The Congressional remedy for Salt Typhoon? More information sharing with industry

A year after Chinese hackers were found in U.S. telecom networks, Congress and federal agencies have taken few concrete actions to stop the next hack.
Sen. Ted Cruz (R-TX) speaks to members of the press outside the Russell Senate Office Building on Capitol Hill on September 13, 2023. (Alex Wong/Getty Images)

When news broke approximately a year ago that Chinese hackers had systemically penetrated at least nine major U.S. communications networks, the level of alarm from policymakers was clear.  

At a hearing held Tuesday by the Senate Committee on Commerce, experts offered differing assessments of the threat. While intelligence officials have characterized the Salt Typhoon operation’s targeting of high-level U.S. politicians as falling within the bounds of traditional geopolitical espionage, other experts argued that the unprecedented scale of China’s hacking activity in the U.S. telecom sector — and the country’s pursuit of broader, long-term access — constitutes a more systemic attack on critical infrastructure that poses a serious threat to national security.

Jamil Jaffer, executive director of the National Security Institute at George Mason University, noted before the committee that “the reality is that our adversaries don’t know where our red lines are” when it comes to intrusions like Salt Typhoon, because the U.S. has failed to effectively communicate its boundaries to adversary nations in cyberspace.

“They don’t know what we would do if those red lines are crossed, and to the extent that we do enforce them…in the cyber or telecommunications domain, we do it in a way that other adversaries can’t see,” said Jaffer.

Jaffer also criticized the U.S. government for both not doing enough to stop the attack ahead of time and relying too heavily on regulation to strengthen telecommunications cybersecurity. Instead, he advocated for closer voluntary cooperation and more information sharing between government and industry.

Senate Commerce Committee Chair Sen. Ted Cruz, R-Texas, and telecommunications subcommittee chair Sen. Deb Fischer, R-Neb., both endorsed the FCC’s recent decisions to withdraw a pair of new regulations issued by the agency in the waning days of the Biden administration. The first would have interpreted a decades-old law to say that telecoms have a legal obligation to protect their communications from unauthorized foreign interception. The second would have required telecoms to submit annual verification of their cybersecurity plans to the FCC.

FCC Chair Brendan Carr called those rules rushed and ineffective. He also said they were unnecessary, citing extensive conversations between the FCC and industry that had already produced voluntary cybersecurity improvements across the sector.

Cruz expressed support for the FCC’s decision, saying the rules would have forced telecoms to “chase the false security of compliance checklists instead of engaging in real-world threats” and divert resources from “the necessary partnerships and response capabilities that actually stop intrusions.”

“This [problem] needs foresight and agility, and it doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time,” said Cruz.

But that view was directly contradicted by a former FCC official at the hearing.

Debra Jordan, former chief of the commission’s Public Safety and Homeland Security Bureau, told lawmakers that the rules put out in January were an attempt by the FCC to “lean forward” and leverage flexible cyber standards rather than “sit back and wait for the next attack to happen.”

While Carr, Cruz and Fischer all cited increased cooperation with industry as sufficient, Jordan noted that the FCC does not cite any process by which providers are actually held accountable to meet specific commitments.

“From my experience as bureau chief, I’m not convinced that providers will take sufficient and sustained actions in the wake of Volt and Salt Typhoon without a strong verification regime,” she said.

Later, Sen. Maria Cantwell, D-Mass., noted that both AT&T and Verizon declined her request earlier this year for additional documentation detailing their response to the Salt Typhoon breach.

“Hardly a transparent effort,” Cantwell said. “I believe the American people deserve to know whether China is still in our telecom networks.”

Other FCC commissioners have also questioned the extent of the agency’s engagement with industry over Salt Typhoon. Last month, FCC Commissioner Anna Gomez told CyberScoop that she has not witnessed any robust discussions with telecom companies over the past year, adding that the only evidence she had of such conversations came from Carr’s statements.

She also lamented that the FCC’s withdrawal of telecom cybersecurity regulations would eliminate “the only meaningful regulatory response to Salt Typhoon that I’ve seen.”

Carr, Cruz and Fischer all touted existing laws and regulations requiring the removal and replacement of telecommunications equipment from Chinese companies like Huawei and ZTE as evidence the government has taken significant action to address the threat.

But Chinese telecommunications equipment does not appear to have played any role in Salt Typhoon’s intrusions, according to public officials who have said the hackers mostly relied on the poor state of cybersecurity across the telecom industry. Cantwell pointed out that the hackers gained access to telecom networks through basic weaknesses like unpatched vulnerabilities that have been public for years, weak passwords and lack of multifactor authentication.

Sen. Ben Ray Luján, D-N.M., was deeply critical of the FCC’s regulatory removal. He noted that the Senate Commerce Committee held a hearing on Salt Typhoon’s intrusions last year and has done almost nothing since to secure telecom networks, while the FCC was trading away its regulatory power for pinky promises from industry.

“The FCC stripped these protections away, replacing them with voluntary pledges and handshakes with companies whose networks have already proven themselves vulnerable to data breaches,” he said. “To put it plainly, these companies are basically leaving their front doors unlocked after a data break-in, and the FCC has decided to take their word when they promise they’ve installed deadbolts and security cameras.”

Gomez, Jordan, Luján and Jaffer all described Salt Typhoon as an active threat to U.S. telecommunications networks and critical infrastructure, and expressed concern over how the vulnerabilities exploited by the group could be leveraged to disrupt or intercept vital U.S. emergency communications.

“We can see that it’s not just the major carriers,” said Luján. “I’m also concerned that schools, hospitals, libraries, police departments and emergency responders are all exposed and do not have the resources to defend themselves against foreign adversaries.”

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.