Lawmakers press agencies, telecoms for more details on Salt Typhoon hacks
Members of Congress are pressing federal agencies and telecommunications companies for more information about a reported Chinese government-backed hacking campaign that breached the networks of at least three major U.S. telecoms.
Earlier this month, the Wall Street Journal reported that a hacking group tied to Beijing successfully broke into the networks of Verizon, AT&T and Lumen Technologies. The hackers reportedly went undetected for months, possibly gaining access to systems and infrastructure used to process court-authorized wiretaps.
On Thursday, Republican and Democratic leaders on the House Energy and Commerce Committee wrote to the three telecommunication firms asking for more information on their response, calling the incident “extremely alarming for both economic and national security reasons.”
“In an age where Americans rely heavily on your services for communication and connectivity, the integrity of your networks is paramount,” wrote Reps. Cathy McMorris Rodgers, R-Wa., and Frank Pallone, D-N.J., chair and ranking member on the committee, as well as Bob Latta, R-Ohio, and Doris Matsui, D-Calif., chair and ranking member of the Communications and Technology subcommittee. “It is vital that cybersecurity protocols are enhanced to better protect American’s [sic] data against increasingly sophisticated attacks, especially from our foreign adversaries.”
The members requested a briefing with the telecoms to learn more about when they became aware of the compromise, findings from any internal investigations and subsequent engagement with law enforcement, their plans to notify affected customers and what if any corrective steps have been taken to harden cybersecurity in the wake of the incident.
The House Homeland Security Committee has also requested a briefing on the hack from the Cybersecurity and Infrastructure Security Agency, according to a committee aide.
An aide for Sen. Mark Warner, D-Va., chair of the Senate Intelligence Committee, told CyberScoop that the incident is something the committee is “following closely, and I expect there to be briefings scheduled once Congress returns.”
The Federal Communications Commission has also reportedly requested a briefing from national security officials on the hack, according to Nextgov.
For some, the potential penetration of private IT infrastructure used to process lawful wiretaps revived longstanding arguments around the potential collateral damage that can come with government surveillance.
Sen. Ron Wyden, D-Ore., a longtime critic of federal surveillance programs who sits on the Senate Intelligence Committee, told CyberScoop in a statement that the alleged hacks call into question the government’s efforts to persuade — and in some cases compel — private companies to build specific channels for law enforcement access.
Wyden and others have repeatedly warned that technical pathways built into private products that make it easier for law enforcement to access data can also be used by malicious actors, something the Salt Typhoon hack demonstrates.
“A compromise of networks associated with government surveillance would constitute both a serious threat to national security and a violation of the implicit social contract that comes with that surveillance,” Wyden said. “If the government wants to listen in on Americans’ calls and read their texts, its surveillance system must be secure against hacks.”
“These reports,” he continued, “if accurate, cast doubt on the integrity of that compact and raise further questions about government assertions that it can be trusted with expanded surveillance authorities that include weakening of Americans’ encryption.”
On Friday, Wyden sent a letter to Attorney General Merrick Garland and FCC Commissioner Jessica Rosenworcel, saying that while telecommunications companies are ultimately responsible for their own cybersecurity lapses, the federal government shares some of the blame in this instance.
Under the Communications Assistance to Law Enforcement Act (CALEA), phone companies were compelled to build in technology to facilitate requests from the FBI and law enforcement agencies to tap into phone lines during investigations, a mandate that was later expanded by the FCC to broadband providers. Those laws, however well-justified, helped to create the kind of vulnerability in telecommunications networks that cybersecurity professionals had warned would inevitably be leveraged by malicious actors and foreign governments.
“During the Congressional hearings for CALEA, cybersecurity experts warned that these backdoors would be prime targets for hackers and foreign intelligence services. However, these concerns were dismissed by then-FBI Director Louis J. Freeh, who testified to Congress that experts’ fears of increased vulnerability were ‘unfounded and misplaced,’” Wyden wrote.
He urged Rosenworcel to update its CALEA regulations to include baseline cybersecurity standards for telecommunications carriers, while pressing the FBI to focus less on indicting and prosecuting foreign hackers overseas who will likely never see a U.S. courtroom and more on prosecuting large corporations that neglect their cybersecurity obligations. He suggested starting with an investigation into whether the cybersecurity practices of the telecoms involved in the Salt Typhoon hack violate legal requirements in CALEA or the False Claims Act.
“These companies are corporate scofflaws that have harmed the public and our national security through their negligence,” Wyden continued. “DOJ can prevent future cyberattacks and incentivize improvements in corporate cybersecurity by working with regulators to hold companies accountable for security failures, which will inform much-needed Congressional oversight, enable consumers and investors to protect themselves by voting with their wallets, and ultimately, protect national security.”
Tim Starks contributed to this story.
This story was updated Oct. 11, 2024, with Wyden’s letter to Garland and Rosenworcel.