After China's Salt Typhoon, the reconstruction starts now
- Reference: 1736155870
- News link: https://www.theregister.co.uk/2025/01/06/opinion_column_cybersec/
- Source link:
The news is still fragmentary and incoherent, but each new revelation from official sources builds the picture. This wasn't a freak weather occurrence, it is evidence of a climate that is dangerously unstable, and remains dangerously unstable.
Reminder: China-backed crews compromised 'multiple' US telcos in 'significant cyber espionage campaign' [1]READ MORE
There are now [2]nine telcos known to have been hit by Chinese government-backed snoops whom they say accessed parts of their systems earlier this year. Millions of users have had their geolocation data taken. One compromised admin account controlled 100,000 routers. This isn’t a security incident, a few missed patches or lucky phishing, this is an entire sector in scandalous disarray.
That’s not the telco sector, that’s enterprise security as a whole. These people sold security to others, they partnered with enterprise security suppliers, moving billions of dollars around... and for what? To be taken apart by Chinese online attackers at industrial scale? If a Potemkin village had its idiots, they’d work in cyber security marketing.
We know how deeply rotten things are because Salt Typhoon used the same techniques used in a break-in into another national telco 40 years ago, when the UK's British Telecom's [3]Prestel text message service was attacked. The Prestel mailbox of the husband of the late Queen, Prince Philip, was famously accessed during the attack. And as in the case of Prestel, Salt Typhoon scooped up unguarded accounts with huge privileges. The attackers could live off the land - there was no need to install special tools, because those already installed on the target were lethally capable and uncontrolled. Malicious activities can look indistinguishable from legitimate actions.
[4]
An industry unable to learn something in 40 years has no legitimacy. And there’s no sign it is learning now. Verizon’s corporate emissions are full of bland statements that there wasn’t much of a problem, it’s been "contained," and all of its highly respected friends agree. There are no specifics, nothing independently verifiable, just words they want us to believe.
[5]
[6]
In peacetime, this sort of bland denialist corporate propaganda is just part of the great game of complacent capitalism. In wartime, it’s treason. Are we at war? Ask a vandalized [7]Baltic cable . Ask a filet of drones, on their way back from [8]surveilling an airbase in the UK . Ask a Cisco router, snug in its rack in North Virginia but [9]reporting back to Beijing. If we woke up one day to find an unfriendly foreign power in control of our domestic road, rail and air transport, the answer would be easy. Why is our data infrastructure different? Nobody needs to die and nothing needs to blow up, after all.
A war plan needs intelligence, logistics, tactics, strategy and a clear final goal. How many of these are in place when we look at cyber security - we being the nations who belong to their people, rather than vice versa. Assuredly, the bad guys have the set. We don’t know the extent of infiltration or all the potential on-ramps, we have no strategy for an infrastructure that isn’t open to 40-year-old attack ideas, and we have no vision of what a properly secured infrastructure would look like.
[10]
The first step is to strip away all the commercial flim-flam and send in steely-eyed data forensic specialists to build an accurate map of the landscape and its inhabitants. How many accounts can compromise security? Where can such accounts be created? How much is protected by 2FA or better? Prove it. It would be like every CISO’s worst enemies being let in with complete access, except for two things: those worst enemies are already here, and these worst enemies are actually your friends.
Once the map is drawn and the fog of shareholder value blown away, the emergency work begins. It’s resources, risk and reward, same as always, but this time the risks and rewards are defined by the public security interest, not what looks good on the books. It’s called a wartime economy, it is unbelievably expensive, and nothing else works. You do have to find the money from somewhere. We suggest finding an industry that has indulged its gargantuan appetite on the benefits of digital infrastructure while not investing in its security.
[11]Eight things that should not have happened last year, but did
[12]Telco security is a dumpster fire and everyone's getting burned
[13]The sweet Raspberry taste of success masks a missed opportunity
[14]Microsoft starts boiling the Copilot frog: It's not a soup you want to drink at any price
[15]Huawei's farewell to Android isn't a marketing move, it's chess
Who knows what we’ll find? Telcos are notorious nincompoops. But they’re not the only nincompoops in town. We assume that cloud providers haven’t been infiltrated like the telcos: if that’s true, then knowing how is vital. If it’s not - you can finish this sentence yourself. Without the big picture, though, nothing much will work: with it, a start can be made to lock things down.
