In the wake of a widespread telecommunications breach at the hands of China, a US senator is proposing legislation aimed at enforcing cybersecurity standards across the communications industry — but it's unclear how efficacious they could be.
Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, UNC2286) recently overtook Volt Typhoon as China's threat actor du jour, thanks to a year-plus campaign of cyber espionage against at least eight telcos, including AT&T, Verizon, and T-Mobile. Its winnings were remarkable: Not only did the group manage to steal extensive metadata on calls and text messages between ordinary Americans, but it also reportedly accessed and even recorded calls involving high-ranking government officials. Reports from the same time highlighted breaches of both the Trump and Harris campaigns and the Biden administration. The group is also active globally.
In the wake of that national security failure, Sen. Ron Wyden (D-Ore.) on Dec. 10 released draft legislation aimed at securing US phone networks. The "Secure American Communications Act" would require the Federal Communications Commission (FCC) to issue new cybersecurity rules for telcos and enforce those that have already been applied based on older legislation.
"Sen. Wyden deserves credit for putting critical infrastructure security in the spotlight," says Madison Horn, former congressional candidate for Oklahoma's 5th district. She suggests, however, that the proposal is less revolutionary than rhetorical. "His push for stronger cybersecurity standards is important, but let's be clear — most of what he's calling for already exists."
Has the FCC Been Negligent in Enforcing Telco Security?
In a press release, Wyden's staff framed his bill not as a major change to the telecommunications industry, but a wake-up call — "to fix [the FCC's] own failure to fully implement telecom security requirements already required by federal law."
At issue is Title I, Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), which:
Requires a carrier to ensure that any interception of communications or [call-identifying information] access effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of a carrier officer or employee acting in accordance with Federal Communications Commission (FCC) regulations.
Wyden's camp argues that this provision, formulated without specific regard for cyber systems, "required providers to secure their systems from unauthorized interceptions, and gave the FCC the authority to issue regulations to implement this requirement," adding that "in the years since, the FCC has never fully implemented this provision."
FCC Chairwoman Jessica Rosenworcel agreed, in a draft Declaratory Ruling shared with her fellow commissioners last week. And besides affirming that interpretation of Section 105, Rosenworcel floated a proposal requiring communications services providers (CSPs) to submit annual reports, "attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks." Unlike the newly drafted bill in the Senate, this ruling would take effect immediately if it were adopted.
What Wyden's Telco Security Bill Misses
The Secure American Communications Act, similarly, proposes that CSPs conduct, document, and report annual vulnerability testing, and engage with independent auditors for annual assessments of FCC cybersecurity compliance. Above all, the bill proposes that the FCC enforce the spirit of Section 105 by implementing cybersecurity requirements aimed at blocking unauthorized access to these networks.
Are these the steps necessary to prevent the next Salt Typhoon-style attack against American communications?
In Horn's view, "The problem isn’t a lack of rules. Telcos are required to follow FCC rules, NIST standards, and ISO 27001 protocols. They conduct annual cybersecurity certifications, report breaches to multiple agencies — with CISA being a prime example — and manage supply chain risks. The efforts to secure supply chains, especially after Huawei’s impact, have already led to significant regulatory action."
Instead of a lack of rules and regulations, she argues, "It's largely a resources and scaling problem. We’re talking about a US telecommunications network that spans 800,000 miles of fiber-optic cables and 113,000 miles of long-haul fiber routes, not to mention undersea cables and satellite links. Every mile of that network introduces new endpoints and attack surfaces. The real challenge is ensuring the frameworks we already have can be implemented faster, more effectively, and at this monumental scale."
Bulky legacy systems ill-equipped to adapt to new cybersecurity guidelines, insufficient funding for cybersecurity projects, and an insufficient pool of cybersecurity talent nationwide aren't problems that can be fixed with the stroke of a pen, either.
"Our adversaries are operating at the speed of war, while we’re moving at the speed of paperwork," she laments. "Attacks like Salt Typhoon don’t succeed because our policies failed — they succeed because our capacity to act didn’t keep pace with the threat."