The FCC’s Public Safety and Homeland Security Bureau released a public notice today seeking comments on implementation of best practices recommended by the Communications Security, Reliability, and Interoperability Council to address cyber vulnerabilities in Signaling System 7 (SS7), a 1970s-era technology widely used to connect phone calls.
The bureau released a public notice last August recommending that providers implement the best practices (TR Daily, Aug. 24, 2017), which were recommended by CSRIC in March 2017.
“The Bureau seeks public comment, including from communications service providers and other stakeholders, on the implementation and effectiveness of the March 2017 CSRIC recommendations regarding SS7 security risks. The Bureau also seeks comment on any alternatives to the CSRIC recommendations that communications service providers have implemented or plan to implement to help address SS7 security risks,” today’s public notice said.
In particular, the bureau is seeking comment on specific issues.
“CSRIC’s Legacy Risk Reductions Report contained nine specific recommendations for reducing SS7 security risks and increasing situational awareness,” the public notice observed. “What progress has been made by communications service providers in implementing the recommendations? To the extent communications service providers plan to implement the recommendations but have not yet done so, what are their plans to implement the recommendations? What factors have communications service providers considered in devising these implementation plans? What barriers have communications service providers encountered in implementing the recommendations? What factors have communications service providers used to determine whether any of the recommendations are not suitable for their networks?”
“What successes have communications service providers achieved by implementing the recommendations?” the bureau also asked. “What indicators (qualitative and quantitative) have communications service providers used to determine the correlation between implementation of the recommendations and reduction in SS7 security risks? How effective are the recommended measures in reducing SS7 security risks? Are there alternatives that could be more effective than the measures recommended by CSRIC, and if so, what are these alternatives and why are they more effective?”
“Have communications service providers shared potential SS7 security risks with their various internal business units and key business clients that rely on SS7 signaling (e.g., SMS) as well as to interconnected peer providers, and if so, how?” the bureau asked. “What measures have been implemented to help protect the privacy of subscriber data from SS7 exploits? How long do communications service providers keep SS7 network logs in the normal course of business, and would longer retention times be helpful in responding to potential SS7 security compromises?”
Comments are due May 3 and replies June 4 in PS docket 18-99.

- Paul Kirby