Understanding Cybersecurity of Mobile Networks Act

This bill requires the Commerce Department’s telecom office to deliver a report to Congress within one year on how secure mobile phone networks are, and how vulnerable those networks and everyday phones are to hacking and spying by adversaries. The report must look at whether wireless carriers are fixing known security problems, how much customers weigh security when choosing service or devices, how widely protections like encryption and authentication are used, and what blocks companies from using stronger protections or dropping older, weaker ones. It also has to examine tools that mimic cell towers (often called IMSI catchers), including how common and available they are in the United States.

The study is limited to mobile service networks (not 5G) and focuses on weaknesses proven outside the lab or clearly workable in the real world. The report will be public but may include a classified annex, and sensitive details can be redacted in the public version. In preparing the report, the agency should consult groups like the FCC, NIST, DHS/CISA, standards bodies (such as 3GPP and IETF), researchers, international partners, wireless carriers (including small and rural), and device and software makers.

• Who is affected: Wireless carriers; phone, equipment, and software makers; researchers and standards groups; and customers (people, businesses, and government) who use mobile service.
• What changes: No new rules on consumers. The government must gather and share a clear picture of mobile network security, including use of encryption and the spread of fake-tower tools (IMSI catchers).
• When: The report is due within one year of the law taking effect; it will be public, with a possible classified annex and some sensitive details removed from the public version.