[Congressional Record Volume 167, Number 206 (Tuesday, November 30, 2021)]
[House]
[Pages H6687-H6689]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




           UNDERSTANDING CYBERSECURITY OF MOBILE NETWORKS ACT

  Mr. PALLONE. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 2685) to direct the Assistant Secretary of Commerce for 
Communications and Information to submit to Congress a report examining 
the cybersecurity of mobile service networks, and for other purposes, 
as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 2685

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Understanding Cybersecurity 
     of Mobile Networks Act''.

     SEC. 2. REPORT ON CYBERSECURITY OF MOBILE SERVICE NETWORKS.

       (a) In General.--Not later than 1 year after the date of 
     the enactment of this Act, the Assistant Secretary, in 
     consultation with the Department of Homeland Security, shall 
     submit to the Committee on Energy and Commerce of the House 
     of Representatives and the Committee on Commerce, Science, 
     and Transportation of the Senate a report examining the 
     cybersecurity of mobile service networks and the 
     vulnerability of such networks and mobile devices to 
     cyberattacks and surveillance conducted by adversaries.
       (b) Matters to Be Included.--The report required by 
     subsection (a) shall include the following:
       (1) An assessment of the degree to which providers of 
     mobile service have addressed, are addressing, or have not 
     addressed cybersecurity vulnerabilities (including 
     vulnerabilities the exploitation of which could lead to 
     surveillance conducted by adversaries) identified by academic 
     and independent researchers, multistakeholder standards and 
     technical organizations, industry experts, and Federal 
     agencies, including in relevant reports of--
       (A) the National Telecommunications and Information 
     Administration;
       (B) the National Institute of Standards and Technology; and
       (C) the Department of Homeland Security, including--
       (i) the Cybersecurity and Infrastructure Security Agency; 
     and
       (ii) the Science and Technology Directorate.
       (2) A discussion of--
       (A) the degree to which customers (including consumers, 
     companies, and government agencies) consider cybersecurity as 
     a factor when considering the purchase of mobile service and 
     mobile devices; and
       (B) the commercial availability of tools, frameworks, best 
     practices, and other resources for enabling such customers to 
     evaluate cybersecurity risk and price tradeoffs.
       (3) A discussion of the degree to which providers of mobile 
     service have implemented cybersecurity best practices and 
     risk assessment frameworks.
       (4) An estimate and discussion of the prevalence and 
     efficacy of encryption and authentication algorithms and 
     techniques used in each of the following:
       (A) Mobile service.
       (B) Mobile communications equipment or services.
       (C) Commonly used mobile phones and other mobile devices.
       (D) Commonly used mobile operating systems and 
     communications software and applications.
       (5) A discussion of the barriers for providers of mobile 
     service to adopt more efficacious encryption and 
     authentication algorithms and techniques and to prohibit the 
     use of older encryption and authentication algorithms and 
     techniques with established vulnerabilities in mobile 
     service, mobile communications equipment or services, and 
     mobile phones and other mobile devices.
       (6) An estimate and discussion of the prevalence, usage, 
     and availability of technologies that authenticate legitimate 
     mobile service and mobile communications equipment or 
     services to which mobile phones and other mobile devices are 
     connected.
       (7) An estimate and discussion of the prevalence, costs, 
     commercial availability, and usage by adversaries in the 
     United States of cell site simulators (often known as 
     international mobile subscriber identity-catchers) and other 
     mobile service surveillance and interception technologies.
       (c) Consultation.--In preparing the report required by 
     subsection (a), the Assistant Secretary shall, to the degree 
     practicable, consult with--
       (1) the Federal Communications Commission;
       (2) the National Institute of Standards and Technology;
       (3) the intelligence community;
       (4) the Cybersecurity and Infrastructure Security Agency of 
     the Department of Homeland Security;
       (5) the Science and Technology Directorate of the 
     Department of Homeland Security;
       (6) academic and independent researchers with expertise in 
     privacy, encryption, cybersecurity, and network threats;
       (7) participants in multistakeholder standards and 
     technical organizations (including the 3rd Generation 
     Partnership Project and the Internet Engineering Task Force);
       (8) international stakeholders, in coordination with the 
     Department of State as appropriate;
       (9) providers of mobile service, including small providers 
     (or the representatives of such providers) and rural 
     providers (or the representatives of such providers);
       (10) manufacturers, operators, and providers of mobile 
     communications equipment or services and mobile phones and 
     other mobile devices;
       (11) developers of mobile operating systems and 
     communications software and applications; and
       (12) other experts that the Assistant Secretary considers 
     appropriate.
       (d) Scope of Report.--The Assistant Secretary shall--
       (1) limit the report required by subsection (a) to mobile 
     service networks;
       (2) exclude consideration of 5G protocols and networks in 
     the report required by subsection (a);
       (3) limit the assessment required by subsection (b)(1) to 
     vulnerabilities that have been shown to be--
       (A) exploited in non-laboratory settings; or
       (B) feasibly and practicably exploitable in real-world 
     conditions; and
       (4) consider in the report required by subsection (a) 
     vulnerabilities that have been effectively mitigated by 
     manufacturers of mobile phones and other mobile devices.
       (e) Form of Report.--
       (1) Classified information.--The report required by 
     subsection (a) shall be produced in unclassified form but may 
     contain a classified annex.
       (2) Potentially exploitable unclassified information.--The 
     Assistant Secretary shall redact potentially exploitable 
     unclassified information from the report required by 
     subsection (a) but shall provide an unredacted form of the 
     report to the committees described in such subsection.
       (f) Authorization of Appropriations.--There is authorized 
     to be appropriated to carry out this section $500,000 for 
     fiscal year 2022. Such amount is authorized to remain 
     available through fiscal year 2023.
       (g) Definitions.--In this section:
       (1) Adversary.--The term ``adversary'' includes--
       (A) any unauthorized hacker or other intruder into a mobile 
     service network; and
       (B) any foreign government or foreign nongovernment person 
     engaged in a long-term pattern or serious instances of 
     conduct significantly adverse to the national security of the 
     United States or security and safety of United States 
     persons.
       (2) Assistant secretary.--The term ``Assistant Secretary'' 
     means the Assistant Secretary of Commerce for Communications 
     and Information.
       (3) Entity.--The term ``entity'' means a partnership, 
     association, trust, joint venture, corporation, group, 
     subgroup, or other organization.
       (4) Intelligence community.--The term ``intelligence 
     community'' has the meaning given that term in section 3 of 
     the National Security Act of 1947 (50 U.S.C. 3003).
       (5) Mobile communications equipment or service.--The term 
     ``mobile communications equipment or service'' means any 
     equipment or service that is essential to the provision of 
     mobile service.
       (6) Mobile service.--The term ``mobile service'' means, to 
     the extent provided to United States customers, either or 
     both of the following services:
       (A) Commercial mobile service (as defined in section 332(d) 
     of the Communications Act of 1934 (47 U.S.C. 332(d))).
       (B) Commercial mobile data service (as defined in section 
     6001 of the Middle Class Tax Relief and Job Creation Act of 
     2012 (47 U.S.C. 1401)).
       (7) Person.--The term ``person'' means an individual or 
     entity.
       (8) United states person.--The term ``United States 
     person'' means--
       (A) an individual who is a United States citizen or an 
     alien lawfully admitted for permanent residence to the United 
     States;
       (B) an entity organized under the laws of the United States 
     or any jurisdiction within the United States, including a 
     foreign branch of such an entity; or
       (C) any person in the United States.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from New 
Jersey (Mr. Pallone) and the gentleman from Ohio (Mr. Latta) each will 
control 20 minutes.
  The Chair recognizes the gentleman from New Jersey.


