FEDERAL COMMUNICATIONS COMMISSION
WASHINGTON

OFFICE OF
THE CHAIRMAN

November 13, 2018

The Honorable Ron Wyden
United States Senate
221 Dirksen Senate Office Building
Washington, D.C. 20510

Dear Senator Wyden:
I write in response to your letter regarding the importance of protecting our
communications networks. I agree with you that our nation's networks must be robust and
resilient. As you know, the Department of Homeland Security's Office of Cybersecurity and
Communications is the designated agency responsible for overseeing cybersecurity preparedness
of the communications sector. The Commission plays a supporting role, as a partner with DHS,
in identifying vulnerabilities and working with stakeholders to increase security and resiliency in
communications network infrastructure.
The Commission's efforts in this area primarily operate through the Communications
Security, Reliability, and Interoperability Council (CSRIC). Last year, CSRIC V recommended
best practices to prevent exploitation of Signaling System 7 (SS7). The Commission encouraged
carriers to adopt those best practices in August 2017. Earlier this year, we sought comment from
the public, industry, and other stakeholders on the implementation of those best practices, and
our staff are reviewing the responses. We hope this additional information will help inform the
Commission on their use and effectiveness. You also request in your letter a copy of the CSRIC
V Working Group 10 Risk Assessment Report. We welcome you or your staff to come to the
Commission to review that report in camera.
Further, CSRIC VI released its Final Report on recommendations to mitigate security
risks on the Diameter protocol in March, and continues its work on assessing the risks and
recommending best practices for 5G, including those risks associated with the Internet of Things
devices. I appreciate the hard work of CSRIC, which includes the participation of DHS officials.
Regarding Customer Proprietary Network Information (CPNI) breaches, including SS7specific breaches, I should note that carriers do not report this information to the FCC. Instead,
as required by federal law and in line with the Commission's supporting role when it comes to
cybersecurity matters, they report that information to the law enforcement agencies that may take
action on it through the CPNI Breach Reporting Facility, managed by the U.S. Secret Service.
For more than a decade, the Commission's rules have required electronic notification of CPNI
breaches to the U.S. Secret Service and the Federal Bureau of Investigation so those entities can
conduct criminal investigations as appropriate. The Commission has only indirect access to the
CPNI Breach Reporting Facility and only for the purpose of ensuring compliance with our CPNI
rules. If you would like additional data, you may wish to contact those agencies that oversee the

 Page 2-The Honorable Ron Wyden

CPNI Breach Reporting Facility. Additionally, the Commission's rules require that carriers,
rather than the Commission, notify individuals of any breaches that involve their CPNJ.
I appreciate your interest in this matter. Please let me know if I can be of any further
assistance.