FCC orders telecoms to secure their networks after Salt Tyhpoon hacks

The Federal Communications Commission (FCC) has ordered U.S. telecommunications carriers to secure their networks following last year's Salt Typhoon security breaches.

Today's action comes after FCC Chairwoman Jessica Rosenworcel said in early December that the FCC would act "urgently" to require U.S. carriers to secure their systems from cyberattacks.

"We now have a choice to make. We can turn the other way and hope this threat goes away. But hope is not a plan," Rosenworcel said on Friday. "In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. The time to take this action is now. We do not have the luxury of waiting."

The Commission adopted a declaratory ruling that "takes effect immediately," finding that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecom companies to secure their networks from communications interception and unlawful access.

The FCC also wants to strengthen communications against future cyberattacks by requiring telecoms to submit annual certifications confirming that they have an up-to-date cybersecurity risk management plan. Additionally, it seeks comment on other ways to strengthen the cybersecurity of communications systems and services.

"The FCC's Declaratory Ruling and Notice of Proposed Rulemaking is a critical step to require U.S. telecoms to improve cybersecurity to meet today's nation state threats, including those from China's well-resourced and sophisticated offensive cyber program," National Security Advisor Jake Sullivan added.

The Salt Typhoon telecom breaches

CISA and the FBI confirmed the hacks in late October following reports that the Salt Typhoon Chinese hacking group had breached the networks of multiple telcos, including Verizon, AT&T, and Lumen Technologies. Throughout this campaign, the threat actors accessed the U.S. law enforcement's wiretapping platform and compromised the "private communications" of a "limited number" of U.S. government officials.

Anne Neuberger, the White House's deputy national security adviser for cyber and emerging technologies, told reporters that the hackers breached nine U.S. carriers (including Windstream, Charter, and Consolidated Communications) and telecom companies in dozens of other countries.

AT&T, Verizon, and Lumen announced on December 30 that they had evicted the Salt Typhoon hackers from their networks. However, this happened after the Chinese hackers accessed targeted individuals' text messages, voicemails, and phone calls.

T-Mobile also disclosed in November that unknown attackers breached some of its routers in a network reconnaissance attempt after connecting from a linked wireline provider's network. However, Jeff Simon, the company's Chief Security Officer, didn't link the incident to Salt Typhoon and said T-Mobile's cyber defenses stopped the attack.

In response to these breaches, U.S. authorities reportedly plan to ban China Telecom's last active operations in the United States. They're also considering banning TP-Link routers if an ongoing investigation shows their use in cyberattacks poses a national security risk.