• Multiple US telecom networks have been breached by Salt Typhoon hackers
• US regulator says it will require telcos to better secure their networks and prove they have done so
• The FCC is somewhat late to the party, to say the least

The phrase “locking the stable door after the horse has bolted” sprang to mind as US regulator the Federal Communications Commission (FCC) proposed “urgent action” to secure US communications networks in the wake of a major breach by hacking group Salt Typhoon that has been described by US Senate Intelligence Committee Chairman Mark Warner as “the worst telecom hack in our nation’s history – by far.” 

As previously reported, US security authorities have already issued a guide that “provides best practices to protect against a People’s Republic of China (PRC)-affiliated threat actor that has compromised networks of major global telecommunications providers,” following the revelations that eight US communications networks, including Tier 1 telco systems, have been breached by the Salt Typhoon hackers and that some networks are still currently compromised. 

On 4 December, US senators were given a classified briefing about the hacking campaign, reported Reuters. Representatives from the FBI, the FCC, the National Security Council and the Cybersecurity and Infrastructure Security Agency were at the briefing, which resulted in multiple expressions of major concerns from US lawmakers. “The extent and depth and breadth of Chinese hacking is absolutely mind-boggling – that we would permit as much as has happened in just the last year is terrifying,” said Richard Blumenthal, a senator from Connecticut.

Senator Rick Scott from Florida expressed frustration with the briefing: “They have not told us why they didn’t catch it [or] what they could have done to prevent it,” he stated. 

Now FCC chairwoman Jessica Rosenworcel, who is stepping down from the post in January, has “proposed urgent action to safeguard the nation’s communications systems from real and present cybersecurity threats, including from state-sponsored cyber actors from the People’s Republic of China”.  

Rosenworcel stated in this announcement: “The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security. As technology continues to advance, so [do] the capabilities of adversaries, which means the US must adapt and reinforce our defences. While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”

Such a statement makes it sound like no one had thought of this before and that the telcos don’t have security strategies: Telcos around the world face constant cyberattacks, as BT noted earlier this year when it said its systems identified 200 million signals of potential cyberattacks every day – that’s 2,000 per second. 

So it could be argued that the time for close scrutiny and action was a long time ago. Instead, the FCC is proposing that US telcos must “submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks.” The proposal also “invites public comment” on “expanding cybersecurity requirements across a range of communications providers and “identifying additional ways to enhance cybersecurity defences for communications systems.”

The proposal is now with all five members of the FCC and, if adopted, would come into effect immediately. While that might sound like instant action, it’s going to take some time to set the requirements and parameters of what is actually required to successfully complete such a process if it is to be in any way meaningful.  

The main good thing that might come from this is that regulators in other countries might decide to adopt a similar approach and, potentially, help to ward off such attacks in the future. For the US operators the cybersecurity alarm bells have never been ringing this loud and, even with the FCC’s ruling, the pressure is already on to make their cybersecurity defences even stronger. 

- Ray Le Maistre, Editorial Director, TelecomTV