Feds lay blame while Chinese telecom attack continues
The United States’ telecommunications infrastructure has been infiltrated by actors affiliated with China. Some of our nation’s most powerful leaders have been targeted — including President-elect Donald Trump and Vice President-elect JD Vance. This is one of the most severe cybersecurity incidents against telecom the United States has ever been subject to, and — worse yet — it is ongoing.
Actors affiliated with China, commonly called Salt Typhoon, have successfully gained access to at least eight of our nation’s largest communications companies. In fact, federal officials say that no networks have fully removed the threat and that individuals should rely on encrypted messaging platforms in the meantime.
Given the national security implications, one would assume that our government is rushing to secure communications and make sure something like this can’t happen again. Instead, the current administration’s response is to call for regulation and point out industry failures. For example, the Federal Communications Commission has proposed new requirements on carriers, such as expanded legal obligations, and the White House has also amplified this, saying that voluntary measures have proven inadequate. This follows similar calls for regulatory requirements and liability on industry over the past four years.
This is not the time for new regulations, and rushing to implement them would be a massive misstep. There is no shortage of existing federal agencies or authorities pertaining to cybersecurity. Instead, security teams face overlapping and even contradictory security requirements and standards. This places compliance burdens on security practitioners. For example, there have been instances where their time and resources were diverted to responding to government inquiries instead of defending networks.
During a Dec. 11 Senate Commerce Committee hearing, Sen. Ted Cruz, R-Texas, urged federal leaders not to rush new regulations and instead see how they can assist telecom companies in a time of need. That is precisely right. The first priority must be to fully understand how China gained access, what and who is impacted, what the short- and long-term remedies are, and ultimately how to ensure this does not happen again.
This is not to say there is no room for security standards and baselines. But what is currently in place should be assessed to determine if there is a way to harmonize our system. This would help security teams ultimately keep their focus on security, help cut down on critical resources being diverted elsewhere, and provide flexibility to decide what is best for their specific company. Rushing new regulations will simply exacerbate the problem and create an ever more complex patchwork of laws. Given Trump’s calls for deregulation and the creation of a Department of Government Efficiency, this is a perfect time to tackle cybersecurity.
Moving forward, there are several realities to account for.
First, no critical infrastructure sector is immune to threats like Salt Typhoon. Nation-state actors, especially China, are constantly getting more sophisticated and looking for new, easy targets. If our largest telecommunications companies faced an incident of this magnitude, then smaller critical infrastructure operators like a local water provider or hospital are certainly at risk, as are operators across all sectors, from health care to energy. This will require a continued effort to better secure critical infrastructure and more work to deter China in the first place.
Second, the federal government has a key role in supporting critical infrastructure. It is unrealistic to think critical infrastructure can defend itself alone against a nation-state actor. The federal government needs to help make the lives of critical infrastructure security teams easier and bolster the resources available to them. With Salt Typhoon in particular, the government should look internally at its own response and at how it could have been improved rather than blaming industry.
Third, we cannot neglect our technology. It is not uncommon to see outdated products embedded in our critical infrastructure or even continued use of products made by foreign adversaries. These weak spots carry cybersecurity challenges, along with national security and privacy concerns. The cost of replacing and updating technology is not trivial, and local and state restrictions make things more difficult. It is ultimately important to modernize our technology over time to best defend against advanced actors.
One thing is for certain: China and other foreign adversaries will continue to try to compromise our critical infrastructure systems and exploit our data. This makes it imperative that government and industry are truly in sync rather than pointing fingers or seeking to add new burdens in a crisis.
Brandon Pugh is the director of the R Street Institute’s cybersecurity and emerging threats team and serves as a cyber law professor in the military. Brian Harrell is a former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security.