[Congressional Record Volume 169, Number 43 (Tuesday, March 7, 2023)]
[House]
[Pages H1128-H1130]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
UNDERSTANDING CYBERSECURITY OF MOBILE NETWORKS ACT
Mr. LATTA. Mr. Speaker, I move to suspend the rules and pass the bill
(H.R. 1123) to direct the Assistant Secretary of Commerce for
Communications and Information to submit to Congress a report examining
the cybersecurity of mobile service networks, and for other purposes,
as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 1123
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Understanding Cybersecurity
of Mobile Networks Act''.
SEC. 2. REPORT ON CYBERSECURITY OF MOBILE SERVICE NETWORKS.
(a) In General.--Not later than 1 year after the date of
the enactment of this Act, the Assistant Secretary, in
consultation with the Department of Homeland Security, shall
submit to the Committee on Energy and Commerce of the House
of Representatives and the Committee on Commerce, Science,
and Transportation of the Senate a report examining the
cybersecurity of mobile service networks and the
vulnerability of such networks and mobile devices to
cyberattacks and surveillance conducted by adversaries.
(b) Matters To Be Included.--The report required by
subsection (a) shall include the following:
(1) An assessment of the degree to which providers of
mobile service have addressed, are addressing, or have not
addressed cybersecurity vulnerabilities (including
vulnerabilities the exploitation of which could lead to
surveillance conducted by adversaries) identified by academic
and independent researchers, multistakeholder
[[Page H1129]]
standards and technical organizations, industry experts, and
Federal agencies, including in relevant reports of--
(A) the National Telecommunications and Information
Administration;
(B) the National Institute of Standards and Technology; and
(C) the Department of Homeland Security, including--
(i) the Cybersecurity and Infrastructure Security Agency;
and
(ii) the Science and Technology Directorate.
(2) A discussion of--
(A) the degree to which customers (including consumers,
companies, and government agencies) consider cybersecurity as
a factor when considering the purchase of mobile service and
mobile devices; and
(B) the commercial availability of tools, frameworks, best
practices, and other resources for enabling such customers to
evaluate cybersecurity risk and price tradeoffs.
(3) A discussion of the degree to which providers of mobile
service have implemented cybersecurity best practices and
risk assessment frameworks.
(4) An estimate and discussion of the prevalence and
efficacy of encryption and authentication algorithms and
techniques used in each of the following:
(A) Mobile service.
(B) Mobile communications equipment or services.
(C) Commonly used mobile phones and other mobile devices.
(D) Commonly used mobile operating systems and
communications software and applications.
(5) A discussion of the barriers for providers of mobile
service to adopt more efficacious encryption and
authentication algorithms and techniques and to prohibit the
use of older encryption and authentication algorithms and
techniques with established vulnerabilities in mobile
service, mobile communications equipment or services, and
mobile phones and other mobile devices.
(6) An estimate and discussion of the prevalence, usage,
and availability of technologies that authenticate legitimate
mobile service and mobile communications equipment or
services to which mobile phones and other mobile devices are
connected.
(7) An estimate and discussion of the prevalence, costs,
commercial availability, and usage by adversaries in the
United States of cell site simulators (often known as
international mobile subscriber identity catchers) and other
mobile service surveillance and interception technologies.
(c) Consultation.--In preparing the report required by
subsection (a), the Assistant Secretary shall, to the degree
practicable, consult with--
(1) the Federal Communications Commission;
(2) the National Institute of Standards and Technology;
(3) the intelligence community;
(4) the Cybersecurity and Infrastructure Security Agency of
the Department of Homeland Security;
(5) the Science and Technology Directorate of the
Department of Homeland Security;
(6) academic and independent researchers with expertise in
privacy, encryption, cybersecurity, and network threats;
(7) participants in multistakeholder standards and
technical organizations (including the 3rd Generation
Partnership Project and the Internet Engineering Task Force);
(8) international stakeholders, in coordination with the
Department of State as appropriate;
(9) providers of mobile service, including small providers
(or the representatives of such providers) and rural
providers (or the representatives of such providers);
(10) manufacturers, operators, and providers of mobile
communications equipment or services and mobile phones and
other mobile devices;
(11) developers of mobile operating systems and
communications software and applications; and
(12) other experts that the Assistant Secretary considers
appropriate.
(d) Scope of Report.--The Assistant Secretary shall--
(1) limit the report required by subsection (a) to mobile
service networks;
(2) exclude consideration of 5G protocols and networks in
the report required by subsection (a);
(3) limit the assessment required by subsection (b)(1) to
vulnerabilities that have been shown to be--
(A) exploited in non-laboratory settings; or
(B) feasibly and practicably exploitable in real-world
conditions; and
(4) consider in the report required by subsection (a)
vulnerabilities that have been effectively mitigated by
manufacturers of mobile phones and other mobile devices.
(e) Form of Report.--
(1) Classified information.--The report required by
subsection (a) shall be produced in unclassified form but may
contain a classified annex.
(2) Potentially exploitable unclassified information.--The
Assistant Secretary shall redact potentially exploitable
unclassified information from the report required by
subsection (a) but shall provide an unredacted form of the
report to the committees described in such subsection.
(f) Definitions.--In this section:
(1) Adversary.--The term ``adversary'' includes--
(A) any unauthorized hacker or other intruder into a mobile
service network; and
(B) any foreign government or foreign nongovernment person
engaged in a long-term pattern or serious instances of
conduct significantly adverse to the national security of the
United States or security and safety of United States
persons.
(2) Assistant secretary.--The term ``Assistant Secretary''
means the Assistant Secretary of Commerce for Communications
and Information.
(3) Entity.--The term ``entity'' means a partnership,
association, trust, joint venture, corporation, group,
subgroup, or other organization.
