CISA Gives in to Wyden, Promises Release of Telco Security Report – No Timeline Given

The Unveiling of a Long-Held Cybersecurity Controversy

A long-awaited report on the security vulnerabilities within America’s telecommunications networks is finally set to be released, marking a significant moment in the ongoing battle over transparency and national security. The US Cybersecurity and Infrastructure Security Agency (CISA) has announced its intention to make public an unclassified report from 2022 that details serious weaknesses in the country's telecom infrastructure. This development comes after years of pressure from lawmakers and cybersecurity experts who have raised concerns about the lack of action on the findings.

The report, known as the "US Telecommunications Insecurity Report (2022)," was originally prepared under the Biden administration but never officially released. CISA Director of Public Affairs Marci McCarthy stated that the agency is working to ensure the document is cleared for release, though specific timelines remain unclear. Despite this, the agency has been reluctant to answer direct questions about when the report will become available to the public.

This issue has become a focal point for Senator Ron Wyden (D-OR), who has been advocating for the report's disclosure since July 2022. Wyden’s efforts have had a direct impact on the confirmation process of Sean Plankey, the nominee for CISA director. In April, Wyden blocked Plankey’s nomination in an attempt to force the release of the report. His strategy worked in 2018 when he delayed the confirmation of Chris Krebs, the first CISA director, until information about surveillance on American mobile devices was made available.

Wyden’s current hold on Plankey’s nomination remains in place, as CISA has not yet provided a clear timeline or explanation for the report’s release. According to Keith Chu, deputy policy director for Wyden, the senator is determined to keep his hold until the full report is made public. “Senator Wyden intends to keep his hold in place until CISA has released the report,” Chu said.

On Monday, the Senate passed legislation requiring CISA to release the report within 30 days of being signed into law. While the bill still needs approval from the House and the president, it reflects strong bipartisan support for transparency. Wyden emphasized the importance of the report, calling it a critical piece of information that includes “frankly shocking details about national security threats to our country’s phone system.”

The vulnerabilities in American carriers’ security have been a growing concern for years. One of CISA’s leading telecommunications security experts reportedly filed a whistleblower report with the Federal Communications Commission, highlighting the risks posed by weak cybersecurity measures. Wyden described the situation as a multi-year cover-up, which he claims allowed Chinese cyber espionage group Salt Typhoon to infiltrate telecom companies' networks in one of the most serious cases of espionage against the United States.

According to Wyden, if the report had been released when it was written in 2022, Congress would have had the opportunity to implement mandatory cybersecurity standards for phone companies, potentially preventing the Salt Typhoon attacks. The incident also prompted a Cyber Safety Review Board (CSRB) investigation before the board was dissolved on the day President Trump resumed office.

In addition, Senator Maria Cantwell (D-WA) recently demanded that Mandiant, a Google-owned incident response firm, provide security assessments related to the Salt Typhoon attacks on AT&T and Verizon. Both companies have so far refused to comply with the request.

As the debate over the report continues, the broader implications for national security and public trust in government agencies are becoming increasingly apparent. The release of this document could mark a turning point in how the U.S. addresses cybersecurity threats and ensures transparency in its defense strategies.