The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
The U.S. government and lawmakers are scrambling to deal with the ongoing compromise of U.S. telecommunications companies by a Chinese espionage group dubbed Salt Typhoon. In the U.S., the campaign has compromised at least eight telecommunications companies and been ongoing for a year or more. The Cyber Safety Review Board examination of the incident has kicked off, but we already know the rough shape of what has happened.
At some U.S. telcos, the hackers were able to penetrate the portals used to submit court orders for interception requests, letting them see which phone numbers were being tasked. This is a counterintelligence boon, because the same portals were also used to task foreign surveillance, so Chinese intelligence services could see whether their own activities were being watched. All in all, it’s pretty bad, and to top it off, U.S. officials said they had not yet been able to evict the hackers. So it is not surprising that the U.S. administration and lawmakers are lining up to impose security regulations on telcos.
At a press briefing last week, Anne Neuberger, the deputy national security adviser for cyber, said the White House wanted “minimum cybersecurity practices at telecoms, from secure configurations to architecting to monitor for anomalous behavior to strong key management.” An unnamed senior official at the briefing said, “We believe that if the companies had in place minimum [security] practices … that would make it far riskier, harder, and costlier for the Chinese to gain access and maintain access.” “We believe that the voluntary approach has proved inadequate for the most critical companies that underpin our critical infrastructure,” the official added.
Also last week, Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel proposed a ruling that would interpret a section of the Communications Assistance for Law Enforcement Act (CALEA), the U.S.’s 1994 lawful intercept law, as making clear that carriers have a legal obligation to secure their networks against unlawful access and interception. The ruling would require telcos to create, update, and implement cybersecurity risk management plans.
At a glance, simply requiring a cybersecurity plan seems like a good idea. However, it is only a first step toward a comprehensive regime. The U.K.’s Telecommunications Security Code of Practice is highly detailed and includes specific security requirements spanning supply-chain management, physical security, identity management, and network architecture.
The code of practice grew out of the 2019 U.K. Telecoms Supply Chain Review, which was motivated by concerns about the involvement of Chinese firms such as Huawei and ZTE in U.K. critical infrastructure. The review determined that increasingly capable telecommunications services came with higher risk and therefore required more robust security.
That kind of detailed planning takes years: the U.K. code wasn’t published until 2022, after the enabling legislation was passed in 2021. The U.S. is already in deep doo doo and doesn’t have that time.
At the opposite end of the spectrum, Australian law simply requires that telcos “do their best” to prevent unauthorized access or interference and to protect confidentiality, integrity, and availability. This positive obligation to protect security was introduced way back in 2017, which in retrospect seems amazingly farsighted. It grew out of a recognition by some key people in government that security at telcos wasn’t as good as it should be and that giving telcos an obligation to protect it was a good idea, as documented in a 2013 parliamentary committee national security review.
Although the approaches taken by the U.K. and Australia are very different, the underlying intent of these laws and regulations is simply to increase telecommunications companies’ attention to and investment in security. In that regard, requiring a cybersecurity risk management plan seems like a sensible first step, albeit one that should have been taken years ago.
Of course, another short-term plan would be to give up on making telcos secure and just use Signal and WhatsApp like the FBI and Department of Homeland Security suggest. Shrug.
Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.