The publication is reproduced in full below:
UNDERSTANDING CYBERSECURITY OF MOBILE NETWORKS ACT
Mr. PALLONE. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 2685) to direct the Assistant Secretary of Commerce for Communications and Information to submit to Congress a report examining the cybersecurity of mobile service networks, and for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 2685
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Understanding Cybersecurity of Mobile Networks Act''.
SEC. 2. REPORT ON CYBERSECURITY OF MOBILE SERVICE NETWORKS.
(a) In General.--Not later than 1 year after the date of the enactment of this Act, the Assistant Secretary, in consultation with the Department of Homeland Security, shall submit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report examining the cybersecurity of mobile service networks and the vulnerability of such networks and mobile devices to cyberattacks and surveillance conducted by adversaries.
(b) Matters to Be Included.--The report required by subsection (a) shall include the following:
(1) An assessment of the degree to which providers of mobile service have addressed, are addressing, or have not addressed cybersecurity vulnerabilities (including vulnerabilities the exploitation of which could lead to surveillance conducted by adversaries) identified by academic and independent researchers, multistakeholder standards and technical organizations, industry experts, and Federal agencies, including in relevant reports of--
(A) the National Telecommunications and Information Administration;
(B) the National Institute of Standards and Technology; and
(C) the Department of Homeland Security, including--
(i) the Cybersecurity and Infrastructure Security Agency; and
(ii) the Science and Technology Directorate.
(2) A discussion of--
(A) the degree to which customers (including consumers, companies, and government agencies) consider cybersecurity as a factor when considering the purchase of mobile service and mobile devices; and
(B) the commercial availability of tools, frameworks, best practices, and other resources for enabling such customers to evaluate cybersecurity risk and price tradeoffs.
(3) A discussion of the degree to which providers of mobile service have implemented cybersecurity best practices and risk assessment frameworks.
(4) An estimate and discussion of the prevalence and efficacy of encryption and authentication algorithms and techniques used in each of the following:
(A) Mobile service.
(B) Mobile communications equipment or services.
(C) Commonly used mobile phones and other mobile devices.
(D) Commonly used mobile operating systems and communications software and applications.
(5) A discussion of the barriers for providers of mobile service to adopt more efficacious encryption and authentication algorithms and techniques and to prohibit the use of older encryption and authentication algorithms and techniques with established vulnerabilities in mobile service, mobile communications equipment or services, and mobile phones and other mobile devices.
(6) An estimate and discussion of the prevalence, usage, and availability of technologies that authenticate legitimate mobile service and mobile communications equipment or services to which mobile phones and other mobile devices are connected.
(7) An estimate and discussion of the prevalence, costs, commercial availability, and usage by adversaries in the United States of cell site simulators (often known as international mobile subscriber identity-catchers) and other mobile service surveillance and interception technologies.
(c) Consultation.--In preparing the report required by subsection (a), the Assistant Secretary shall, to the degree practicable, consult with--
(1) the Federal Communications Commission;
(2) the National Institute of Standards and Technology;
(3) the intelligence community;
(4) the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security;
(5) the Science and Technology Directorate of the Department of Homeland Security;
(6) academic and independent researchers with expertise in privacy, encryption, cybersecurity, and network threats;
(7) participants in multistakeholder standards and technical organizations (including the 3rd Generation Partnership Project and the Internet Engineering Task Force);
(8) international stakeholders, in coordination with the Department of State as appropriate;
(9) providers of mobile service, including small providers (or the representatives of such providers) and rural providers (or the representatives of such providers);
(10) manufacturers, operators, and providers of mobile communications equipment or services and mobile phones and other mobile devices;
(11) developers of mobile operating systems and communications software and applications; and
(12) other experts that the Assistant Secretary considers appropriate.
(d) Scope of Report.--The Assistant Secretary shall--
(1) limit the report required by subsection (a) to mobile service networks;
(2) exclude consideration of 5G protocols and networks in the report required by subsection (a);
(3) limit the assessment required by subsection (b)(1) to vulnerabilities that have been shown to be--
(A) exploited in non-laboratory settings; or
(B) feasibly and practicably exploitable in real-world conditions; and
(4) consider in the report required by subsection (a) vulnerabilities that have been effectively mitigated by manufacturers of mobile phones and other mobile devices.
