[Congressional Record Volume 169, Number 43 (Tuesday, March 7, 2023)]
[House]
[Pages H1128-H1130]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




           UNDERSTANDING CYBERSECURITY OF MOBILE NETWORKS ACT

  Mr. LATTA. Mr. Speaker, I move to suspend the rules and pass the bill 
(H.R. 1123) to direct the Assistant Secretary of Commerce for 
Communications and Information to submit to Congress a report examining 
the cybersecurity of mobile service networks, and for other purposes, 
as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 1123

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Understanding Cybersecurity 
     of Mobile Networks Act''.

     SEC. 2. REPORT ON CYBERSECURITY OF MOBILE SERVICE NETWORKS.

       (a) In General.--Not later than 1 year after the date of 
     the enactment of this Act, the Assistant Secretary, in 
     consultation with the Department of Homeland Security, shall 
     submit to the Committee on Energy and Commerce of the House 
     of Representatives and the Committee on Commerce, Science, 
     and Transportation of the Senate a report examining the 
     cybersecurity of mobile service networks and the 
     vulnerability of such networks and mobile devices to 
     cyberattacks and surveillance conducted by adversaries.
       (b) Matters To Be Included.--The report required by 
     subsection (a) shall include the following:
       (1) An assessment of the degree to which providers of 
     mobile service have addressed, are addressing, or have not 
     addressed cybersecurity vulnerabilities (including 
     vulnerabilities the exploitation of which could lead to 
     surveillance conducted by adversaries) identified by academic 
     and independent researchers, multistakeholder

[[Page H1129]]

