Communications Daily is a service of Warren Communications News.
Subscriber Login

CISA Plans to Release 2022 Report on US Telecom Vulnerabilities After Senate Pressure

July 30, 2025 by Jimm Phillips|Capitol Hill

The Cybersecurity and Infrastructure Security Agency said Tuesday it plans to release an unclassified 2022 report it commissioned on U.S. telecom networks’ security vulnerabilities amid a renewed pressure campaign from Sen. Ron Wyden, D-Ore. The Senate on Monday night passed by unanimous consent Wyden’s Telecom Cybersecurity Transparency Act (S-2480) to force the CISA report’s release, but the measure still requires approval from the House, which is on recess until Sept. 2. Wyden has also placed a hold on CISA director nominee Sean Plankey, which would prevent a swift confirmation process if the Homeland Security Committee advances him Wednesday.

Sign up for a free preview to unlock the rest of this article

Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!

Start My Free Preview

CISA “intends to release [the 2022 report] that was developed but never released under the Biden administration … with proper clearance,” a spokesperson emailed. The agency “has worked with telecommunications providers before, during and after" the 2024 Salt Typhoon hacking incident, which was affiliated with the Chinese government (see 2411190073), "sharing timely threat intelligence, providing technical support and continues to have close collaboration with our federal partners to safeguard America’s communications infrastructure.”

Wyden said on the Senate floor ahead of S-2480’s passage that the 2022 CISA report includes “frankly shocking details about national security threats to our country’s phone system that require immediate action.” Wyden, who has been seeking the report’s release since 2022, said his staff was able to read it at the agency’s office, but it “has marked this unclassified report ‘For Official Use Only’ and has refused to provide copies of the report to Congress or to make it public in response to Freedom of Information Act requests.”

He also noted the FCC’s January declaratory ruling and NPRM in response to the Salt Typhoon incident, which followed a CISA official’s whistleblower report to the commission (see 2501160041). “Had this report been made public when it was first written in 2022, Congress would have had ample time to require mandatory cybersecurity standards for phone companies, in time to prevent” Salt Typhoon, Wyden said.