- Vulnerable U
- Posts
- After Salt Typhoon Hack, Wyden Calls For Telecom Security Mandates
After Salt Typhoon Hack, Wyden Calls For Telecom Security Mandates
Under Wyden's proposed bill, the Federal Communications Commission (FCC) would be required to issue security mandates for telecoms systems, aimed at preventing "unauthorized interceptions"
As details of the unprecedented Salt Typhoon cyberattack continue to emerge, Sen. Ron Wyden (D-Ore.) is proposing a new draft bill aimed at better securing phone and wireless networks.
Why It Matters: The espionage campaign stemmed from a breach of more than eight telecommunication companies, including reportedly AT&T, Lumen Technologies, Verizon and T-Mobile - and recent statements by U.S. officials show that many telecom companies haven’t even been able to fully remove the Chinese threat actors from their networks. Wyden, who for a long time has been highlighting the telecommunications industry’s lax security measures, hopes his new Secure American Communications Act will result in better security requirements and accountability for these companies.
Key Details:
Under the proposed bill, the Federal Communications Commission (FCC) would be required to issue security mandates for telecoms systems, aimed at preventing unauthorized interceptions
Telecom providers would be required to “evaluate whether the systems are susceptible to the interception of communications or access to call-identifying information without lawful authorization”
Providers would also need to undergo audits from independent, third-party companies to ensure that they are complying with these requirements
The Big Picture: The recent Salt Typhoon activity is a major breach, to the point that the FBI and CISA have warned Americans that they should use encrypted messaging apps due to the level of access Chinese threat actors appear to have. But for some telecommunications companies it’s the second - or even third - security incident they’ve dealt with this year, alone. For example, AT&T in July announced a security incident compromising the records of calls and texts of “nearly all” of its customers over certain periods of time, and in March the company responded to a separate incident involving a dataset with “AT&T data-specific fields” being sold on the dark web. While these previous incidents drew scrutiny for AT&T’s security practices from senators, the Salt Typhoon hack, which has impacted several companies and involved communications of U.S. government officials and political figures, puts the industry as a whole in the spotlight.
In his announcement of the Secure American Communications Act, Wyden didn’t pull any punches regarding the state of cybersecurity within the telecom industry, and stressed that Congress needs to “step up” and implement security requirements for providers.
“It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules,” Wyden said in a statement. “Telecom companies and federal regulators were asleep on the job and as a result, Americans’ calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security.”
As more details about the espionage campaign continue to emerge, government officials and security experts alike are looking at how this type of attack could have been prevented, and Wyden has also pointed to various other failures that amplified the impact of the Salt Typhoon espionage campaign. Earlier in December, the senator called for an investigation into the Department of Defense’s “failure to secure its unclassified voice, video, and text communications with end-to-end encryption technology.”