Decades-old legislation requiring American telcos to lock down their systems to prevent foreign snoops from intercepting communications isn’t mere decoration on the pages of law books – it actually means carriers need to secure their networks, the FCC has huffed.
On Thursday, the US regulator issued a formal ruling that states telecommunications carriers have a statutory obligation under section 105 of the nation’s Communications Assistance for Law Enforcement Act (CALEA) to secure their systems against unlawful access or interception of communications. Note that leaves the door open for the Feds to gain court-sanctioned access to people’s communications, typically for investigating crimes. Criminals and foreign adversaries, on the other hand, must be kept out. This clarification is effective immediately.
This is part of Uncle Sam’s larger efforts to fend off Chinese agents breaking into America’s computer networks to gather intelligence. Beijing’s Salt Typhoon spies just recently compromised telcos including AT&T and Verizon – giving the intruders the capability to geo-locate millions of subscribers, monitor their internet traffic, and record their phone calls – and before that, federal networks.
Ironically enough, the snoops hijacked surveillance systems deployed by telcos under CALEA to allow the Feds to wiretap suspects and gather details about their online and digital activities; China turned our own spying apparatus on ourselves.
To give you an idea of the level of clusterfsck America is facing: FBI reckons Salt Typhoon stole months of their agents’ calls and text logs, according to Bloomberg, which cited a document that stated the crew compromised all FBI devices that were using AT&T’s service for public safety agencies.
The federal bureau declined to comment directly on the report, and instead told us: “The FBI continually adapts our operational and security practices as physical and digital threats evolve. The FBI has a solemn responsibility to protect the identity and safety of any individual who contacts the FBI and provides information every day that keeps the American people safe, often at risk to themselves.”
We asked AT&T if the report was correct, and the telco more or less confirmed it, signaling Salt Typhoon hit operations like the FBI after breaking into the telco’s network.
“After criminals stole customer data last year, we worked closely with law enforcement to mitigate impact to government operations. We appreciate the thorough investigation, which resulted in multiple arrests and federal criminal indictments,” a spokesperson told The Register. “Given the increasing threat from cybercriminals and nation-state actors, we continue to increase investments in security as well as monitor and remediate our networks.”
On Friday, the US Treasury Department imposed sanctions on Yin Kecheng, who lives in Shanghai and was accused of being involved in the recent Treasury network compromise. The Feds also sanctioned Sichuan Juxinhe Network Technology, a Sichuan-based cybersecurity company alleged to have direct involvement in the Salt Typhoon intrusions.
As more and more details emerge of Beijing smashing through the security of global networks, obviously in competition with the NSA, calls to update CALEA, or simply enforce it, have increased.
When CALEA was adopted in 1994, it required, as we quipped above, telecom providers to design their systems to comply with wiretapping requests from law enforcement. In 2006, the FCC expanded this mandate to cover broadband internet providers.
The law also required all of these covered providers to secure their networks — but that point hasn’t been enforced.
In addition to the formal ruling this week, the FCC issued a proposal requiring communications service providers to develop and implement comprehensive cybersecurity and supply chain risk management plans. These providers would also be required to submit an annual certification to the FCC confirming that these plans have been created, updated, and implemented.
The proposed risk management plans must identify potential cyber threats, detail the controls in place or planned to mitigate these risks, and explain how these controls are effectively applied to their operations.
“We believe that the mere act of creating, updating, and implementing cybersecurity and supply chain risk management plans would not be sufficient on its own, but rather that the cybersecurity and supply chain risk management plans must also be reasonable to avoid an independent breach of the proposed rules,” the FCC wrote [PDF].
“In response to Salt Typhoon, there has been a government-wide effort to understand the nature and extent of this breach, what needs to happen to rid this exposure in our networks, and the steps required to ensure it never happens again,” FCC Chair Jessica Rosenworcel added in a statement.
Rosenworcel first floated this plan in December in response to the Chinese government spies breaking into telcos’ networks, accessing large volumes of customer metadata, and stealing a smaller number of people’s phone calls and text messages.
The Salt Typhoon raids on American telecoms have raised concerns about the effectiveness of CALEA — particularly since carriers’ responsibilities to secure their networks under the law have not been consistently enforced. The security breaches have also reignited calls from lawmakers and privacy advocates to reform the decades-old law and eliminate provisions requiring the aforementioned government-mandated wiretapping backdoors in communications systems. Backdoors that adversaries are clearly happy to use against us.
The Feds have historically argued law enforcement needs this wiretapping for crime-fighting and terrorism-preventing purposes.
To be clear, the FCC proposal doesn’t touch the wiretap surveillance portion of the law. Instead, it focuses on strengthening protections for communications systems against modern cyber-threats.
“Our existing rules are not modern,” Rosenworcel said in a statement [PDF]. “It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed.”
The FCC ruling comes as CISA boss Jen Easterly this week revealed that Salt Typhoon was first detected on federal networks, before the spies burrowed into AT&T, Verizon, and other providers.
“The FCC’s actions today are an important step in securing the nation’s telecommunications infrastructure against the very real threat posed by the PRC and other threat actors,” Easterly said in a statement. ®