Communications Service Providers Asked to Adopt the FCC CSRIC Guidance on Signaling System 7 Vulnerability Reduction

Last week, the FCC’s Public Safety and Homeland Security Bureau released a Public Notice (“Notice”) urging communications service providers to review and assess how they can incorporate the recommendations from the Communications Security, Reliability, and Interoperability Council (“CSRIC”) V, Working Group 10 March 2017 Report to abate Signaling System 7 (“SS7”) protocol security vulnerabilities (the “SS7 Report”). SS7 is a communications protocol used within telephone networks to aid call setup, routing, billing and other functions between fixed and mobile service providers.

In the Notice, the FCC notes that there have been several recent reports and research findings that “call attention to security vulnerabilities present within SS7 networks.” One such report, in April 2016, brought significant attention to the issue: it involved hackers exploiting the SS7 issues to listen in on the phone calls of Rep. Ted Lieu (CA). Following that report, some members of Congress called for the FCC to examine the issue and report to Congress. Shortly thereafter, the FCC directed CSRIC, an FCC advisory committee, to review the matter and provide recommendations.

In March, Rep. Lieu and Sen. Ron Wyden (OR) sent a letter to current FCC Chairman Ajit Pai expressing concern about the state of telecommunications cybersecurity in America. They noted that the SS7 Report was an important first step, but asked that the FCC implement the Report’s recommendations and renew the CSRIC for another charter to investigate additional security matters. The Notice appears to be an effort to respond to such concerns, highlighting the Report’s findings and encouraging communications service providers to implement them.

The SS7 Report recommends that industry take the following steps to reduce vulnerability risks:

  • Monitor network interconnections used to pass traffic to and from peer networks;
  • Use signaling aggregators’ role as a point of originating network traffic to monitor and filter suspicious traffic;
  • Conduct periodic security assessments of SS7 infrastructure;
  • Continue threat information sharing efforts with public and private partners and incorporate SS7 risk scenarios into the Department of Homeland Security’s (“DHS’s”) automated information sharing pilot program;
  • Follow the SS7 best practices from the GSM Association, including guidelines on increasing secure signaling and information sharing;
  • Participate in industry and standards forums to address emerging security risks;
  • Explore further work as it relates to the possible benefits of Circles-of-Trust, a concept involving protecting and growing trust between service providers so they can safely pass traffic; and
  • Promote the use of encryption technologies for voice and data communications, particularly for highly sensitive applications or very important persons.

In the Notice, the FCC mentions that issues involving Diameter, a newer communications protocol replacing SS7 on some networks, and 5G networks are being considered by the current CSRIC, which started its new charter in June of this year.