As US finally details Chinese Salt Typhoon attack, FCC Chair proposes new rules for telcos
After weeks of drip-feeding information, the US has finally offered a more comprehensive account of the China-led hack of its telecoms networks, as well as measures aimed at preventing a repeat.
December 6, 2024
In keeping with the theme of the top tips offered to telcos by US security agencies earlier this week, Jessica Rosenworcel, the Chair of US comms regulator FCC, has suggested ‘telecom carriers’ raise their network security game.
“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Rosenworcel. “As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses.
“While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”
Rosenworcel’s cunning plan is to make CSPs submit some kind of annual certification to the FCC, proving their cybersecurity measures are up to scratch. The clear inference from the attack itself and all the subsequent attempts to shut the stable door after the horse has bolted is that those efforts currently fall short of the mark. But, understandably, none of the specific deficiencies have been publicly detailed. Consequently, we don’t yet know which boxes would need to be ticked in order to get the FCC’s clean bill of health.
The press release refers to a recent WSJ report based on an unpublished briefing from US national security adviser Anne Neuberger, in which she detailed the scale of the Salt Typhoon attack. “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” she was quoted as saying.
If the WSJ story is paywalled for you, the X thread below seems to be a good account of what was discussed. The number of US CSPs affected has now risen to eight but we’re not aware of any public list of all the countries affected. The first reports of Salt Typhoon emerged back in October and it seems that the reason information continues to be drip-fed is that the full nature and extent of the attack is still being investigated.
Here's how the FCC’s Salt Typhoon fact sheet summarises the situation: “On December 4, 2024, a top U.S. security agency confirmed reports that foreign actors, state-sponsored by the People’s Republic of China, infiltrated at least eight U.S. communications companies, compromising sensitive systems and exposing vulnerabilities in critical telecommunications infrastructure. This was part of a massive espionage campaign that has affected dozens of countries.”
A couple of US Senators have decided to join the party by writing a public letter to the Inspector General of the Department of Defense, asking him what he thinks he’s playing at. They are especially aggrieved at the DoD’s use of unencrypted communications channels such as Microsoft Teams.
“DOD’s failure to secure its unclassified voice, video, and text communications with end-to-end encryption technology has left it needlessly vulnerable to foreign espionage,” they wrote. “Moreover, although DOD is among the largest buyers of wireless telephone service in the United States, it has failed to use its purchasing power to require cyber defenses and accountability from wireless carriers.”
China, of course, denies everything, but the current lack of righteous indignation on the pages of state-controlled media such as the Global Times at the very least suggests a certain sheepishness. At this stage, given the claimed extent of the attack, it seems very unlikely that the US is just making it all up in a bid to smear China.
One clear consequence of all this is that operators throughout the US sphere of influence are going to face a lot more government scrutiny of their security measures. It will be interesting to see if lists of approved vendors and solutions are drafted, and it seems like this is a good time to be in the network security game.