     standards and technical organizations, industry experts, and 
     Federal agencies, including in relevant reports of--
       (A) the National Telecommunications and Information 
     Administration;
       (B) the National Institute of Standards and Technology; and
       (C) the Department of Homeland Security, including--
       (i) the Cybersecurity and Infrastructure Security Agency; 
     and
       (ii) the Science and Technology Directorate.
       (2) A discussion of--
       (A) the degree to which customers (including consumers, 
     companies, and government agencies) consider cybersecurity as 
     a factor when considering the purchase of mobile service and 
     mobile devices; and
       (B) the commercial availability of tools, frameworks, best 
     practices, and other resources for enabling such customers to 
     evaluate cybersecurity risk and price tradeoffs.
       (3) A discussion of the degree to which providers of mobile 
     service have implemented cybersecurity best practices and 
     risk assessment frameworks.
       (4) An estimate and discussion of the prevalence and 
     efficacy of encryption and authentication algorithms and 
     techniques used in each of the following:
       (A) Mobile service.
       (B) Mobile communications equipment or services.
       (C) Commonly used mobile phones and other mobile devices.
       (D) Commonly used mobile operating systems and 
     communications software and applications.
       (5) A discussion of the barriers for providers of mobile 
     service to adopt more efficacious encryption and 
     authentication algorithms and techniques and to prohibit the 
     use of older encryption and authentication algorithms and 
     techniques with established vulnerabilities in mobile 
     service, mobile communications equipment or services, and 
     mobile phones and other mobile devices.
       (6) An estimate and discussion of the prevalence, usage, 
     and availability of technologies that authenticate legitimate 
     mobile service and mobile communications equipment or 
     services to which mobile phones and other mobile devices are 
     connected.
       (7) An estimate and discussion of the prevalence, costs, 
     commercial availability, and usage by adversaries in the 
     United States of cell site simulators (often known as 
     international mobile subscriber identity catchers) and other 
     mobile service surveillance and interception technologies.
       (c) Consultation.--In preparing the report required by 
     subsection (a), the Assistant Secretary shall, to the degree 
     practicable, consult with--
       (1) the Federal Communications Commission;
       (2) the National Institute of Standards and Technology;
       (3) the intelligence community;
       (4) the Cybersecurity and Infrastructure Security Agency of 
     the Department of Homeland Security;
       (5) the Science and Technology Directorate of the 
     Department of Homeland Security;
       (6) academic and independent researchers with expertise in 
     privacy, encryption, cybersecurity, and network threats;
       (7) participants in multistakeholder standards and 
     technical organizations (including the 3rd Generation 
     Partnership Project and the Internet Engineering Task Force);
       (8) international stakeholders, in coordination with the 
     Department of State as appropriate;
       (9) providers of mobile service, including small providers 
     (or the representatives of such providers) and rural 
     providers (or the representatives of such providers);
       (10) manufacturers, operators, and providers of mobile 
     communications equipment or services and mobile phones and 
     other mobile devices;
       (11) developers of mobile operating systems and 
     communications software and applications; and
       (12) other experts that the Assistant Secretary considers 
     appropriate.
       (d) Scope of Report.--The Assistant Secretary shall--
       (1) limit the report required by subsection (a) to mobile 
     service networks;
       (2) exclude consideration of 5G protocols and networks in 
     the report required by subsection (a);
       (3) limit the assessment required by subsection (b)(1) to 
     vulnerabilities that have been shown to be--
       (A) exploited in non-laboratory settings; or
       (B) feasibly and practicably exploitable in real-world 
     conditions; and
       (4) consider in the report required by subsection (a) 
     vulnerabilities that have been effectively mitigated by 
     manufacturers of mobile phones and other mobile devices.
       (e) Form of Report.--
       (1) Classified information.--The report required by 
     subsection (a) shall be produced in unclassified form but may 
     contain a classified annex.
       (2) Potentially exploitable unclassified information.--The 
     Assistant Secretary shall redact potentially exploitable 
     unclassified information from the report required by 
     subsection (a) but shall provide an unredacted form of the 
     report to the committees described in such subsection.
       (f) Definitions.--In this section:
       (1) Adversary.--The term ``adversary'' includes--
       (A) any unauthorized hacker or other intruder into a mobile 
     service network; and
       (B) any foreign government or foreign nongovernment person 
     engaged in a long-term pattern or serious instances of 
     conduct significantly adverse to the national security of the 
     United States or security and safety of United States 
     persons.
       (2) Assistant secretary.--The term ``Assistant Secretary'' 
     means the Assistant Secretary of Commerce for Communications 
     and Information.
       (3) Entity.--The term ``entity'' means a partnership, 
     association, trust, joint venture, corporation, group, 
     subgroup, or other organization.
       (4) Intelligence community.--The term ``intelligence 
     community'' has the meaning given that term in section 3 of 
     the National Security Act of 1947 (50 U.S.C. 3003).
       (5) Mobile communications equipment or service.--The term 
     ``mobile communications equipment or service'' means any 
     equipment or service that is essential to the provision of 
     mobile service.
       (6) Mobile service.--The term ``mobile service'' means, to 
     the extent provided to United States customers, either or 
     both of the following services:
       (A) Commercial mobile service (as defined in section 332(d) 
     of the Communications Act of 1934 (47 U.S.C. 332(d))).
       (B) Commercial mobile data service (as defined in section 
     6001 of the Middle Class Tax Relief and Job Creation Act of 
     2012 (47 U.S.C. 1401)).
       (7) Person.--The term ``person'' means an individual or 
     entity.
       (8) United states person.--The term ``United States 
     person'' means--
       (A) an individual who is a United States citizen or an 
     alien lawfully admitted for permanent residence to the United 
     States;
       (B) an entity organized under the laws of the United States 
     or any jurisdiction within the United States, including a 
     foreign branch of such an entity; or
       (C) any person in the United States.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Ohio (Mr. Latta) and the gentlewoman from California (Ms. Eshoo) each 
will control 20 minutes.
  The Chair recognizes the gentleman from Ohio.


