Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
China United States Cellphones Communications Government

America's Phone Networks Could Soon Face Financial - and Criminal - Penalties for Insecure Networks (msn.com) 55

The head of America's FCC "has drafted plans to regulate the cybersecurity of telecommunications companies," reports the Washington Post, and the plans could include financial penalties phone network operators with insufficient security — "the first time the agency has asserted such powers under federal wiretapping law." Rosenworcel said the FCC's authority in this matter comes from Section 105 of the Communications Assistance for Law Enforcement Act [passed in 1994] — a single sentence that stipulates, without elaboration, that telecommunications carriers should ensure systems security "in accordance with regulations prescribed by the Commission." As one of the measures, she is seeking to require network providers to submit an annual certification to the FCC that they are implementing a cybersecurity risk management plan. In addition to imposing fines, the FCC could coordinate with other agencies to pursue criminal penalties against carriers deemed too careless on cybersecurity...

Biden administration officials said voluntary efforts to protect against aggressive Chinese hacking activity have fallen short. "We've had for the last decade voluntary public-private partnership efforts," Neuberger told The Post in a recent interview. "But we continue to see successful breaches, and in many cases, as with ransomware attacks, we continue to see pretty basic cybersecurity practices not being followed." With China's hackers becoming more brazen, pre-positioning themselves in U.S. critical networks, "we need to lock our digital doors," Neuberger said...

Cyber requirements can make a difference, she said. After the Colonial Pipeline ransomware attack in 2021 shut down one of the nation's largest energy pipelines for several days, creating a national security scare, the Transportation Security Administration issued several security directives, and today, all of the country's several dozen critical pipeline companies are in compliance, she said. Similar directives were subsequently issued for rail and aviation sectors, and the compliance rates in those industries are now at 68 and 57 percent respectively, she said.

This discussion has been archived. No new comments can be posted.

America's Phone Networks Could Soon Face Financial - and Criminal - Penalties for Insecure Networks

Comments Filter:
  • by Chromium_One ( 126329 ) on Sunday December 08, 2024 @11:40AM (#64999425)

    OF COURSE voluntary efforts have fallen short. Corps do not voluntarily throw proper resources at (perceived) cost sinks until forced to do so.

    • by gweihir ( 88907 ) on Sunday December 08, 2024 @01:30PM (#64999615)

      Indeed. No major industry has ever successfully "self-regulated". In Europe some are even admitting that this cannot work.

      • by shanen ( 462549 ) on Sunday December 08, 2024 @02:23PM (#64999713) Homepage Journal

        But do you really understand the scope of this particular problem?

        Here is a video about SS7 vulnerabilities He's a mathematician and approached the problem from an unusual perspective, but the results of his little experiments certainly dismayed me. Sad historical stuff, too. https://www.youtube.com/watch?... [youtube.com]

        Trying to think of a short summary, but it's difficult... Basically if a bad actor has sufficient financial resources, then your so-called smartphone is not your friend. But seems too obvious?

        • Re: (Score:3, Informative)

          by gweihir ( 88907 )

          You invalid AdHominem is invalid. I have attended my first talk on SS7 vulnerabilities about 25 years ago. The problem is that the US telco industry is lazy and does not even try to address the problems. But get this: I have had 3 spam calls in the last 20 years. Because a telco provider that does not use effective SS7 firewalling and anomaly detection here (some place in Europe) faces some pretty stiff fines.

          • by shanen ( 462549 )

            My, my, such thin skin. I was merely reacting to your comment as it stood and even looking for an excuse to share the video.

            Doesn't sound like you watched it. Perhaps too sure of yourself? However it did support some of your defensive extension. In particular, as regards the main violence the attackers went after a number of targets within a few minutes, but the post mortem research was only able to get data (from the firewall logs, presumably) for the many attempts that were blocked and circumstantial evid

            • by gweihir ( 88907 )

              You expect me to watch a _video_? Do you know where you are? People here do not even read the story!

              • by shanen ( 462549 )

                What did I expect? Not the flood of sock puppets targeting me with censor mod points. That is really an unfunny coincidence considering the evidence of your thin skin. I have already clarified that no ad hominem was intended.

                And I did NOT send a bare video link. I deliberately explained why I thought I hadn't wasted my time with that particular video. Should I have mentioned more about what sort of heavy duty mathematician he is? For examples, he's done a number of quite interesting videos about generative

        • by tlhIngan ( 30335 )

          Or just watch Veritasium cover the same aspect - where he hijacks a friend's cellphone while on a video call with them.

          https://youtu.be/wVyu7NB7W6Y?s... [youtu.be]

          Of course, it's interesting that 5G wireless doesn't use SS7 anynmore

          • Interesting, on New Pipe those links are you the same video, with the same comments. I'll watch later, thanks for sharing the link.
        • Just so you know,.... You're arguing with the thinnest skinned user around, he had me find out that Slashdot has an enemy setting... Anyway, I'll watch your video, as soon as I have time after work.
    • I used to work on telco enterprise systems. Netcracker is a major vendor in that world, and for the longest time one of their main programming shops was in Moscow (even though Netcracker was ostensibly located in Boston). I know that was 10 or 15 years ago and maybe they don't use that shop now, but those systems are huge and go in with the umbrella principle. (They're like an umbrella being shoved in your ass, and when they go live the umbrella opens and you're not getting it out for very long fucking time
    • by srone ( 124495 )

      Since I am now retired, I can peruse Slashdot endlessly. I applaud this info since it convinces me that my voicing the statement “That is just par for the course” is Never overused.

