Salt Typhoon forces FCC's hand on making telcos secure their networks

Proposal pushes stricter infosec safeguards after Chinese state baddies expose vulns


The head of America's Federal Communications Commission (FCC) wants to force telecoms operators to tighten network security in the wake of the Salt Typhoon revelations, and to submit an annual report detailing measures taken.

Jessica Rosenworcel, outgoing chair of the US telecoms regulator, has proposed rules that would require the nation's carriers to safeguard their infrastructure against illicit access or interception of communications in an effort to bolster them against cyberattacks.

The proposal centers on a draft Declaratory Ruling that puts a new interpretation on section 105 of the Communications Assistance for Law Enforcement Act (CALEA) as requiring telcos to take action to lock down their networks.

This particular legislation was passed 30 years ago during the presidency of Bill Clinton and ensures telcos have the ability to comply with wiretapping requests from law enforcement. Section 105 requires a carrier to make certain that any interception of communications can only be carried out with lawful authorization.

The FCC also wants these network service providers to submit an annual certification attesting they have created, updated, and implemented a cybersecurity risk management plan.

"The cybersecurity of our nation's communications critical infrastructure is essential to promoting national security, public safety, and economic security," Rosenworcel said in a statement. "As technology continues to advance, so do the capabilities of adversaries, which means the US must adapt and reinforce our defenses."

If adopted, the Declaratory Ruling would take effect immediately, according to the FCC. The agency will also seek comment on security risk management requirements for communications providers, as well as other ways to boost the resilience of communications systems and services.

The urgent call for action follows the discovery that China-backed cyber baddies entirely compromised telecommunications infrastructure in the US and elsewhere via the months-long campaign known as Salt Typhoon, which affected at least eight operators in the US alone.

It was reported last month that a great many devices within US telcos were targeted by the attackers, allowing them to establish a persistent presence that may require the replacement of "literally thousands and thousands and thousands" of switches and routers.

The attackers are believed to have compromised the wiretapping systems used by law enforcement in at least some instances, hence the FCC's focus on the CALEA legislation to address the issue.

It isn't just the US that is affected, as The Reg reported at the end of November. The same vulnerabilities that left American telecoms networks wide open to foes are likely replicated worldwide and are a result of regulatory failures and a lax attitude to security by companies.

The situation is so dire the US Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week including advice on using encrypted messaging to protect information – a notable shift from governments constantly trying to erode encryption so they can snoop on communications themselves. ®