                             General Leave

  Mr. PALLONE. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days in which to revise and extend their remarks 
and include extraneous material on H.R. 2685.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from New Jersey?
  There was no objection.
  Mr. PALLONE. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in strong support of H.R. 2685, the Understanding 
Cybersecurity of Mobile Networks Act.
  There is no shortage of concerning headlines about cybersecurity 
attacks on our critical infrastructure, including our communications 
networks. The reports range anywhere from a hacker looking for users' 
personal information to sophisticated intelligence gathering on U.S. 
officials by foreign adversaries.
  The severe nature of these attacks coupled with the important 
information carried across wireless networks demands our attention. We 
must be vigilant in ensuring our networks are as secure as possible. 
That is the goal of H.R. 2685, the Understanding Cybersecurity of 
Mobile Networks Act. It will help us gain additional data and insights 
from experts to determine what more we can do to make that happen.
  Specifically, Mr. Speaker, the legislation requires the Assistant 
Secretary of Commerce for Communications and Information to lead a 
study with the Department of Homeland Security. This study will examine 
the cybersecurity of mobile service networks and the vulnerability of 
those networks and mobile devices to cyberattacks and surveillance by 
adversaries. It not only includes an assessment of what providers are 
doing to keep their networks secure, but also an examination of 
consumer expectations with respect to network security.
  I am proud of the bipartisan work that the Energy and Commerce 
Committee has undertaken over the past several years to secure our 
communication networks. This is another important step toward that 
effort, and I applaud Representatives Eshoo and Kinzinger for their 
leadership on this bill.
  Mr. Speaker, I urge all my colleagues to support this bill, and I 
reserve the balance of my time.
  Mr. LATTA. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise today in support of H.R. 2685, the Understanding 
Cybersecurity of Mobile Networks Act, which was introduced by 
Representatives Eshoo and Kinzinger.
  Congress tasked the National Telecommunications and Information 
Administration with ensuring the national security of our Nation's 
telecommunications networks. In recent years we have seen large-scale 
cybersecurity attacks that put Americans at risk.

