G, and then is vulnerable to the widest range of potential 
attacks. So these downgrade attacks undermine the improved 
security features that we see in the newer cellular standards.
    So with respect to closing the gap, 2G, in my opinion, 
represents one of the weakest links. The weak encryption and 
authentication is a major security challenge with modern cell 
phones. And interestingly, carriers have already decommissioned 
much of the 2G infrastructure here in the United States. So if 
carriers were able to push policies to phones that would 
prevent phones from connecting to vulnerable 2G networks, this 
would go a long way into addressing this issue. Currently 
iPhones lack the ability to do this, and with Android phones, 
you have to know a secret number to type in that results in a 
secret diagnostic menu that allows you to change this setting. 
Not exactly user-friendly, and I think with improved user 
interfaces and making this the default, we would make users 
much more secure.
    As we think about downgrade--sort of the decommissioning of 
2G, we have to be careful though. Many rural networks still 
rely on 2G, and there are many devices from vehicle telematics 
to home alarm systems that rely on 2G networks to provide 
connectivity.
    Lastly, if we do want to try and identify the 
tech and track rogue base stations, it's important to 
understand the motivation for doing so. There certainly are 
telltale signs that a base station is a rogue base station, and 
phones are able to differentiate that with a variety of 
hardware and software modifications. Also there are standards 
within the cell phone networks that would allow cell phone 
carriers to be able to track rogue base station activity. In 
fact, the new 5G security standards make a specific 
recommendation about how this data can be used.
    However, when we consider this, we must consider to what 
end we seek to track down these base stations, to notify the 
user, to notify the carrier, and if so, how that data should be 
used.
    So looking forward, I recommend the Subcommittee consider 
the following: first, as 2G network infrastructure is 
decommissioned, phones should not prefer 2G in any 
circumstances; next, individuals who are likely targets of 
foreign intelligence should use phones that meet the needed 
security countermeasures; and finally, if you do seek to track 
down IMSI catchers, first address to what end and how that data 
will be used.
    Thank you for the opportunity to address the Subcommittee 
today, and I look forward to your questions.
    [The prepared statement of Dr. Clancy follows:]
    Chairman Abraham. Thank you, Dr. Clancy.
    Dr. Mayer, five minutes.

      TESTIMONY OF DR. JONATHAN MAYER, ASSISTANT PROFESSOR

            OF COMPUTER SCIENCE AND PUBLIC AFFAIRS,

                      PRINCETON UNIVERSITY

    Dr. Mayer. Chairman Abraham, Ranking Member Beyer, Ranking 
Member Johnson, and Members of the Subcommittee, thank you for 
the opportunity to address cell-site simulators and the broader 
topic of communication security and privacy at today's hearing.
    These issues were central to my recent service as chief 
technologist of the Federal Communications Commission 
Enforcement Bureau. They have been an essential component of my 
computer science and legal research.
    In last week's groundbreaking Carpenter v. United States 
decision, the Supreme Court recognized that ``Cell phones and 
the services they provide are such a pervasive and insistent 
part of daily life that carrying one is indispensable to 
participation in modern society.'' The private sector, the 
public sector, and the American people all depend on our 
communications infrastructure. The security and privacy 
safeguards for that infrastructure have not kept pace with its 
growing importance to the Nation. Our communications networks 
have significant cybersecurity vulnerabilities that could be 
exploited by criminals and foreign adversaries. And when law 
enforcement agencies seek to conduct investigations using 
wireless technology, the applicable federal law is imprecise, 
outdated, likely unconstitutional, and leaves police 
departments in legal limbo.
    In this brief opening statement, I will focus on security 
and privacy risks associated with cell-site simulators. My 
written testimony highlights several other areas of 
cybersecurity vulnerability, including insecure call and text 
message routing, delayed mobile device software updates, and 
unauthenticated caller ID, the last of which is responsible for 
the nationwide explosion of fraudulent robocalls.
    Cell-site simulators, commonly dubbed IMSI catchers, 
Stingrays, or dirt boxes, are devices that exploit omissions 
and mistakes in the trust between mobile devices and cellular 
towers. A cell-site simulator mimics a legitimate cellular 
tower and tricks nearby mobile devices into connecting to it. 
