Blocking Chinese spies from intercepting calls? There ought to be a law
(2024/12/12)
- Reference: 1733958186
- News link: https://www.theregister.co.uk/2024/12/11/telecom_cybersecurity_standards/
- Source link:
US telecoms carriers would be required to implement minimum cyber security standards and ensure their systems are not susceptible to hacks by nation-state attackers – like Salt Typhoon – under legislation proposed by senator Ron Wyden (D-OR).
The [1]Secure American Communications Act [PDF], if signed into law, would require the Federal Communications Commission to issue binding rules for telecom systems, following what Wyden calls the FCC's "failure" to implement security standards already required by federal law.
He's referring to the [2]CALEA of 1994 – aka the Communications Assistance for Law Enforcement Act – which required telecom providers to design their systems to comply with wiretapping requests from law enforcement.
[3]
The law also requires providers to secure their own systems against unauthorized interception – such as [4]Chinese spies , who we recently learned did access these systems to [5]steal communications and other sensitive information. While the feds haven't disclosed whose calls and texts were accessed by Salt Typhoon, the victims reportedly included [6]president-elect Donald Trump and his VP pick JD Vance, people working for current VP Kamala Harris's presidential campaign, and other [7]high-ranking political figures .
[8]
[9]
"It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cyber security rules," Wyden [10]asserted in a statement.
"Telecom companies and federal regulators were asleep on the job and as a result, Americans' calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security," he continued. "Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies."
[11]China's Salt Typhoon recorded top American officials' calls, says White House
[12]Salt Typhoon forces FCC's hand on making telcos secure their networks
[13]T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'
[14]Microsoft: Another Chinese cyberspy crew targeting US critical orgs 'as of yesterday'
Wyden's proposal gives the FCC one year to design specific security requirements in consultation with the head of the US Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence.
The legislation doesn't specify what these safety measures should include, other than they must "prevent the interception of communications or access to call-identifying information without lawful authorization by any person or entity, including by an advanced persistent threat."
[15]
It would also require the carriers to conduct annual testing to evaluate whether these systems are working as intended. If they're not, then the carriers must fix the issues. Further, telcos would need to hire an independent auditor to conduct an annual assessment of compliance with FCC cyber security rules, and submit the results of the audits to the commission.
Outgoing FCC chair Jessica Rosenworcel has also [16]proposed rules that would require the nation's carriers to safeguard their infrastructure against illicit access or interception of communications.
Wyden's proposal follows [17]legislation the senator introduced earlier this year that would require the government to adopt secure communications software. He also [18]proposed a bipartisan bill in 2023, which would have blocked the export of US citizens' personal information to unfriendly nations, making it more difficult for foreign spies to target Americans for hacking and spying. That proposal never made it out of committee. ®
Get our [19]Tech Resources
[1] https://www.wyden.senate.gov/imo/media/doc/secure_american_communications_act_draft_legislation.pdf
[2] https://www.fcc.gov/calea
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1pt-CqfLBQIO550D_-QrgAAAQg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://www.theregister.com/2024/11/14/salt_typhoon_hacked_multiple_telecom/
[5] https://www.theregister.com/2024/11/25/salt_typhoon_mark_warner_warning/
[6] https://www.theregister.com/2024/10/28/feds_investigate_chinas_salt_typhoon/
[7] https://www.theregister.com/2024/12/09/white_house_salt_typhoon/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1pt-CqfLBQIO550D_-QrgAAAQg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1pt-CqfLBQIO550D_-QrgAAAQg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[10] https://www.wyden.senate.gov/news/press-releases/wyden-releases-draft-legislation-to-secure-us-phone-networks-following-salt-typhoon-hack
[11] https://www.theregister.com/2024/12/09/white_house_salt_typhoon/
[12] https://www.theregister.com/2024/12/06/salt_typhoon_fcc_proposal/
[13] https://www.theregister.com/2024/12/05/tmobile_cso_telecom_attack/
[14] https://www.theregister.com/2024/12/06/chinese_cyberspy_us_data/
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1pt-CqfLBQIO550D_-QrgAAAQg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[16] https://www.theregister.com/2024/12/06/salt_typhoon_fcc_proposal/
[17] https://www.theregister.com/2024/04/24/wyden_government_interoperability/
[18] https://www.wyden.senate.gov/news/press-releases/wyden-lummis-whitehouse-hagerty-heinrich-and-rubio-introduce-bipartisan-bill-to-protect-americans-data-from-unfriendly-foreign-nations-bar-tiktok-employees-in-china-from-accessing-us-information
[19] https://whitepapers.theregister.com/
The [1]Secure American Communications Act [PDF], if signed into law, would require the Federal Communications Commission to issue binding rules for telecom systems, following what Wyden calls the FCC's "failure" to implement security standards already required by federal law.
