On June 27, 2018, the U.S. House of Representatives Science, Space, and Technology Oversight Subcommittee held a hearing entitled “Bolstering Data Privacy and Mobile Security: An Assessment of IMSI Catcher Threats.” While the main purpose of the hearing was to examine current international mobile subscriber identity (“IMSI”) catcher technologies and the related security and privacy threats, the Subcommittee also discussed potential solutions to mitigate these threats, including additional  regulatory requirements for industry stakeholders.

The Subcommittee heard from the following three witnesses: Dr. Charles Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology (“NIST”); Dr. T. Charles Clancy, Director, Hume Center for National Security and Technology, Virginia Tech; and Dr. Jonathan Mayer, Assistant Professor of Computer Science and Public Affairs, Princeton University. In his opening statement, Subcommittee Chairman Abraham (R-LA) expressed disappointment that Department of Homeland Security (“DHS”) had declined to testify at the hearing.

From the outset, the Subcommittee appeared particularly focused on examining threats posed by IMSI catchers (commonly referred to as “stingrays” or “rogue base stations”) in the context of the DHS’s recent acknowledgment of  the apparent unauthorized use of IMSI catchers in and around Washington, D.C. Both Chairman Abraham and Representative Beyer (D-VA) expressed concern regarding device attribution and questioned the witnesses on the ability of the U.S. government and industry stakeholders to detect such devices. Dr. Mayer responded that, while the federal government should be looking at ways to improve detection capabilities, it would be far more effective for federal agencies to focus efforts on defending against IMSI catcher attacks.

Regarding the use of IMSI catcher technologies by law enforcement agencies, Chairman Abraham asked Dr. Mayer whether the Supreme Court’s recent ruling in Carpenter vs. United States would impact law enforcement’s use of such technologies. Mayer responded that he didn’t believe there would be an impact at the federal level, since it already is the established policy of both DHS and the Department of Justice to obtain search warrants before operating such devices. However, Mayer did note that it was his understanding that some state law enforcement agencies use IMSI catcher devices without obtaining search warrants beforehand.

The Subcommittee also asked the witnesses for their views on potential solutions for mitigating the threats posed by IMSI catchers, and what role Congress could play in these efforts. The NIST witness, Dr. Romine, emphasized the importance of NIST’s “active participation with the mobile network manufacturers and carriers in developing security standards for future networks.”  Dr. Clancy recommended that “carriers that have decommissioned their 2G infrastructure should update phone policies to only connect to 3G/4G networks when not roaming.”  He also highlighted the need for significant investment in research and development in the “cellular spaces,” noting the lack of U.S. government funding for 5G security research.

In his testimony, Dr. Mayer recommended that, “Congress should condition federal wireless expenditures” on operating system vendors, device manufacturers, and wireless carriers adopting certain cybersecurity best practices, such near-term rollouts of authenticated caller identification and mandatory, regular cybersecurity audits.

We will continue to monitor the Subcommittee’s activities on these issues and provide updates on any significant developments.