Understanding Cybersecurity of Mobile Networks Act
- Bill Number
- H.R. 1709
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Science, Technology, Communications
- Status
- Passed House
- Latest Action
- 2025-07-15: Received in the Senate and Read twice and referred to the Committee on Commerce, Science, and Transportation.
- Last Updated
- 2026-07-10T19:58:20Z
AI-Generated Summary
Purpose
The "Understanding Cybersecurity of Mobile Networks Act" (H.R. 1709) aims to increase congressional oversight of mobile network security by requiring a detailed federal report on vulnerabilities in mobile services. It focuses on assessing risks from cyberattacks and surveillance by adversaries (such as unauthorized hackers or foreign entities posing threats to U.S. national security), excluding 5G networks, to inform future policy without mandating immediate changes.
Key Provisions
- Report Requirement: Within one year of enactment, the Assistant Secretary of Commerce for Communications and Information (part of the National Telecommunications and Information Administration, or NTIA) must submit a report to the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation. The report, prepared in consultation with the Department of Homeland Security (DHS), examines cybersecurity in mobile service networks (commercial mobile services and data services provided to U.S. customers) and vulnerabilities in networks and devices.
- Report Contents:
- Assessment of how mobile service providers have addressed (or failed to address) known cybersecurity vulnerabilities identified by researchers, standards groups, experts, and federal agencies like NTIA, the National Institute of Standards and Technology (NIST), and DHS components (Cybersecurity and Infrastructure Security Agency, or CISA, and Science and Technology Directorate). Focuses on vulnerabilities exploited in real-world (non-lab) settings or feasibly exploitable, while noting effective mitigations by device manufacturers.
- Discussion of customer (consumers, businesses, government) views on cybersecurity when buying mobile services or devices, and availability of tools for evaluating risks versus costs.
- Evaluation of providers' use of cybersecurity best practices and risk assessment frameworks.
- Estimates on the use and effectiveness of encryption (methods to secure data) and authentication (verifying user or device identity) in mobile services, equipment, phones, devices, operating systems, and apps.
- Analysis of barriers preventing providers from adopting stronger encryption/authentication or banning outdated, vulnerable ones.
- Review of technologies that verify legitimate mobile services and equipment connections.
- Estimates on the prevalence, costs, availability, and adversary use in the U.S. of cell site simulators (devices like "IMSI catchers" that mimic cell towers to intercept signals) and similar surveillance tools.
- Consultation Process: The Assistant Secretary must consult, where practical, with a wide range of experts, including:
- Federal entities (e.g., Federal Communications Commission or FCC, NIST, intelligence community, CISA, DHS Science and Technology Directorate).
- Academics, independent researchers, and standards groups (e.g., 3rd Generation Partnership Project, Internet Engineering Task Force).
- International partners (via the Department of State), mobile providers (including small and rural ones), equipment manufacturers, device makers, software developers, and other experts.
- Report Format and Scope:
- Produced unclassified, with an optional classified annex.
- Redacts (removes) unclassified but potentially exploitable details from the public version; full unredacted report goes to the specified committees.
- Strictly limited to non-5G mobile networks; considers only practical, real-world vulnerabilities.
- Definitions: Clarifies terms like "adversary" (hackers or foreign actors harming U.S. security), "mobile service" (commercial mobile and data services for U.S. users), and "U.S. person" (citizens, permanent residents, U.S. entities, or anyone in the U.S.).
Significant Changes to Existing Law
This act introduces a new, standalone reporting requirement without amending prior laws. It builds on existing frameworks (e.g., references to the Communications Act of 1934 and the Middle Class Tax Relief and Job Creation Act of 2012 for defining mobile services) but does not alter regulations, enforcement powers, or penalties. It emphasizes information-gathering over regulatory mandates.
Potential Impacts
- Government Agencies: Requires coordination and resource allocation at NTIA, DHS, and other agencies for report preparation, potentially leading to enhanced inter-agency collaboration on cybersecurity. Could influence future budgets or policies for mobile security without direct funding.
- Citizens: Raises public awareness of mobile vulnerabilities through the report's findings, empowering consumers to make informed choices about secure devices and services. May indirectly improve privacy and security by highlighting surveillance risks from tools like cell site simulators.
