July 28, 2025

Wyden Calls for Release of Unclassified Report on National Security Threats to U.S. Phone System

As prepared for delivery

Watch a video of Wyden deliver his remarks here

Since July 2022, I’ve repeatedly urged CISA to release an important, unclassified report by independent cybersecurity experts that the agency commissioned, titled “U.S. Telecommunications Insecurity 2022.”

Congress and the American people must read this report. It includes frankly shocking details about national security threats to our country’s phone system that require immediate action.

CISA permitted my staff to read the report at the agency’s office in 2023. However, CISA has marked this unclassified report “For Official Use Only” and has refused to provide copies of the report to Congress or to make it public in response to Freedom of Information Act requests.

I asked then-CISA Director Easterly to release the report. When she didn’t act on my request, I wrote to President Biden in February 2024, urging him to address the serious national security threat posed by foreign governments exploiting U.S. phone carriers’ weak cybersecurity. The Biden Administration took no action.

CISA’s top telecommunications security expert was so concerned he filed a whistleblower report with the Federal Communications Commission (FCC). Citing his access to non-public reports and other “very concerning information,” the CISA official told the FCC that “there have been numerous incidents of successful, unauthorized attempts to access the network user location data of communications service providers operating in the USA.” He added that foreign surveillance went beyond location tracking and included “the monitoring of voice and text messages” and “the delivery of spyware to targeted devices.”

CISA’s multi-year cover up of the phone companies’ negligent cybersecurity enabled foreign hackers to perpetrate one of the most serious cases of espionage - ever - against our country. Had this report been made public when it was first written in 2022, Congress would have had ample time to require mandatory cybersecurity standards for phone companies, in time to prevent the Salt Typhoon hacks.

CISA and the Federal Bureau of Investigation have confirmed that the Chinese government hacked multiple phone companies and accessed vast troves of sensitive call records. They even co-opted the system designed for law enforcement to conduct wiretaps and accessed phone calls of politicians and other high-value targets.

Vice President Vance said his communications and President Trump’s were compromised in this hack, and the press reported that then-Leader Schumer was also targeted. This espionage incident was the direct result of phone carriers’ failure to follow cybersecurity best practices, such as installing security updates and using multi-factor authentication. That stuff is cybersecurity 101, and yet federal agencies failed to hold these companies accountable.

As far as I am aware, my office is the only one in the Senate to have read this report. But the contents of this report directly impact Congress, both regarding the security of the Senate’s communications, and issues that have been the subject of prior Congressional oversight.

When Chinese government hackers broke into the major phone networks last year, their targets included several Senators.

The report also directly discusses issues that have been the subject of oversight by Senators. In 2021, I wrote to the FCC, with several other senators, raising concerns about foreign companies remotely administering rural U.S. telecommunications carriers. We wrote that “we are also concerned by media reports suggesting that managed service providers may be partnering with for-profit surveillance companies, creating the possibility that these companies could provide their authoritarian clients with trusted access to U.S. telecommunications networks.”

None of these security vulnerabilities have been addressed, either by the government or the private sector. The federal government still does not even require U.S. phone companies to meet minimum cybersecurity standards. While it is too late to prevent the Salt Typhoon hack, there is still time to prevent the next incident.

###