The cell-site simulator then takes advantage of the connection 
to extract information from those devices. The most serious 
cell-site simulator risks are associated with second 
generation, or 2G, wireless protocols which were initially 
deployed in the 1990s and remain operational today to support 
legacy devices and offer service in rural areas. The 2G 
wireless protocols do not include authentication for cellular 
towers. As a result, 2G cell-site simulators can fully mimic a 
cellular tower, and these cell-site simulators can identify and 
track nearby mobile devices, can intercept or block voice, 
text, and data communications involving those devices.
    While more recent 3G and 4G wireless protocols include 
authentication for cellular towers, they still have significant 
cell-site simulator vulnerabilities. And while the latest 5G 
protocols do include a new protection against cell-site 
simulators, that protection is only optional and only effective 
against some of the known attacks against 3G and 4G networks.
    The possible criminal uses of cell-site simulators are 
limited only by our collective imagination. Criminals could 
capture private financial information, for example, and steal 
funds. They could collect sensitive medical information and 
conduct blackmail. Or they could obtain confidential business 
information for commercial gain.
    Cell-site simulators also pose a serious national security 
threat. The federal government is the Nation's largest consumer 
of commercial wireless services, and is susceptible to the same 
cybersecurity risks in our communications infrastructure. A 
foreign intelligence service could easily use cell-site 
simulators to collect highly confidential information about 
government operations, deliberations, and personnel movements.
    In responding to the threat of cell-site simulators, as 
well as the other serious cybersecurity risks associated with 
insecure call and text message routing, delayed mobile device 
software updates, and unauthenticated caller ID, I encourage 
the members of this Subcommittee to consider leveraging the 
federal government's communications acquisitions. According to 
OMB, the United States Government spends about $1 billion every 
year on wireless service and mobile devices, and yet, as DHS 
acknowledged in a recent report, the federal government has 
little assurance that it is paying for wireless service and 
mobile devices that incorporate cybersecurity best practices. 
Congress should condition its substantial communications 
outlays on implementation of appropriate cybersecurity 
safeguards.
    Before I close, I would like to briefly address law 
enforcement use of cell-site simulators. Federal, state, and 
local law enforcement agencies use cell-site simulators in the 
course of criminal investigations, either to track the location 
of a suspect's mobile device, or to identify all the mobile 
devices nearby. At present, the federal government owns over 
400 cell-site simulators and at least 73 State and local law 
enforcement agencies also own cell-site simulators. Under 
current law it is a violation of Section 301 of the Communications 
Act for a State or local law enforcement agency to operate a 
cell-site simulator, because they're transmitting unlicensed 
wireless spectrum without authorization. Police departments may 
also run afoul of Section 333, which prohibits wireless jamming 
because law enforcement cell-site simulators could disrupt 911 
calls and other wireless connectivity.
    I believe that cell-site simulators are legitimate 
investigative tools and that they should be available to law 
enforcement agencies when subject to appropriate procedural 
safeguards. But until Congress takes action, the Nation's 
police departments will remain in legal limbo. I encourage the 
Members of the Subcommittee to consider legislation that both 
resolves the Communications Act issues with cell-site 
simulators, and codifies a warrant requirement for cell-site 
simulator operation.
    Thank you again for the opportunity to address 
communications security and privacy at today's hearing, and I 
look forward to questions from the Subcommittee.
    [The prepared statement of Dr. Mayer follows:]

    Chairman Abraham. Thank you, Dr. Mayer. I thank all the 
witnesses for that very compelling testimony.
    I'm going to recognize myself for five minutes for the 
opening round of questions. Dr. Clancy, I'll direct my first 
one to you.
    You previously detailed that you see two possible scenarios 
moving forward with this overall issue. One is a status quo 
with the possibility of increased training and acknowledgment 
of these targeted attacks. The second is a substantive dive and 
to address the issue, which includes a comprehensive assessment 
of how we treat cell phone towers, permissioned access, and 
policy changes through updates to phones. Can you provide a 
little more detail about the difference in the two options, and 
which would you prefer?
    Dr. Clancy. So I think there are a number of solutions that 
are possible within this space. There are technical solutions, 
there are policy solutions, there are legal solutions. I think 
that there are--the key thing, though, is to ensure that any 
action that's taken to, I guess, close the gaps that IMSI 
catchers leverage takes into consideration a path forward for 
law enforcement around being able to conduct their operations.
