CISA to release long-buried US telco security report • The Register

07/29/2025


The US Cybersecurity and Infrastructure Security Agency on Tuesday finally agreed to make public an unclassified report from 2022 about American telecommunications networks’ poor security practices.

“CISA intends to release the US Telecommunications Insecurity Report (2022) that was developed but never released under the Biden administration in 2022, with proper clearance,” CISA Director of Public Affairs Marci McCarthy said in an emailed statement to The Register.

“CISA has worked with telecommunications providers before, during, and after Salt Typhoon — sharing timely threat intelligence, providing technical support and continues to have close collaboration with our federal partners to safeguard America’s communications infrastructure,” the statement continued.

The agency declined to answer The Register’s specific questions, including when it intends to release the contentious report.

The release of an unclassified, three-year-old document sounds like a minor deal. But this report has been the bane of US Senator Ron Wyden’s (D-OR) existence for years, and has put the nomination of would-be CISA boss Sean Plankey in limbo for months.

Wyden, back in April, blocked Plankey’s nomination in an attempt to force the report’s release. This tactic worked for the Democrat from Oregon back in 2018 when he put a hold on Trump’s first CISA director nominee, Chris Krebs, until Homeland Security agreed to hand over information about surveillance on Americans’ mobile devices.

This time around, the feds have put off saying anything about the document’s release right up to the 11th hour, with the Senate Homeland Security and Governmental Affairs Committee scheduled to vote on Plankey’s nomination during a Wednesday meeting.

And on Monday, the full Senate, without any dissenting votes, passed legislation to require CISA to release the report within 30 days of being signed into law. The bill still needs US House approval and must be signed by President Trump before it takes effect.

Wyden says he’s not lifting his block on Plankey’s nomination just yet.

“CISA has not told Sen. Wyden’s office when they plan to release the report, or explained what ‘proper clearance’ means,” the senator’s deputy policy director Keith Chu told The Register. “Senator Wyden intends to keep his hold in place until CISA has released the report.” 

“There was unanimous support for releasing that report in the Senate last night, and Sen. Wyden intends to keep pushing until Americans are able to see the threats to the phone system for themselves,” Chu said.

Wyden, a senior member of the Senate Intelligence Committee, has been urging CISA to release the report since July 2022. While America’s lead cyber-agency finally allowed the senator’s staff to read the missive in 2023, the full document has yet to be disclosed to the public.

“Congress and the American people must read this report,” Wyden told his fellow senators ahead of the Monday vote. “It includes frankly shocking details about national security threats to our country’s phone system that require immediate action.”

American carriers’ weak security poses a threat to national security — and prompted one of CISA’s lead telecommunications security experts to file a whistleblower report with the Federal Communications Commission. Wyden said of the whistleblower:

What Wyden describes as “CISA’s multi-year cover up of the phone companies’ negligent cybersecurity” also enabled China’s Salt Typhoon cyberspies to hack into telecom companies’ networks in “one of the most serious cases of espionage — ever — against our country,” the senator said.

“Had this report been made public when it was first written in 2022, Congress would have had ample time to require mandatory cybersecurity standards for phone companies, in time to prevent the Salt Typhoon hacks,” according to Wyden.

How these and other Beijing-backed spies managed to break into US government and telecommunications networks and maintain their footholds inside the companies’ systems was also the subject of a Cyber Safety Review Board (CSRB) investigation prior to the board’s dissolution on the day President Trump resumed office.

Last week, US Senator Maria Cantwell (D-WA) demanded that Google-owned incident response firm Mandiant hand over the Salt Typhoon-related security assessments of AT&T and Verizon that, according to the lawmaker, both operators have thus far refused to give Congress. ®