(4) Intelligence community.--The term ``intelligence
community'' has the meaning given that term in section 3 of
the National Security Act of 1947 (50 U.S.C. 3003).
(5) Mobile communications equipment or service.--The term
``mobile communications equipment or service'' means any
equipment or service that is essential to the provision of
mobile service.
(6) Mobile service.--The term ``mobile service'' means, to
the extent provided to United States customers, either or
both of the following services:
(A) Commercial mobile service (as defined in section 332(d)
of the Communications Act of 1934 (47 U.S.C. 332(d))).
(B) Commercial mobile data service (as defined in section
6001 of the Middle Class Tax Relief and Job Creation Act of
2012 (47 U.S.C. 1401)).
(7) Person.--The term ``person'' means an individual or
entity.
(8) United states person.--The term ``United States
person'' means--
(A) an individual who is a United States citizen or an
alien lawfully admitted for permanent residence to the United
States;
(B) an entity organized under the laws of the United States
or any jurisdiction within the United States, including a
foreign branch of such an entity; or
(C) any person in the United States.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
Ohio (Mr. Latta) and the gentlewoman from California (Ms. Eshoo) each
will control 20 minutes.
The Chair recognizes the gentleman from Ohio.
General Leave
Mr. LATTA. Mr. Speaker, I ask unanimous consent that all Members may
have 5 legislative days in which to revise and extend their remarks and
insert extraneous material in the Record on the bill.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from Ohio?
There was no objection.
Mr. LATTA. Mr. Speaker, I yield myself such time as I may consume.
I rise in support of H.R. 1123, the Understanding Cybersecurity of
Mobile Networks Act.
In recent years, we have seen a rise in large-scale cybersecurity
attacks that put Americans at risk. While mobile service providers take
numerous steps to address vulnerabilities in their networks, threats to
our mobile networks continue to exist.
To sufficiently address threats across networks, Congress needs a
sophisticated and comprehensive assessment of what vulnerabilities
persist, what issues have been resolved, and where mobile cybersecurity
policymaking should be focused.
The Understanding Cybersecurity of Mobile Networks Act requires the
National Telecommunications and Information Administration, NTIA, to
submit to Congress a comprehensive report examining the cybersecurity
of existing wireless networks and vulnerabilities to cyberattacks and
surveillance by adversaries.
This bipartisan bill will ensure that communication networks are safe
and protect the privacy and security of the American people.
I thank the gentlewoman from California's 16th District (Ms. Eshoo)
and the gentlewoman from Florida's Third District (Mrs. Cammack) for
leading this bipartisan legislation, and I urge my colleagues to
support it.
Mr. Speaker, I reserve the balance of my time.
Ms. ESHOO. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise this evening in strong support of H.R. 1123, the
Understanding Cybersecurity of Mobile Networks Act. It is bipartisan
legislation, and I am proud to have authored it.
Every single day Americans make calls, they send texts, and they
access data on 2G, 3G, and 4G networks.
Yet, we lack a comprehensive assessment of what vulnerabilities exist
on these networks, what issues have been resolved, and where mobile
cybersecurity policymaking should be focused.
That is what this legislation addresses. It requires the NTIA, as the
chairman said, in consultation with the Department of Homeland
Security, to
[[Page H1130]]
conduct a comprehensive study on the cybersecurity vulnerabilities of
these networks and report those findings to Congress.
Americans need to trust the networks that they use and know that
Congress is working to ensure that these networks are safe. This bill
will help us accomplish that.
I thank Congresswoman Kat Cammack for her partnership, and I urge all
of my colleagues to support the passage of H.R. 1123.
Mr. Speaker, I don't believe I have anyone on this side that wishes
to speak, and I yield back the balance of my time.
Mr. LATTA. Mr. Speaker, I yield 3 minutes to the gentlewoman from
Florida (Mrs. Cammack).
Mrs. CAMMACK. Mr. Speaker, I rise in strong support of H.R. 1123, the
Understanding Cybersecurity of Mobile Networks Act.
H.R. 1123 would require the National Telecommunications and
Information Administration, in partnership with relevant agencies and
other stakeholders, to study the current state of U.S. mobile
communications networks and to report to Congress on its findings.
This report is developed by compiling government and nongovernmental
research and would assess the cybersecurity of these networks and
vulnerabilities in the networks or mobile devices for cyberattacks and
surveillance conducted by our adversaries.
Americans rely on their phones and mobile networks more than ever to
communicate with family and friends and to conduct business all across
the country.
At the same time, cybersecurity threats to these essential U.S.
communications networks have never been higher.
Accordingly, Congress must be informed of these threats and any
successful tools or methods used to counter or mitigate existing cyber
threats. This bill would do just that by simply providing Congress an
overview of the status of mobile network cybersecurity, which would
include the degree to which cyber vulnerabilities have been addressed,
are being addressed, or will be addressed.
The report required by this bill takes an important first step in
tackling network security by informing Congress, stakeholders, and most
important, the American people of the security or lack thereof of these
vital mobile networks.
I am so proud to lead this bill along with my colleague, Ms. Eshoo,
and I thank my good friend, our chairman of the subcommittee, for his
leadership on this important issue.
Mr. Speaker, I urge all my colleagues to vote in support of this
bill.
Mr. LATTA. Mr. Speaker, cyberattacks are increasing in this country,
not decreasing. Again, that is why this bipartisan bill will ensure
that communications networks are safe and that they will protect the
privacy and security of the American people.
Mr. Speaker, I urge support of this very important legislation, and I
yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from Ohio (Mr. Latta) that the House suspend the rules and
pass the bill, H.R. 1123, as amended.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. LATTA. Mr. Speaker, on that I demand the yeas and nays.
The yeas and nays were ordered.
The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further
proceedings on this motion will be postponed.
____________________