June 22, 2016–An FCC advisory board today formally named a new working group that will seek ways to address security vulnerabilities in the signaling system 7 (SS7) telephony signaling protocol and other legacy systems and services. The FCC’s Communications Security, Reliability, and Interoperability Council added a working group to its existing lineup – working group 10 – to study vulnerabilities in SS7 and other legacy systems. Such systems present organizations with hard choices, said David Simpson, chief of the FCC’s Public Safety and Homeland Security Bureau.
“As you get to the end of life of the system, you really don’t want to put another penny into it if you can avoid it, but that is when risk often is at its greatest,” Mr. Simpson said at today’s CSRIC meeting. The new working group will be headed by two co-chairs, one of whom will be Danny McPherson, chief security officer at Verisign, Inc.
“The working group will be asked to consider and address several questions regarding security improvements to the authentication and encryption of SS7 traffic,” Mr. Simpson said. “We are hopeful that the recommendations that will result from this working group will lead to greater confidence and evidence of secure, resilient communication as the transition to next-generation communications continues.”
“I would ask the whole CSRIC to identify other legacy services or systems that the working group should consider,” he added. “They will have a pretty full schedule just working on SS7, but if there is another protocol or another particular category of systems that is as important as SS7 we want to hear about it and consider whether or not they would have the capacity to help in that regard.” SS7 security gaps were most recently exposed by a report televised on “60 Minutes” that led the FCC and congressional committees to take steps to understand and address the vulnerability.
Also at today’s CSRIC meeting, the group approved reports from working groups on the Emergency Alert System and submarine cable resiliency. The EAS group updated a handbook on EAS procedures that is required at all organizations that issue EAS alerts. The submarine cable group offered recommendations on ways to protect cables from other underwater activities, such as dredging or wind turbine installations. “One of the larger problems is there is really no single ‘call before you dig’ type of function” to protect undersea communications cables, said Catherine Creese, a co-chair of the working group and an official in the U.S. Navy’s Seafloor Cable Protection Office.
The group recommended making the FCC the primary point of contact for information about submarine cables. Ms. Creese noted that the agenda for the FCC’s June 24 meeting included an item regarding outage reporting by submarine cable operators (TRDaily, June 17).
Other CSRIC working groups gave updates on their work on 911 services, WiFi security, and cyber threat information-sharing in the communications sector. – Tom Leithauser, email@example.com