(e) Form of Report.--
(1) Classified information.--The report required by subsection (a) shall be produced in unclassified form but may contain a classified annex.
(2) Potentially exploitable unclassified information.--The Assistant Secretary shall redact potentially exploitable unclassified information from the report required by subsection (a) but shall provide an unredacted form of the report to the committees described in such subsection.
(f) Authorization of Appropriations.--There is authorized to be appropriated to carry out this section $500,000 for fiscal year 2022. Such amount is authorized to remain available through fiscal year 2023.
(g) Definitions.--In this section:
(1) Adversary.--The term ``adversary'' includes--
(A) any unauthorized hacker or other intruder into a mobile service network; and
(B) any foreign government or foreign nongovernment person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.
(2) Assistant secretary.--The term ``Assistant Secretary'' means the Assistant Secretary of Commerce for Communications and Information.
(3) Entity.--The term ``entity'' means a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.
(4) Intelligence community.--The term ``intelligence community'' has the meaning given that term in section 3 of the National Security Act of 1947 (50 U.S.C. 3003).
(5) Mobile communications equipment or service.--The term ``mobile communications equipment or service'' means any equipment or service that is essential to the provision of mobile service.
(6) Mobile service.--The term ``mobile service'' means, to the extent provided to United States customers, either or both of the following services:
(A) Commercial mobile service (as defined in section 332(d) of the Communications Act of 1934 (47 U.S.C. 332(d))).
(B) Commercial mobile data service (as defined in section 6001 of the Middle Class Tax Relief and Job Creation Act of 2012 (47 U.S.C. 1401)).
(7) Person.--The term ``person'' means an individual or entity.
(8) United states person.--The term ``United States person'' means--
(A) an individual who is a United States citizen or an alien lawfully admitted for permanent residence to the United States;
(B) an entity organized under the laws of the United States or any jurisdiction within the United States, including a foreign branch of such an entity; or
(C) any person in the United States.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from New Jersey (Mr. Pallone) and the gentleman from Ohio (Mr. Latta) each will control 20 minutes.
The Chair recognizes the gentleman from New Jersey.
General Leave
Mr. PALLONE. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days in which to revise and extend their remarks and include extraneous material on H.R. 2685.
The SPEAKER pro tempore. Is there objection to the request of the gentleman from New Jersey?
There was no objection.
Mr. PALLONE. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in strong support of H.R. 2685, the Understanding Cybersecurity of Mobile Networks Act.
There is no shortage of concerning headlines about cybersecurity attacks on our critical infrastructure, including our communications networks. The reports range anywhere from a hacker looking for users' personal information to sophisticated intelligence gathering on U.S. officials by foreign adversaries.
The severe nature of these attacks coupled with the important information carried across wireless networks demands our attention. We must be vigilant in ensuring our networks are as secure as possible. That is the goal of H.R. 2685, the Understanding Cybersecurity of Mobile Networks Act. It will help us gain additional data and insights from experts to determine what more we can do to make that happen.
Specifically, Mr. Speaker, the legislation requires the Assistant Secretary of Commerce for Communications and Information to lead a study with the Department of Homeland Security. This study will examine the cybersecurity of mobile service networks and the vulnerability of those networks and mobile devices to cyberattacks and surveillance by adversaries. It not only includes an assessment of what providers are doing to keep their networks secure, but also an examination of consumer expectations with respect to network security.
I am proud of the bipartisan work that the Energy and Commerce Committee has undertaken over the past several years to secure our communication networks. This is another important step toward that effort, and I applaud Representatives Eshoo and Kinzinger for their leadership on this bill.
Mr. Speaker, I urge all my colleagues to support this bill, and I reserve the balance of my time.
Mr. LATTA. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise today in support of H.R. 2685, the Understanding Cybersecurity of Mobile Networks Act, which was introduced by Representatives Eshoo and Kinzinger.
