(Credit: Tom Williams/CQ-Roll Call, Inc via Getty Images)
To stop China’s "Salt Typhoon" hacking group, the Federal Communications Commission is considering invoking new legal authority to force US telecommunications companies to bolster their defenses or face fines for noncompliance.
The FCC announced the proposal after White House officials said the Chinese hacking group breached at least eight US telecommunications firms in a spying campaign that began up to two years ago. Making matters worse is that the hackers remain inside US networks when there’s no clear timeframe on when they’ll be booted out.
In response, outgoing FCC Chairwoman Jessica Rosenworcel said: “We need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”
To do so, the FCC is mulling a broader interpretation of a single sentence within the Communications Assistance for Law Enforcement Act (CALEA), a wiretapping law that the US passed in 1994. Specifically, Section 105 of the Act requires US telecommunications carriers “to ensure that any interception of communications” be done under a court order or lawful authorization and under FCC regulations.
According to the FCC, the same section also “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications,” the commission said in the announcement. On Thursday, Rosenworcel circulated a draft Declaratory Ruling to the rest of the commission with the goal of securing a vote and hammering the interpretation into an official FCC ruling, forcing it to take immediate effect.
In addition, Rosenworcel has submitted a proposed rulemaking, requiring telecommunications providers to go through an annual certification requirement, forcing them to implement a cybersecurity risk management plan and to ensure compliance.
The Washington Post reports the proposals could entail the FCC pursuing fines and even criminal penalties against companies that fail to meet the cybersecurity standards. According to federal investigators, the Chinese hackers breached multiple telecommunications firms by leveraging existing vulnerabilities, rather than executing novel attacks.
Hence, it looks like the breaches could have been preventable. However, a US senator has indicated evicting the Chinese hackers from US networks could require physically replacing thousands of outdated routers and switches.
Although Rosenworcel will step down as FCC Chair next month, her successor, Commissioner Brendan Carr, has also made shoring up US telecom defenses a priority. “The Salt Typhoon intrusion is a serious and unacceptable risk to our national security. It should never have happened,” he tweeted on Wednesday. “I will be working with national security agencies through the transition and next year in an effort to root out the threat and secure our networks.”
If the FCC passes the proposed rulemaking on the annual certification requirement, it'll then kick off a months-long process to solicit public comment on the draft regulations before potentially revising them and putting them to a vote.
It's unclear what specific vulnerabilities the Chinese hackers exploited, although in some cases Cisco-specific features were targeted. In 2019, the FCC approved a program to “rip and replace” Chinese-developed Huawei and ZTE equipment from US networks over alleged national security risks. However, the program has only secured about $1.9 billion in federal funding when an estimated $5 billion is needed. This week, Rosenworcel sent a letter to Congress, urging lawmakers to secure the additional funds.