- International Relations: Involves consultations with foreign stakeholders, which could foster global standards for mobile security but might strain relations if the report critiques foreign adversaries' surveillance activities.
Main Stakeholders Affected
- Federal Government: NTIA (lead agency), DHS (CISA and Science Directorate), FCC, NIST, intelligence community, and congressional committees overseeing the report.
- Industry: Mobile service providers (large, small, rural), equipment manufacturers, device makers (e.g., phone producers), and software developers, who must provide input and may face scrutiny on practices.
- Consumers and Businesses: U.S. individuals, companies, and government users of mobile services, affected by discussions on risk evaluation and security tradeoffs.
- Researchers and Experts: Academics, independent analysts, and standards organizations contributing to the report.
- Adversaries and International Actors: Foreign governments or entities involved in cyber threats, indirectly targeted through vulnerability assessments.
Notable Legal, Constitutional, or Political Implications
- Legal: Establishes a procedural obligation for federal reporting without creating new enforceable rights, liabilities, or criminal penalties. The redaction of exploitable information balances transparency with national security, potentially setting a precedent for handling sensitive cyber data in public reports.
- Constitutional: Aligns with Congress's oversight powers under Article I (e.g., regulating commerce and national security) and does not raise First Amendment or privacy concerns, as it focuses on assessment rather than surveillance or speech restrictions.
- Political: Signals bipartisan concern over mobile cybersecurity amid rising threats from foreign adversaries, potentially pressuring industry for voluntary improvements. Could spur future legislation if the report reveals gaps, but its non-binding nature limits immediate controversy. The exclusion of 5G avoids overlapping with ongoing debates on next-generation networks.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Cosponsors (4)
Rep. Cammack, Kat [R-FL-3], Rep. Fitzpatrick, Brian K. [R-PA-1], Rep. Houchin, Erin [R-IN-9], Rep. Nunn, Zachary [R-IA-3]
Recent Actions
- 2025-07-15: Received in the Senate and Read twice and referred to the Committee on Commerce, Science, and Transportation.
- 2025-07-14: Motion to reconsider laid on the table Agreed to without objection.
- 2025-07-14: On motion to suspend the rules and pass the bill Agreed to by the Yeas and Nays: (2/3 required): 360 - 10 (Roll no. 191). (text: CR H3209-3210) (Roll call 191)
- 2025-07-14: Passed/agreed to in House: On motion to suspend the rules and pass the bill Agreed to by the Yeas and Nays: (2/3 required): 360 - 10 (Roll no. 191). (Roll call 191)
- 2025-07-14: Considered as unfinished business. (consideration: CR H3230-3231)
- 2025-07-14: At the conclusion of debate, the Yeas and Nays were demanded and ordered. Pursuant to the provisions of clause 8, rule XX, the Chair announced that further proceedings on the motion would be postponed.
- 2025-07-14: DEBATE - The House proceeded with forty minutes of debate on H.R. 1709.
- 2025-07-14: Considered under suspension of the rules. (consideration: CR H3209-3211)
- 2025-07-14: Mr. Latta moved to suspend the rules and pass the bill.
- 2025-06-30: Placed on the Union Calendar, Calendar No. 143.
- 2025-06-30: Reported by the Committee on Energy and Commerce. H. Rept. 119-177.
- 2025-06-30: Reported by the Committee on Energy and Commerce. H. Rept. 119-177.
- 2025-03-04: Ordered to be Reported by Voice Vote.
- 2025-03-04: Committee Consideration and Mark-up Session Held
- 2025-02-27: Referred to the House Committee on Energy and Commerce.
Bill Versions
- Understanding Cybersecurity of Mobile Networks Act — issued 2025-07-14 — PDF (10 pages)
- Understanding Cybersecurity of Mobile Networks Act — issued 2025-02-27 — PDF (9 pages)
- Understanding Cybersecurity of Mobile Networks Act — issued 2025-07-15 — PDF (9 pages)
- Understanding Cybersecurity of Mobile Networks Act — issued 2025-06-30 — PDF (12 pages)