Congress tasked the National Telecommunications and Information Administration with ensuring the national security of our Nation's telecommunications networks. In recent years we have seen large scale cybersecurity attacks that put Americans at risk.
While mobile service providers take numerous steps to address vulnerabilities in their networks and respond to threats, we know that threats to our mobile networks continue to exist.
The Energy and Commerce Committee has focused on securing our communications supply chains, and today we are taking another step forward to understanding these challenges. This legislation requires NTIA to study the cybersecurity of mobile networks and the vulnerabilities of these networks and mobile devices to cyberattacks and surveillance conducted by our adversaries.
This report will not only help inform NTIA's cybersecurity activities, including its work on the Communications Supply Chain Risk Information Sharing Program, but will also help providers understand the risks their networks face so they can respond appropriately.
Mr. Speaker, I want to thank the majority for working with us on this legislation. I urge my colleagues to support H.R. 2685, and I yield back the balance of my time.
Mr. PALLONE. Mr. Speaker, I urge support for this legislation, and I yield back the balance of my time.
Ms. ESHOO. Mr. Speaker, I rise in strong support of H.R. 2685, the Understanding Cybersecurity of Mobile Networks Act, bipartisan legislation I'm proud to have authored.
While all of us are inundated by advertisements for 5G, nearly all of our calls, texts, and mobile data traverse through 2G, 3G, and 4G networks today. We're moving toward a 5G world, but for the foreseeable future these older networks will handle most of our wireless communications.
Since cellphones became common in the 1990s, government agencies, academics, think tanks, industry associations, and independent researchers have discovered various cybersecurity vulnerabilities in our wireless networks. Wireless network companies, mobile device manufacturers, and other companies have responded to many of these vulnerabilities, but recent cybersecurity developments depict that vulnerabilities continue to exist in mobile cybersecurity. For example, Stingray's cell site simulators continue to intercept calls, texts, and mobile data of unwitting victims; SIM swaps are increasing as a means of identity fraud; and mobile spyware made by NSO Group and others has threatened the safety of journalists, activists, dissidents, and government officials around the globe. In each of these instances companies have taken certain actions to mitigate threats, but we lack a sophisticated, comprehensive, and independent assessment of what vulnerabilities persist, what issues have been resolved, and where mobile cybersecurity policymaking should be focused.
H.R. 2685 solves this lack of information. The legislation requires the National Telecommunications and Information Administration (NTIA), in coordination with the Department of Homeland Security (DHS), to conduct a comprehensive study on the cybersecurity vulnerabilities of our 2G, 3G, and 4G networks.
Specifically, the study will include an assessment of responses to known vulnerabilities and deployment of best practices; an estimate of the prevalence of effective encryption and authentication techniques, along with a discussion of barriers to adopting more efficacious techniques; a discussion of the prevalence, costs, availability, and usage of cell site simulators and other surveillance and interception technologies.
In addition to coordinating with DHS, the NTIA is required to consult the various federal agencies with relevant expertise, academic and independent researchers, multistakeholder and international organizations, and industry groups. While the report will be public, it will include a classified annex so details about vulnerabilities that could aid our adversaries are not publicized.
I first introduced the Understanding Cybersecurity of Mobile Networks Act last Congress with Rep. Adam Kinzinger, and I thank him for his continued partnership on the legislation, and I thank Communications and Technology Subcommittee Chairman Doyle and Ranking Member Latta and the Energy and Commerce Committee Chairman Pallone and Ranking Member Rodgers, for their support of this legislation.
I ask my colleagues to support the passage of H.R. 2685.
The SPEAKER pro tempore. The question is on the motion offered by the gentleman from New Jersey (Mr. Pallone) that the House suspend the rules and pass the bill, H.R. 2685, as amended.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds being in the affirmative, the ayes have it.
Mr. ROY. Mr. Speaker, on that I demand the yeas and nays.
The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 8, the yeas and nays are ordered.
Pursuant to clause 8 of rule XX, further proceedings on this motion are postponed.
____________________
SOURCE: Congressional Record Vol. 167, No. 206