    So I could imagine scenarios where we essentially look to 
prevent phones from connecting to IMSI catchers, scenarios 
where we shut down 2G preference for phones in order to prevent 
them from being as susceptible to IMSI catchers. But I think 
any action that we take should be complemented with efforts to 
ensure that law enforcement still are able to get timely access 
to location information in order to support their 
investigations.
    Chairman Abraham. Who should lead the effort to have a 
comprehensive solution to these issues? What set of agencies or 
people?
    Dr. Clancy. Indeed. So certainly any time we talk about 
telecommunications and cellular it's tricky because there are 
so many stakeholders. DHS is the sector-specific agency 
associated with telecommunications, so they would seem like a 
logical choice to take the lead. But certainly the FBI, the 
FCC, and others are key stakeholders in this process.
    Chairman Abraham. Okay, thank you.
    Dr. Mayer, how does the recent Supreme Court decision on 
Carpenter v. United States addressing citizens' Fourth 
Amendment rights change the acceptable use of this technology?
    Dr. Mayer. Thank you for the question. Carpenter, by its 
own terms, does not regulate real time location tracking by law 
enforcement. The majority was clear on that point. It does, 
however, express a growing concern by the Supreme Court with 
the scope of law enforcement capability using modern 
technology, and to the extent it affects court's views on cell-
site simulators, it will only serve to heighten the level of 
protection.
    That said, I want to be very clear to note that to my 
knowledge, every recent court decision that has addressed the 
question of whether cell-site simulators are regulated by the 
Fourth Amendment has concluded they are regulated by the Fourth 
Amendment and a warrant is required for their operation.
    Chairman Abraham. Do you think it will have an impact on 
this--from this Carpenter decision on lawful and legitimate use 
of the rogue base stations or the IMSI catchers to thwart 
criminal activity?
    Dr. Mayer. So at the federal level I don't believe there 
will be an effect because by policy, the Department of Justice 
and the Department of Homeland Security already obtain warrants 
to operate these devices. At the State and local level, my 
understanding is that some police departments do currently 
operate these devices without obtaining a search warrant, and 
they may continue to do those things notwithstanding the 
Carpenter decision. This issue has not been fully litigated in 
every jurisdiction.
    Chairman Abraham. Dr. Romine, NIST has published the Mobile 
Threat Catalog which provides incredibly useful information 
about the overall issue of mobile device security. How is NIST 
getting this information out and in front of vendors and people 
that need to see it?
    Dr. Romine. Thank you, Mr. Chairman.
    We have a collection of stakeholders that are in contact 
with us on a regular basis. We have thousands of people who 
subscribe to our newsletters. In general, those are 
stakeholders that are monitoring the work that we do. We are 
working through the Standards Development Organizations, the 
3GPP, for example, which has a lot of the work that we're doing 
and involves trying to help improve the security of 
telecommunications activities and their channels associated 
with getting the information out through those mechanisms as 
well. We also manage an active website with many, many--tens of 
thousands of hits on a regular basis for people who are looking 
at what we're doing in cybersecurity broadly and for specific 
topic areas as well.
    Chairman Abraham. Is NIST working with other government 
agencies to promote this, such as a cybersecurity framework?
    Dr. Romine. Well, it is not directly related to the 
cybersecurity framework, but we are working with other federal 
agencies. We encourage a large number of agencies to work, for 
example, in the standards development bodies so that all of the 
requirements and associated concerns can be expressed in those 
bodies.
    Chairman Abraham. Okay, thank you.
    Mr. Beyer.
    Mr. Beyer. Thank you, Mr. Chairman, and it's nice to have a 
Chairman from Texas that loads the panel up with Virginians.
    So Dr. Romine, your PAC from UVA is very much appreciated. 
Dr. Clancy teaching with the Hokies at Virginia Tech. Dr. 
Mayer, I'm sorry about the Stanford Princeton background, you 
know, but you can--they can slum it today.
    Dr. Mayer. I enjoy visiting the state.
    Mr. Beyer. That's good. Dr. Mayer, you know, according to 
press reports the President frequently uses his unsecured cell 
phone and routinely refuses to change that to an official 
secured phone. That was one of the recommendations that people 
in very sensitive roles have these highly secure phones. We 
talked about the cell phone number to Kim Jong-un.
    Can you describe why these practices may put the 
President's phone at risk from being hacked or penetrated by 
foreign intelligence agencies?