Next, the hard bit. What does a post Salt Typhoon security landscape look like. There are excellent cyber security design principles that are routinely ignored because they cost money but are otherwise invisible on the bottom line. That has to stop, at gunpoint if need be. The creation, implementation and maintenance of a properly robust infrastructure is as complex and intriguing as any post-war reconstruction: we still know how to do that, again if we care to. And finally, what do we do with hostile state actors who behave badly? Geopolitics of the highest order, but not knowing is not an option. Bad guys drive tanks though that. Literally.
There is an alternative to going to war: surrender. We can’t win, it doesn’t really matter, it’s just the new reality. Students of history know how that ends. When you look up and see Sputnik, it’s best to take the hint. That won’t be the only one. Build a better rocket, and build it quickly. When you look down and find one infrastructure on fire, it won’t be the only one. Build better, Build fast. ®
Get our [16]Tech Resources
[1] https://www.theregister.com/2024/11/14/salt_typhoon_hacked_multiple_telecom/
[2] https://www.theregister.com/2024/12/30/att_verizon_confirm_salt_typhoon_breach/
[3] https://www.theregister.com/2015/03/26/prestel_hack_anniversary_prince_philip_computer_misuse/
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z3u31TK4FuHbq-6fef4eewAAANU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z3u31TK4FuHbq-6fef4eewAAANU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z3u31TK4FuHbq-6fef4eewAAANU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/11/19/baltic_sea_cables_cut/
[8] https://news.sky.com/story/whats-going-on-with-drones-spotted-over-us-air-bases-in-uk-13261593
[9] https://www.theregister.com/2019/05/02/cisco_vulnerabilities/
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z3u31TK4FuHbq-6fef4eewAAANU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2025/01/01/opinion_column_tech_fails_2024/
[12] https://www.theregister.com/2024/12/02/telco_security_opinion/
[13] https://www.theregister.com/2024/12/16/opinion_column_future_raspberry_pi/
[14] https://www.theregister.com/2024/11/18/opinion_piece_ai_tools/
[15] https://www.theregister.com/2024/10/28/opinion_column_huawei_harmony_os/
[16] https://whitepapers.theregister.com/
Verizon...
So i checked the Verizon website, including "important announcements", briefly googled about security breaches, even directly querying salt typhoon, and you know what came up? Fuck all.
They've effectively buried this issue, and they're perfectly happy to have it neatly tucked away under the rug. The government needs to step in big time, this is a national security issue and should be heavily regulated. Anything affecting the bottom line is not going to happen by itself.
As a side note, in the Netherlands we are lucky. KPN (The largest mobile network operator and ISP) has created it's own cybersecurity policy which is [1]publicly available and is very comprehensive. It's very much possible to be both secure and profitable. I actually think in the long run it's impossible to remain a profitable telco if you're not secure, PR can save them in this case, but if the threat actors press the big red button and bring everything down, they're done for.
[1] https://policy-public.kpnnet.org/
"An industry unable to learn something in 40 years has no legitimacy. And there’s no sign it is learning now."
They've learned the important lessons well. They've learned that, given a choice, most people buy the cheapest thing they can find and mostly won't pay extra for security or safety. If one of the Telcos had gone the extra mile then it would have been out of business today cos it would have been more expensive. Improvement won't happen until it's made a legal requirement, with criminal sanctions for directors who don't make sure it's done properly, so everyone has to do it and there's no business survival advantage to not doing it.
On the face of it that seems a reasonable assumption, but as time goes on, it's going to get increasingly expensive to not take on proper security practices.
coat -> because I want out of this nightmare.
Now that is what I call an indictment
Impressive article, and I wholeheartedly support the message.
There's only one problem I can see : telcos have been surfing on money for decades and, as long as the money keeps rolling in, they have no reason to change their habits. Containment ? They've contained the media hoopla around the issue, problem solved.
Also, food for thought : what says that China doesn't have interested parties on the Boards of the various telcos ? China is notorious for putting its fingers in every pie it can find. I would actually be surprised if China had absolutely zero influence inside the communication companies of The West.