      So it goes Thank you K. Vonnegut

  • Risk? What risk?

    This is data that the telecoms sell to third parties already. So, other than ensuring that they recieve compensation for (customers) data that they market, what else is at risk?

    If a shopkeeper looks the other way when a poor person swipes a loaf of bread because they are hungry, is that of any concern of the governments?

    • by ClickOnThis ( 137803 ) on Sunday December 08, 2024 @12:53PM (#64999545) Journal

      If a shopkeeper looks the other way when a poor person swipes a loaf of bread because they are hungry, is that of any concern of the governments?

      Your analogy fails spectacularly.

      The entities doing the stealing are not poor. They are government agencies of sovereign nations. And they're not stealing bread to eat it, they're stealing information for nefarious purposes. Information about you and me.

      • > The entities doing the stealing are not poor.

        So, stealing bread to poison it and serve to the king?

      • by PPH ( 736903 )

        The entities doing the stealing are not poor.

        That doesn't matter. Stealing what AT&T was going to sell anyway isn't a security issue. If AT&T wants to file a police report for theft, that's up to them.

        they're stealing information for nefarious purposes.

        Who cares what the purpose is? If they paid AT&T for the data, these entities would be free to use it for "nefarious purposes". Or spreading peanut butter on it and eating it.

        Information about you and me.

        Doesn't matter. It belongs to AT&T. And they can sell it if they want.

  • Pointless effort (Score:3, Insightful)

    by RogueWarrior65 ( 678876 ) on Sunday December 08, 2024 @12:00PM (#64999449)

    Instead of requiring them to do this, the FCC should be requiring them to eliminate spam calls.

    • assert("walking" XOR "chewing gum")?

    • by gweihir ( 88907 )

      What is a "spam call"? Ah, you mean like the "Indian MS tech support call" I got about 12 years ago? Or maybe the other call I got about 7 years ago where they tried to make me sign up for a different health-insurance, but then the call-center got raided and everybody got arrested a few days later? Those calls? Of course, I am in Europe.

      Seriously, this is because your politicians do not care and want to do these things themselves to manipulate your votes. Vote better, make your voice heard and these calls w

      • What is a "spam call"?

        Probably like the 12 that my iPhone blocked on Friday alone. Or the 8 on Thursday. Wednesday was a good day and I only blocked 3. So like a lot of people, unless you're whitelisted you go directly to voicemail. And these spam calls almost never leave voicemail. Then before the election it was spam call and spam text hell from both sides.

  • But but... (Score:3, Interesting)

    by fluffernutter ( 1411889 ) on Sunday December 08, 2024 @12:02PM (#64999451)
    But banks and healthcare companies get off scott free??
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      The healthcare company might lose a CEO, but otherwise, yes.
    • I don't think you understand the intricacies of HIPAA. There is nothing "scott-free" about what happens to healthcare companies that lose private information to breaches. These companies face BIG fines and penalties for breaches, even if they did everything by the book.

  • No, they won’t (Score:5, Interesting)

    by hdyoung ( 5182939 ) on Sunday December 08, 2024 @12:06PM (#64999463)
    Absolute clickbait headline. The FCC chair has a “draft” of a “guideline” for a new regulation. Actual new regulations require an act of congress or at least agreement from the courts, and nowadays something like that would go all the way up to the SCOTUS. The head of the FCC is gonna change on January 20th. You think they’re gonna allow anything that creates a liability for one of Trump’s buddies?

    Some civil servant scribbled down an idea and posted it on the internet. Oh noes
  • by atheos ( 192468 ) on Sunday December 08, 2024 @12:11PM (#64999469) Homepage
    While we're at it, can they also be penalized for the dozens of fraudulent calls I receive on a daily basis? The ones they know have forged DIDs, yet they don't have any interest in blocking.
    • I would like to know what you, and many others, are doing to get all these spam calls. I'm trying to remember the last time I got one of those. It has definitely been months, if not over a year. Aside from the spam from the recent election, I never get these fraud calls.

    • While we're at it, can they also be penalized for the dozens of fraudulent calls I receive on a daily basis? The ones they know have forged DIDs, yet they don't have any interest in blocking.

      Um, how will they finance their second yacht if they don't sell those services? If you have a yacht on the West Coast, it is easier to just buy another yacht for the Caribbean than to have your crew sail your yacht there.