    Dr. Mayer. Any senior official in any of the branches of 
government--and for that matter, any senior executive in the 
private sector--should take heightened precautions with respect 
to their telecommunications equipment. There are possible 
attacks involving interception of voice and text messages. In 
my written testimony, I describe how those might proceed. There 
are also the cell-site simulator risks that we've discussed. 
And in addition, there's an issue of security updates not 
necessarily getting delivered in a timely fashion to consumer 
devices, such that they could be remotely compromised.
    So there are a number of cybersecurity risks that are very 
significant in this ecosystem that could result in essentially 
total compromise of communications, and again, anyone in a 
sensitive position should take heightened precautions.
    Mr. Beyer. Great, thank you very much.
    Dr. Romine, in Dr. Mayer's presentation he talks about 
femtocells, consumer hardware sold by wireless providers that 
extend coverage indoors and into rural areas. Are these the 
things I bought from Google that allow my wife to use her 
wireless thing upstairs?
    Dr. Romine. I think that's probably a good example of 
exactly what was described.
    Mr. Beyer. So one of the things that we consumers may have 
been totally unaware of is by buying essentially the wireless 
extenders within our home, that we have set up these rogue IMSI 
devices?
    Dr. Romine. I'd have to double check the particulars, but I 
don't think that's quite the same kind of thing that we're 
talking about. In the case of these devices, these are lawfully 
provisioned to provide extended coverage and are not considered 
camping illegally on spectrum that hasn't been authorized.
    Mr. Beyer. I wasn't so worried about us breaking the law as 
we were setting up bad guys to get our----
    Dr. Romine. Oh, I see what you're saying. I don't know the 
particulars of the femtocells and whether they have similar 
kinds of cybersecurity built into them. I think it would depend 
on the manufacturer and on the way that they're provisioned. 
I'll have to get back to you on whether I think there's 
additional vulnerability associated with having femtocells in 
your home.
    Mr. Beyer. Great. Dr. Clancy, I loved your recommendations 
at the end. You talked about the default setting that the major 
phone carriers need to set default stuff within the Androids 
and the iPhones that would basically disable the 2G thing 
unless they're specifically roaming. How do we make that 
happen? Is there a role for Congress there?
    Dr. Clancy. That's a good question. It's a fairly simple 
change to the software of the devices. It could even be done as 
a policy push from the carrier networks.
    Right now, users have the ability to shut off 3G and 4G 
particularly on iPhones, but they do not have the ability to 
shut off 2G, which is sort of backwards in my opinion. So with 
some minor policy shift pushes from the carriers that have 
already decommissioned 2G, these devices would default to only 
using 3G and 4G.
    Mr. Beyer. Is this something that they could tell all of us 
with our iPhones and Androids to do, or do you have to do that 
in the units they sell going forward?
    Dr. Clancy. Well it would need to be an update that they 
push from the networks to the phones. It wouldn't necessarily 
just be new devices. There is not a way for a user to do it by 
themselves within the current infrastructure. Even the secret 
code I talked about that brings up the diagnostic menu where 
you can change it yourself, it doesn't--once you reboot your 
phone, the setting goes away so you have to sort of constantly 
go in and make sure that 2G is disabled.
    So there are some very simple things that could be done 
with the user interface through software updates that would 
cause phones to not connect to 2G unless roaming.
    Mr. Beyer. Okay, great. Mr. Chairman, I yield back.
    Chairman Abraham. Thank you.
    Mr. McNerney?
    Mr. McNerney. Well I thank the Chair and I thank the 
witnesses. I apologize for leaving during your testimony, but 
you did have written testimony that we reviewed beforehand.
    My question is similar to Mr. Beyer's question, the Ranking 
Member's question. Dr. Mayer, in your testimony you state that 
the most serious cell-site simulator risks are associated with 
2G wireless protocols, which were deployed in the 1990s and 
remain operational today to support the legacy devices that are 
out there. Who are the consumers that are most likely to 
possess these legacy devices?
    Dr. Mayer. Well as Dr. Clancy testified, there are a number 
of devices like home alarm systems, connected devices that were 
deployed in the 1990s or early 2000s that just don't have newer 
cellular technology built into them. Nowadays we call these 
things the internet of things, but back then it was just your 
alarm system.
    So those are the types of devices that might be affected, 
and it's also important to note that rural connectivity is 
sometimes provided by 2G, because those networks were built out 
and have not been updated since.