                              {time}  1600

  While mobile service providers take numerous steps to address 
vulnerabilities in their networks and respond to threats, we know that 
threats to our mobile networks continue to exist.
  The Energy and Commerce Committee has focused on securing our 
communications supply chains, and today we are taking another step 
forward to understanding these challenges. This legislation requires 
NTIA to study the cybersecurity of mobile networks and the 
vulnerabilities of these networks and mobile devices to cyberattacks 
and surveillance conducted by our adversaries.
  This report will not only help inform NTIA's cybersecurity 
activities, including its work on the Communications Supply Chain Risk 
Information Sharing Program, but will also help providers understand 
the risks their networks face so they can respond appropriately.
  Mr. Speaker, I want to thank the majority for working with us on this 
legislation. I urge my colleagues to support H.R. 2685, and I yield 
back the balance of my time.
  Mr. PALLONE. Mr. Speaker, I urge support for this legislation, and I 
yield back the balance of my time.
  Ms. ESHOO. Mr. Speaker, I rise in strong support of H.R. 2685, the 
Understanding Cybersecurity of Mobile Networks Act, bipartisan 
legislation I'm proud to have authored.
  While all of us are inundated by advertisements for 5G, nearly all of 
our calls, texts, and mobile data traverse through 2G, 3G, and 4G 
networks today. We're moving toward a 5G world, but for the foreseeable 
future these older networks will handle most of our wireless 
communications.
  Since cellphones became common in the 1990s, government agencies, 
academics, think tanks, industry associations, and independent 
researchers have discovered various cybersecurity vulnerabilities in 
our wireless networks. Wireless network companies, mobile device 
manufacturers, and other companies have responded to many of these 
vulnerabilities, but recent cybersecurity developments depict that 
vulnerabilities continue to exist in mobile cybersecurity. For example, 
Stingray's cell site simulators continue to intercept calls, texts, and 
mobile data of unwitting victims; SIM swaps are increasing as a means 
of identity fraud; and mobile spyware made by NSO Group and others has 
threatened the safety of journalists, activists, dissidents, and 
government officials around the globe. In each of these instances 
companies have taken certain actions to mitigate threats, but we lack a 
sophisticated, comprehensive, and independent assessment of what 
vulnerabilities persist, what issues have been resolved, and where 
mobile cybersecurity policymaking should be focused.
  H.R. 2685 solves this lack of information. The legislation requires 
the National Telecommunications and Information Administration (NTIA), 
in coordination with the Department of Homeland Security (DHS), to 
conduct a comprehensive study on the cybersecurity vulnerabilities of 
our 2G, 3G, and 4G networks.
  Specifically, the study will include an assessment of responses to 
known vulnerabilities and deployment of best practices; an estimate of 
the prevalence of effective encryption and authentication techniques,
along with a discussion of barriers to adopting more efficacious 
techniques; a discussion of the prevalence, costs, availability, and 
usage of cell site simulators and other surveillance and interception 
technologies.
  In addition to coordinating with DHS, the NTIA is required to consult 
the various federal agencies with relevant expertise, academic and 
independent researchers, multistakeholder and international 
organizations, and industry groups. While the report will be public, it 
will include a classified annex so details about vulnerabilities that 
could aid our adversaries are not publicized.
  I first introduced the Understanding Cybersecurity of Mobile Networks 
Act last Congress with Rep. Adam Kinzinger, and I thank him for his 
continued partnership on the legislation, and I thank Communications 
and Technology Subcommittee Chairman Doyle and Ranking Member Latta and 
the Energy and Commerce Committee Chairman Pallone and Ranking Member 
Rodgers, for their support of this legislation.
  I ask my colleagues to support the passage of H.R. 2685.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from New Jersey (Mr. Pallone) that the House suspend the 
rules and pass the bill, H.R. 2685, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. ROY. Mr. Speaker, on that I demand the yeas and nays.
  The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 
8, the yeas and nays are ordered.
  Pursuant to clause 8 of rule XX, further proceedings on this motion 
are postponed.
