The ongoing fallout from the Salt Typhoon cyber attack on U.S. telcos may result in new requirements around network security plans
In the wake of the Salt Typhoon cyber attack that penetrated more than half a dozen U.S. telecom networks, the FCC is taking a hard look at network security requirements.
The national security fallout from the Salt Typhoon hack continues to emerge, but Deputy National Security Adviser Anne Neuberger has said that at least eight telecom companies—including AT&T, Verizon and Lumen—and dozens of countries are known to have been affected. More telecom companies may emerge as having been targeted in the attempt by allegedly state-backed Salt Typhoon to access wiretapping capabilities and the communications of specific political figures, the White House warned. Neuberger also said that while the hacked network providers are taking action, none of them “have fully removed the Chinese actors from these networks.”
Neuberger has said that the White House does not believe any classified communications were accessed. The Wall Street Journal has reported that Chinese hacking targets of Salt Typhoon included both the Harris and Trump campaigns, including Vice President Harris, VP-elect J.D. Vance and President-elect Donald Trump, as well as Senate staffers. Politico has also reported that the Chinese hackers were able to access cellular logs on a “vast number of Americans” as a result of the hacks.
Congress and the White House have both been paying close attention as information about the hack is uncovered. A classified briefing for Senators held earlier this week followed an earlier Senate hearing, and another Senate subcommittee hearing is scheduled for next week—at which Tim Donovan, president and CEO of the Competitive Carriers Association, is slated to testify.
FCC Chairwoman Jessica Rosenworcel was one of the officials who briefed Senators during the classified meeting this week. Reuters reported that incoming FCC Chair Brendan Carr said this week that he will work “with national security agencies through the transition and next year in an effort to root out the threat and secure our networks.”
The Federal Communications Commission, meanwhile, is seeking to take quick action on mandating increases in network security.
“While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future,” said Rosenworcel in a statement.
Accordingly, Rosenworcel said that she has proposed a draft ruling that part of the Communications Assistance for Law Enforcement Act (“CALEA”) legislation requires telecommunications carriers to secure their networks from unlawful access or interception of communications. That ruling has been presented to all the members of the FCC and would become effectively immediately upon a passing vote, the FCC noted. Rosenworcel also is proposing that telecom service providers submit annual attestation that they have “created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks.” The FCC would also pursue a Notice of Proposed Rulemaking seeking input on “additional ways to strengthen the cybersecurity posture of communications systems and services.”
The FCC recently proposed similar cybersecurity risk management plan requirements for submarine cable landing applicants and licensees, as incidents of deliberate cuts of sub-sea cables have risen. The Commission has also previously proposed that participants in the Emergency Alert System and Wireless Emergency Alerts maintain cybersecurity risk management plans, to prevent those systems from being hijacked.
“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Rosenworcel. “As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses.”