    That said, I think providing the security protection 
associated with disabling 2G need not come at the expense of 
disabling those legacy devices or rural connectivity. You know, 
for folks who live in an area that doesn't have 2G--or that has 
3G, 4G, or now 5G coverage, disabling 2G wouldn't be a problem.
    Mr. McNerney. But there are a lot of legacy devices out 
there that they are going to continue to require 2G protocols, 
right?
    Dr. Mayer. I'm afraid I don't have a handle on the scale of 
the use of 2G networks at this point, but it is not an area 
where we have to make a tradeoff between supporting those 
devices and securing the latest devices. We can do both.
    Mr. McNerney. Well you note that while most 3G and 4G 
protocols include authentication for cell towers, they still 
have significant site cell tower vulnerabilities. Could you 
expand on that a little bit?
    Dr. Mayer. Sure. In my written testimony, I describe three 
classes of vulnerability in addition to taking advantage of 2G 
networks. One class of vulnerability is location tracking. 
There are certain components of the 3G and 4G cellular 
protocols that enable location tracking, even though the base 
station isn't properly authenticated. So that's one class of 
attack.
    Another class of attack is taking advantage of femtocells, 
as Ranking Member Beyer noted. These are home devices that 
serve as range extenders. Criminals could compromise these 
devices and convert them into their own cell-site simulators, 
and in fact, researchers have demonstrated that this can 
actually be a pretty easy thing to do.
    The third class of attack I describe takes advantage of 
either collaborating with or compromising a foreign cellular 
network, and then effectively tricking devices within the 
United States into roaming on that foreign network.
    So there are multiple other categories of attack in 
addition to the 2G issue.
    Mr. McNerney. So these range extenders, when they're 
attacked, does that give the attacker just access to the person 
that has the range extender or does it go beyond that?
    Dr. Mayer. Those devices could give access to any person 
targeted by whoever's operating the range extender that's been 
compromised, and that could allow intercepting voice, 
intercepting text messages, and intercepting data.
    Mr. McNerney. Thank you.
    Dr. Clancy, when a carrier detects the rogue base station 
is in operation, is it currently required to report that to an 
agency like the FBI?
    Dr. Clancy. Currently the carriers perhaps are collecting 
enough data to make that determination, but they are not 
archiving it in a way that it can be analyzed to produce that 
conclusion. So there is sort of data that exists ephemerally 
within the carrier networks that could be a telltale sign that 
an IMSI catcher is operating in their geographic footprint. 
Right now that data is not being stored. It is not being 
analyzed, and it is only now in the 5G standards that it is 
even proposed that that is a thing that should be done. So I 
think that is sort of unexplored at this moment in terms of 
what should be done with that data.
    Mr. McNerney. Is that a business opportunity or a 
regulatory opportunity to control that?
    Dr. Clancy. So there are other countries where that data is 
handed over to third parties and used for all manners of 
analytics. I think those countries have substantially different 
privacy laws than we do here in the United States, so I think 
it is data, certainly given all the focus on cellular privacy 
we have seen over the last few weeks, that I wouldn't 
necessarily consider a business opportunity. It would need to 
be treated carefully.
    In terms of regulatory, yeah, I mean, I assume you could 
regulate that data needed to be analyzed, and if detection 
was--if you discovered a rogue base station then you should 
tell someone. I guess the question is who? Do you file an 
interference complaint with the FCC? Do you file something with 
the FBI saying that you've detected an IMSI catcher? These 
things, of course, could be being used by--lawfully by federal 
law enforcement, or they could be being used unlawfully. And 
the carrier wouldn't know which it was.
    Mr. McNerney. Mr. Chairman, I'll yield back.
    Chairman Abraham. All right. Well so I'm thinking of 
ditching my cell phone and going to get two cans and a string 
to--you have some questions, Mr.----
    Mr. Beyer. Well I was going to yield to either of you guys.
    Chairman Abraham. I'm going--we're going to have a second 
round of questions now, so we're good. Okay. Yeah, we're--this 
is such an interesting topic, we're going to continue here for 
at least another round.
    Dr. Mayer, is it possible to attribute any legal cell-site 
simulator to a particular actor, specifically particular cell-
site simulators, do they have characteristics associated with 
where they were made or the entity using them? For example, if 
the device was made in China or in Russia, would it have any 
specific identifiers?