                             General Leave

  Mr. LATTA. Mr. Speaker, I ask unanimous consent that all Members may 
have 5 legislative days in which to revise and extend their remarks and 
insert extraneous material in the Record on the bill.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Ohio?
  There was no objection.
  Mr. LATTA. Mr. Speaker, I yield myself such time as I may consume.
  I rise in support of H.R. 1123, the Understanding Cybersecurity of 
Mobile Networks Act.
  In recent years, we have seen a rise in large-scale cybersecurity 
attacks that put Americans at risk. While mobile service providers take 
numerous steps to address vulnerabilities in their networks, threats to 
our mobile networks continue to exist.
  To sufficiently address threats across networks, Congress needs a 
sophisticated and comprehensive assessment of what vulnerabilities 
persist, what issues have been resolved, and where mobile cybersecurity 
policymaking should be focused.
  The Understanding Cybersecurity of Mobile Networks Act requires the 
National Telecommunications and Information Administration, NTIA, to 
submit to Congress a comprehensive report examining the cybersecurity 
of existing wireless networks and vulnerabilities to cyberattacks and 
surveillance by adversaries.
  This bipartisan bill will ensure that communication networks are safe 
and protect the privacy and security of the American people.
  I thank the gentlewoman from California's 16th District (Ms. Eshoo) 
and the gentlewoman from Florida's Third District (Mrs. Cammack) for 
leading this bipartisan legislation, and I urge my colleagues to 
support it.
  Mr. Speaker, I reserve the balance of my time.
  Ms. ESHOO. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise this evening in strong support of H.R. 1123, the 
Understanding Cybersecurity of Mobile Networks Act. It is bipartisan 
legislation, and I am proud to have authored it.
  Every single day Americans make calls, they send texts, and they 
access data on 2G, 3G, and 4G networks.
  Yet, we lack a comprehensive assessment of what vulnerabilities exist 
on these networks, what issues have been resolved, and where mobile 
cybersecurity policymaking should be focused.
  That is what this legislation addresses. It requires the NTIA, as the 
chairman said, in consultation with the Department of Homeland 
Security, to

[[Page H1130]]

conduct a comprehensive study on the cybersecurity vulnerabilities of 
these networks and report those findings to Congress.
  Americans need to trust the networks that they use and know that 
Congress is working to ensure that these networks are safe. This bill 
will help us accomplish that.
  I thank Congresswoman Kat Cammack for her partnership, and I urge all 
of my colleagues to support the passage of H.R. 1123.
  Mr. Speaker, I don't believe I have anyone on this side that wishes 
to speak, and I yield back the balance of my time.
  Mr. LATTA. Mr. Speaker, I yield 3 minutes to the gentlewoman from 
Florida (Mrs. Cammack).
  Mrs. CAMMACK. Mr. Speaker, I rise in strong support of H.R. 1123, the 
Understanding Cybersecurity of Mobile Networks Act.
  H.R. 1123 would require the National Telecommunications and 
Information Administration, in partnership with relevant agencies and 
other stakeholders, to study the current state of U.S. mobile 
communications networks and to report to Congress on its findings.
  This report is developed by compiling government and nongovernmental 
research and would assess the cybersecurity of these networks and 
vulnerabilities in the networks or mobile devices for cyberattacks and 
surveillance conducted by our adversaries.
  Americans rely on their phones and mobile networks more than ever to 
communicate with family and friends and to conduct business all across 
the country.
  At the same time, cybersecurity threats to these essential U.S. 
communications networks have never been higher.
  Accordingly, Congress must be informed of these threats and any 
successful tools or methods used to counter or mitigate existing cyber 
threats. This bill would do just that by simply providing Congress an 
overview of the status of mobile network cybersecurity, which would 
include the degree to which cyber vulnerabilities have been addressed, 
are being addressed, or will be addressed.
  The report required by this bill takes an important first step in 
tackling network security by informing Congress, stakeholders, and most 
important, the American people of the security or lack thereof of these 
vital mobile networks.
  I am so proud to lead this bill along with my colleague, Ms. Eshoo, 
and I thank my good friend, our chairman of the subcommittee, for his 
leadership on this important issue.
  Mr. Speaker, I urge all my colleagues to vote in support of this 
bill.
  Mr. LATTA. Mr. Speaker, cyberattacks are increasing in this country, 
not decreasing. Again, that is why this bipartisan bill will ensure 
that communications networks are safe and that they will protect the 
privacy and security of the American people.
  Mr. Speaker, I urge support of this very important legislation, and I 
yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Ohio (Mr. Latta) that the House suspend the rules and 
pass the bill, H.R. 1123, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. LATTA. Mr. Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further 
proceedings on this motion will be postponed.

                          ____________________