  • by laughingskeptic ( 1004414 ) on Sunday December 08, 2024 @12:39PM (#64999531)
    Most of these companies have contracts with the Department of Defense. How did they get these contracts without meeting the same requirements everyone else doing business with the DoD has to meet? It sounds like like they do not meet CMMC-1, but the general requirement is CMMC-3 -- or before CMMC was defined, "NIST SP 800-53 Moderate" -- first published in 2005 and required for contractors via NIST SP 800-171 in 2015.
    • by gweihir ( 88907 )

      Requirements and fulfilling them somewhat on paper is one thing. Actually fulfilling them in reality is quite another. And I say this as a part-time IT and IT security auditor. Without political will, all these requirements mean nothing. I have one audit customers that simply delays everything and halfasses the rest. They are about to get stomped so that it hurts from the regulator though. But without that regulator, all I can do is document the defects and shortcomings.

  • by fafalone ( 633739 ) on Sunday December 08, 2024 @12:48PM (#64999541)
    Well as long as we're fantasizing, they might as well demand latency lower than the speed of light allows, because as is still being demonstrated, backdoors to 'assist law enforcement' and having a secure network are just physically impossible.
    • That does seem to be the point.

      Brendan Carr is a real civil rights advocate - I've been following him for years. Very consistent.

      The No Bad Press/Too Big to Rig strategy seems to have paid off but I'd give 85% odds S.702 does not get reauthorized.

  • ALL companies that have or collect data about people should be help liable for loss of data. The problem is going to be how do you determine intent? If I have lots of security in place but I am still hacked by a day0 should i be liable? If I have no security, leave a default password is that grounds for penalties? A set of rules on what a company can collect and even better a set of rules that allow the user to remove that data at will would be better use of our legal system.
    • by gweihir ( 88907 )

      The GDPR does not require intent to allocate penalties. Mess up, regardless for whatever reason, get punished. Do not fix the problems and mess up badly enough again 2 or 3 times? Have your business shut down. See, not hard to do. Of course, AFAIK, there is a single case of a company that did things so badly they got a permanent prohibition to process personal data of any kind. That usually kills the organization.

    • by PPH ( 736903 )

      ALL companies that have or collect data about people should be help liable for loss of data.

      That doesn't matter. It's the telephone companies data. Don't like it? Don't do business with the telephone company.

      It would be like charging me criminally every time I lost my car keys.

  • by kmoser ( 1469707 ) on Sunday December 08, 2024 @01:30PM (#64999619)
    Financial penalty? Don't make me laugh. Companies will simply write those off as the cost of doing business and move on. If you really want to stop this from happening, start jailing execs at companies that don't adhere to stated security guidelines.
  • by Sloppy ( 14984 ) on Sunday December 08, 2024 @01:56PM (#64999675) Homepage Journal

    Doesn't CALEA criminalize making phone networks secure?!

    It sounds like if you're a telecommunications provider, then you're required by law to be a criminal. But at least you'll get to pick which kind of criminal. Yay freedom!

  • by Growlley ( 6732614 ) on Sunday December 08, 2024 @04:36PM (#64999857)
    until its some poor sod who has no one to pass the blame (and more importantly no power to change or argue back) on to is held to account
  • ... with insufficient security

    Which government department measures security and audits its providers? Which budget line item pays for that department?

    This isn't about finding a good answer. It's about demanding government work as intended.

    ... public-private partnership ...

    Translation: The government has no authority and/or political will to shine a light on this nest of vipers.

    In which case, this demand for responsibility and intervention will fail.

    ... to lock our digital doors ...

    Using a 30-year old 'key', you mean. It's clear, that has failed, and now the US government is demanding nothing ch

  • A financial penalty . . . . .

    So, here's some trivia. The telecom I work for makes about one point four BILLION a week. A WEEK.
    ( Gross profit for the twelve months ending September 30, 2024 was $73.123B )

    Show of hands for anyone who believes a financial penalty will mean or do anything at those profit levels ?
    ( Hell, they would probably claim the loss against their taxes at the end of the year )

    The company will do the math and determine which will cost them more. Fixing the problem or eating the penalty.
    (

  • This is moot. Trump is coming. He will rescind any sane proposal and give carte blanche to any company willing to lick his ass. He only cares about sycophancy, not facts. Musk will probably abolish the fcc anyhow, or any agency having any oversight over big corporations.
  • We don't believe you.

    > Chinese hacking activity

    You mean the CIA with their vault 7 BS. They can fool you into thinking anyone (else) is the attacker. If you secure the networks the CIA would not be able 50 infiltrate them, so it'll never happen.

    As ever, what are they attempting to distract you from?

  • The idea of the U.S. government holding a member of the ruling class accountable for being terrible at their job is the funniest thing I've heard all week.

Disc space -- the final frontier!

Working...