    Dr. Mayer. That's a great question, Chairman Abraham. I'm 
not aware of any instance in which a law enforcement or 
regulatory agency has successfully tracked down one of these 
devices, and so I'm not aware of anyone who's tried to 
attribute one of these devices once they get their hands on it 
or having studied the signals emanating from it and concluding 
that it was definitively a cell-site simulator.
    And so I think in principle it could be possible to 
attribute one of these devices. Again, I'm not aware of an 
instance in which folks have gotten close enough to do that.
    Chairman Abraham. Dr. Clancy, do you have anything to add 
to that?
    Dr. Clancy. So in my experience, there are broadly two 
classes of these devices. There are the expensive ones that are 
manufactured principally for military and law enforcement use, 
and their signaling parameters would likely have one set of 
characteristics associated with it. There's another that's 
based on inexpensive open source hardware and software that you 
would likely find being used potentially by foreign 
intelligence. It depends on the sophistication level of the 
adversary.
    I would imagine that you could, with relative simplicity, 
tell the difference between an open source--one that was built 
on open source software versus one that was built for higher 
end military and law enforcement use, and I would imagine that 
that would also then be differentiable from the legitimate cell 
tower networks.
    Chairman Abraham. Okay, Dr. Mayer, back to you. In your 
testimony, you state that to your knowledge, other than the 
recent DHS pilot project, no component of the U.S. Government 
has acknowledged a capability to detect cell-site simulators in 
the field, including wireless carriers.
    Additionally in a response to Senator Wyden, DHS 
specifically claimed it did not currently possess the technical 
capability to detect cell-site simulators. Should DHS have this 
capability, and if so, how difficult would it be for them to 
actually have it?
    Dr. Mayer. So there are commercial tools available for law 
enforcement and regulatory agencies to attempt to detect these 
devices. The inherent challenge with detecting these devices is 
that there is no definitive telltale sign of a cell-site 
simulator. There are only indicia that give rise to suspicion, 
that the tower appears to be configured in an unusual way, and 
it appears to be broadcasting on unusual spectrum or unusual 
power level. But there are many reasons why legitimate cell 
towers are configured in unusual ways, either intentionally or 
unintentionally. They may appear and disappear, such as getting 
set up for a special event, and so again, while there are 
commercial tools available, I'm not aware of anyone who's used 
any of these tools to definitively identify one of these 
devices, and that's why my recommendation is focusing on 
defense rather than whack-a-mole with the folks setting these 
things up.
    Chairman Abraham. Dr. Clancy, in its mobile device security 
study, DHS concluded that it ``believes''--and I will put that 
in quotes--``that all U.S. carriers are vulnerable'' to the SS7 
and the Diameter attacks, in addition to the federal government 
having little assurance that it's paying for cellular service 
and mobile devices that incorporate cybersecurity best 
practices. Since DHS has responsibility for the protection of 
critical infrastructure of the government, in your opinion, 
should DHS continue researching the risks through pilot 
programs and studies like the 2017 pilot? What DHS S and T be--
would be the appropriate division to continue this research?
    Dr. Clancy. So within DHS S&T, there would be two logical 
groups. There's a public safety group and there's a 
cybersecurity group. Perhaps it would be an interesting 
collaboration between the two that could focus on these topics.
    I do think that there's room for continued research on 
developing and maturing these tools. I do also agree that the 
sort of whack-a-mole approach is--would be challenging. Anytime 
you identify what you think is a unique signature for one of 
these devices, a sophisticated adversary could change that 
signature in order to avoid detection.
    So I'll also note that there are apps that are available 
that purport to identify a rogue base station, and there was a 
systematic study done last August--it was published last August 
which showed that they were able to fool all of those apps into 
thinking that their rogue base station was indeed a legitimate 
one. So again, supporting this notion that whack-a-mole would 
be challenging against a sophisticated adversary.
    Chairman Abraham. Mr. Beyer.
    Mr. Beyer. Thank you, Mr. Chairman.
    Dr. Mayer, you wrote that in 2016 the major wireless 
carriers committed to targeting a rollout for caller ID 
authentication in the first quarter of 2018, and as of today, 
not a single major wireless carrier has adopted rigorous caller 
ID authentication. Can you tell us why? Is it ridiculously 
expensive? Have they been otherwise distracted? AT&T, for 
example.