He's referring to the [2]CALEA of 1994 – aka the Communications Assistance for Law Enforcement Act – which required telecom providers to design their systems to comply with wiretapping requests from law enforcement.
[3]
The law also requires providers to secure their own systems against unauthorized interception – such as [4]Chinese spies , who we recently learned did access these systems to [5]steal communications and other sensitive information. While the feds haven't disclosed whose calls and texts were accessed by Salt Typhoon, the victims reportedly included [6]president-elect Donald Trump and his VP pick JD Vance, people working for current VP Kamala Harris's presidential campaign, and other [7]high-ranking political figures .
[8]
[9]
"It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cyber security rules," Wyden [10]asserted in a statement.
"Telecom companies and federal regulators were asleep on the job and as a result, Americans' calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security," he continued. "Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies."
[11]China's Salt Typhoon recorded top American officials' calls, says White House
[12]Salt Typhoon forces FCC's hand on making telcos secure their networks
[13]T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'
[14]Microsoft: Another Chinese cyberspy crew targeting US critical orgs 'as of yesterday'
Wyden's proposal gives the FCC one year to design specific security requirements in consultation with the head of the US Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence.
The legislation doesn't specify what these safety measures should include, other than they must "prevent the interception of communications or access to call-identifying information without lawful authorization by any person or entity, including by an advanced persistent threat."
[15]
It would also require the carriers to conduct annual testing to evaluate whether these systems are working as intended. If they're not, then the carriers must fix the issues. Further, telcos would need to hire an independent auditor to conduct an annual assessment of compliance with FCC cyber security rules, and submit the results of the audits to the commission.
Outgoing FCC chair Jessica Rosenworcel has also [16]proposed rules that would require the nation's carriers to safeguard their infrastructure against illicit access or interception of communications.
Wyden's proposal follows [17]legislation the senator introduced earlier this year that would require the government to adopt secure communications software. He also [18]proposed a bipartisan bill in 2023, which would have blocked the export of US citizens' personal information to unfriendly nations, making it more difficult for foreign spies to target Americans for hacking and spying. That proposal never made it out of committee. ®
Get our [19]Tech Resources
[1] https://www.wyden.senate.gov/imo/media/doc/secure_american_communications_act_draft_legislation.pdf
[2] https://www.fcc.gov/calea
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z1pt-CqfLBQIO550D_-QrgAAAQg&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://www.theregister.com/2024/11/14/salt_typhoon_hacked_multiple_telecom/
[5] https://www.theregister.com/2024/11/25/salt_typhoon_mark_warner_warning/
[6] https://www.theregister.com/2024/10/28/feds_investigate_chinas_salt_typhoon/
[7] https://www.theregister.com/2024/12/09/white_house_salt_typhoon/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1pt-CqfLBQIO550D_-QrgAAAQg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z1pt-CqfLBQIO550D_-QrgAAAQg&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[10] https://www.wyden.senate.gov/news/press-releases/wyden-releases-draft-legislation-to-secure-us-phone-networks-following-salt-typhoon-hack
[11] https://www.theregister.com/2024/12/09/white_house_salt_typhoon/
[12] https://www.theregister.com/2024/12/06/salt_typhoon_fcc_proposal/
[13] https://www.theregister.com/2024/12/05/tmobile_cso_telecom_attack/
[14] https://www.theregister.com/2024/12/06/chinese_cyberspy_us_data/
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z1pt-CqfLBQIO550D_-QrgAAAQg&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[16] https://www.theregister.com/2024/12/06/salt_typhoon_fcc_proposal/
[17] https://www.theregister.com/2024/04/24/wyden_government_interoperability/
[18] https://www.wyden.senate.gov/news/press-releases/wyden-lummis-whitehouse-hagerty-heinrich-and-rubio-introduce-bipartisan-bill-to-protect-americans-data-from-unfriendly-foreign-nations-bar-tiktok-employees-in-china-from-accessing-us-information
[19] https://whitepapers.theregister.com/
deevee
What a joke, how about some laws stopping the NSA/FBI and CIA using ECHELON (and CALEA etc) to spy on phone calls from EVERYONE!
The USA enforce spying abilities, buy making everyone buy US network equipment that is DESIGNED to allow spying. Its why they won't allow Chinese network gear, because no one could spy if all the network gear was Chinese.
The USA has spying equipment/facilities and staff in pretty much every western country in the world, to enable this.
REPEAL CALEA
What does this idiot think they used to get access?
Making it possible for the pigs to see texts and hear phone calls is WHY such an attack was possible. If calls and texts were end to end encrypted by default, this crap would never have happened.
There is no safe back door.