Two U.S. senators are accusing the Department of Defense of not doing enough to protect the communications of its military personnel, as the U.S. government contends with an ongoing Chinese hacking campaign targeting American phone and internet giants. The senators say the Department of Defense still relies too heavily on old-fashioned landline calls, and unencrypted cellular calls and texts, which are vulnerable to snooping by foreign spies.
Democratic Senator Ron Wyden from Oregon and Republican Senator Eric Schmitt from Missouri specifically point to threats, such as the Chinese government espionage group known as Salt Typhoon, which was recently accused of breaking into major U.S. telecommunications providers, including AT&T and Verizon, to spy on Americans.
“The widespread adoption of insecure, proprietary tools is the direct result of DOD leadership failing to require the use of default end-to-end encryption, a cybersecurity best practice, as well as a failure to prioritize communications security when evaluating different communications platforms,” the senators wrote in a bipartisan letter to the Department of Defense’s government watchdog. “DOD’s failure to secure its unclassified voice, video, and text communications with end-to-end encryption technology has left it needlessly vulnerable to foreign espionage.”
The senators also mention SS7, a decades-old protocol that phone carriers around the world still use to route calls and texts (and which is routinely exploited for espionage), and its successor protocol, Diameter, as weaknesses that DOD employees are still vulnerable to, given that global telcos have yet to adopt new methods to protect regular calls and texts in transit.
Wyden and Schmitt are asking the DOD to reconsider its contracts with the U.S. telcos, and instead “renegotiate with the contracted wireless carriers, to require them to adopt meaningful cyber defenses against surveillance threats, and if requested, to share their third-party cybersecurity audits with DOD.”
The senators’ letter includes two whitepapers — one from earlier in July and another from October — that the DOD sent to Wyden’s office, responding to a series of questions related to the department’s cybersecurity posture.
Answering a question about SS7, the DOD’s chief information officer concedes that DOD agrees SS7 and Diameter are not secure, writing that, “there are limited protections” against weaknesses the carriers themselves, “therefore DOD managed mobile solutions encrypt data in transit to protect against passive collection.”
At the same time, the CIO wrote that DOD has not conducted its own audits, instead relying on telecommunications providers’ own and third-party commissioned audits. DOD, however, has not reviewed those audits because the carriers consider them protected as attorney-client privileged information.
The CIO also admitted that DOD hasn’t disabled roaming or rejected SS7 and Diameter traffic, even for DOD users in Russia, China, and other high-risk countries that are known for conducting cyberattacks on phones.
Jeffrey Castro, a spokesperson for the DOD’s Inspector General, told TechCrunch that the watchdog has received the letter and is reviewing it.