    Dr. Mayer. Ranking Member Beyer, before answering that in 
just a moment, if I might add to Dr. Clancy's response on the 
last question that our allies across the pond in the United 
Kingdom actually have their government audit communications 
carriers to make sure that these SS7 and Diameter 
vulnerabilities have been addressed. The notion of DHS jumping 
into the carriers maybe is not--may be worth further 
discussion, but at any rate, our allies have a different 
approach to this than we do.
    With respect to the robocall issue and call authentication, 
my understanding is that the carriers are not eager to make new 
investments in what they view as a declining area of their 
business. The growth in cellular communications has been in 
data and not in voice, and so investing new money in voice 
security is a bit of a tough proposition when these are systems 
that are just not going to be revenue generators in the future.
    Mr. Beyer. Despite the fact that there are billions of 
robocalls made that harass Americans every year?
    Dr. Mayer. That's right, and I think an extra dimension of 
this that I will certainly I find personally frustrating is the 
major wireless carriers not only have not taken steps to 
address the issue, but in fact, charge a monthly fee if you 
would like to use their services to address robocalls.
    Mr. Beyer. Wow. Thank you very much.
    Dr. Clancy, you write that criminal organizations could 
theoretically take advantage of the technology, but they 
haven't. Why not?
    Dr. Clancy. Well it depends on--in order to take advantage 
of the technology, you need a fairly sophisticated sort of 
intelligence analysis function. If you're simply catching 
IMSIs, you have to know to whom those IMSIs belong, and that 
isn't readily available if you're just doing this 
opportunistically.
    So law enforcement and foreign intelligence are spending a 
lot more time on the analytic component in order to develop 
those relationships and know what IMSI they're looking for, 
whereas criminal organizations don't often have the analytic 
capacity to accomplish that, so they've been focused on more 
brute force technologies like just jamming the cellular signals 
in order to accomplish their acts.
    Mr. Beyer. Okay.
    Dr. Clancy. At least that's been my observation.
    Mr. Beyer. Thank you.
    Dr. Romine, I think it was Dr. Mayer who wrote that other 
than the DHS pilot, no component of the United States 
government has acknowledged the capability to detect cell-site 
simulators in the field. No wireless carrier has acknowledged 
such a capability, and the Department of Justice has not 
initiated any prosecution for operating a cell-site simulator. 
Is this a hole in our federal capabilities, and where does NIST 
fit into this?
    Dr. Romine. Thank you for the question. Let me address the 
second part of that first, which is that NIST's role in this 
space is to strengthen the security of telecommunications 
networks, and we do that principally through our engagement 
with the standards development process and in the guidelines 
that we publish, such as the special publication I referenced 
in my testimony, to try to provide useful input for operators 
and others who might like to strengthen their 
telecommunications activities.
    The question of the gap, or if there is a gap in this, is 
probably a little above my pay grade. I don't know what the 
right answer to that is. I would say that certainly the 
Department of Homeland Security has a role to play as the 
sector-specific agency for the telecommunications sector. 
Beyond that, it's not clear to me.
    Mr. Beyer. Thank you. Dr. Mayer, you wrote that paragraph. 
What was your intent in talking about this gap?
    Dr. Mayer. My view is that while it is worth spending time 
on attempting to improve detection of these devices, the far 
better or far more effective focus for federal policy would be 
on defense. We know how to defend against the worst of these 
attacks, and I think it is a--it would be a very reasonable 
thing for Congress to say when we're spending all this taxpayer 
money on wireless services and devices, we expect at minimum 
defenses against the worst of the worst.
    Mr. Beyer. I agree. Thank you very much.
    Mr. Chairman, I yield back.
    Chairman Abraham. Thank you, Mr. Beyer.
    Mr. McNerney?
    Mr. McNerney. Again, I thank the Chair for another round of 
questions.
    Dr. Romine, in your testimony you noted that 4G systems 
have a number of operational capabilities that mobile network 
operators may choose to implement, and that's presumably to 
secure cell phone communications. Has NIST conducted an 
analysis to determine what has been implemented to date, how 
widespread that implementation is, and what's still needed?
    Dr. Romine. Thank you, sir. We have not done that analysis. 
We don't do operational activities. We're not a provider of 
these services and we don't have any insight into the way the 
operators are currently using these, and whether the optional 
security features or privacy features are being turned on or 
not.
    From our perspective, I agree with the other two witnesses 
here that there's some low-hanging fruit here. The easiest part 
of this, or the most important, would perhaps be addressing 
this idea of dropping back to 2G communications--and I want to 
be clear here. The vendors or the mobile operators are not 
doing this because of any lack of understanding of the concern 
of security. They are doing it to provide the best user 
experience, right? So the vulnerability exists because the 
telecommunications providers are trying to ensure a seamless 
communication.
    That said, I think it's going to take a collaboration among 
users, vendors, and the industry to ultimately complete the 
phaseout of 2G communications.
    Mr. McNerney. That's what it's going to take, phasing out 
the 2G communications?
    Dr. Romine. That's certainly one major focus that I think 
would make a difference.
    Mr. McNerney. Thank you. Dr. Clancy, you said that in the 
past, both industry and the federal government need to 
significantly increase cybersecurity funding research. You said 
that the Government often approaches cybersecurity with an 
``after the fact solutions applied with duct tape and bubble 
gum.'' You also said that cybersecurity investments by both the 
federal government and industry are drastically underfunded. Do 
you have any specific recommendations on funding levels or 
investments in federal cybersecurity R&D, or comments on what 
the federal government can do better to address our 
cybersecurity research efforts?
    Dr. Clancy. So as an academic, it's always--I think I'm 
congressionally required to lobby for more university research 
funding.
    Mr. McNerney. Yeah.
    Dr. Clancy. But no, seriously, I think that there is a 
critical need for continued investment in cybersecurity. The 
World Economic Forum states that cyber risk is the number one 
risk to international organizations doing business in the 
United States. This is the challenge of our time and needs to 
be the focus of significant R&D investment, particularly in the 
cellular spaces where the majority of the R&D investment is 
happening in the EU. The Horizon 2020 program out of the EU is 
funding almost all of the 5G security research right now, and 
we have very little being funded here in the United States, 
either through the National Science Foundation or DHS. And that 
seems like a key opportunity for the U.S. to take a leadership 
role in an area as important as this.
    Mr. McNerney. Well it's our responsibility to decide how 
much money to spend on these things, and we need guidance. So 
if there's a place we can go to find that kind of guidance, I 
think it would be very useful.
    Dr. Clancy, you have said the United States needs for one 
million cybersecurity-related jobs, that an estimated 31 
percent of those jobs are vacant now. You also pointed out the 
fact that American universities are not offering the right kind 
of courses to train people in cybersecurity. Do you have any 
recommendations for Congress to try and help energize efforts 
for the right source of--sorts of computer security expertise 
that our nation needs?
    Dr. Clancy. So yes, there are----
    Mr. McNerney. Similar question.
    Dr. Clancy. There are currently, what, 300,000 empty cyber 
jobs across the country. Here in the D.C. region, we have 42,000 
unfilled cyber jobs. We have the densest cyber workforce in the 
world here in the D.C. region, and among the highest vacancy 
rate because the talent is so sought after.
    So there's a range of different activities that are needed 
to invest in workforce development programs. The number of new 
cyber jobs that are needed each year exceeds the number of 
students graduating with a degree in computer science each 
year, so this needs to be not just viewed as a computer science 
domain, this is a domain for business and policy. A wide range 
of skills are needed in order to effectively combat this 
challenge.
    So for example, there are federal programs such as the 
CyberCorps Scholarship for Service Program that is 
administered by OPM and the National Science Foundation. I 
think opportunities to expand that program to focus beyond the 
pure technical skills of computer science would be an 
opportunity to densify the workforce pipeline.
    Mr. McNerney. And you--would you think that there's a 
significant opportunity for women and underserved minorities 
to--in this field?
    Dr. Clancy. Certainly. So cybersecurity is notorious for 
its poor performance in diversity, both in terms of gender and 
racial background. So I think programs specifically targeting 
women and underrepresented minorities in order to increase 
awareness are critical, and most studies have found that this 
isn't something you can't start at college. This has to go all 
the way back to third and fourth grade where people are sort of 
beginning to decide whether or not a STEM career is what they 
want to pursue or not.
    Mr. McNerney. Thank you, Mr. Chairman.
    Chairman Abraham. All right, good stuff.
    I thank the witnesses for their testimony, very valuable, 
and Members for their great questions. The record will remain 
open for two weeks for additional comments and written 
questions from members.
    This hearing is adjourned.
    [Whereupon, at 3:24 p.m., the Subcommittee was adjourned.]