The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure owners and operators to plan for delivering essential services under emergency conditions – potentially for months at a time.

The federal government’s top cybersecurity agency warned that state-sponsored hackers, particularly two Chinese groups known as Salt Typhoon and Volt Typhoon, continue to threaten critical sectors like electricity, water, and internet. 

The agency is now working with the private sector to protect operational technology – the systems that control the heavy machinery and equipment that powers most critical infrastructure – from attacks that enter through business IT systems or third-party vendor products.

The initiative  — known as CI Fortify – will include CISA conducting targeted technical assessments of critical infrastructure entities and aims to create plans that “allow for safe operations for weeks to months while isolated” from IT networks and third-party tools, according to the agency’s website.

Nick Andersen, CISA’s acting director, told reporters that the goal is “service delivery [that] can still reach critical infrastructure after the asset owner has disconnected with IT and OT, disconnected from third party vendors and service provider connections and disconnected from third party telecommunications equipment.”

Over the past two years, wars in Ukraine, Gaza, Iran and elsewhere have seen water plants, power substations, data centers and other critical infrastructure targeted by kinetic or cyberattacks.

Andersen said the agency has already begun engaging with some companies to pilot the assessments and expects that work to ramp up considerably as CISA hires additional staff in the coming months.

He declined to name the entities involved in the pilot program, but said they will focus on organizations that support national security, defense, public health and safety and economic continuity. He added that CISA’s assessments will vary from sector to sector depending on their unique needs.

“Water isn’t necessarily designed to prioritize specific customer needs outside of recovery periods, while energy and transportation have more immediate tradeoffs for selecting one load or one set of cargo over another,” Andersen said as an example.

One pillar of CISA’s strategy is isolation: essentially turning off all third-party and business network connections to an OT network when facing an emergency or unknown vulnerability.

Organizations also need to develop an internal plan for what acceptable service levels look like under those conditions and reach understandings with their critical customers, like U.S. military installations and lifeline services.

The second pillar, recovery, involves best practices for organizations: backing up files, documenting systems and having manual backups for operations when normal computer systems are down.

In conversations with cybersecurity specialists who focus on critical infrastructure and operational technology, it is widely assumed that China is not the only nation to have broadly compromised Americans critical infrastructure. That hacking groups tied to other nations have almost surely noticed and exploited the same basic vulnerabilities and hygiene issues found by the Typhoons.

Agencies like the FBI and Federal Communications Commission have touted efforts to purge Chinese hackers and work voluntarily with telecoms to harden their network security. But U.S. national security officials and cybersecurity defenders have consistently said both Salt Typhoon and Volt Typhoon remain active threats to U.S. critical infrastructure.

The post CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict appeared first on CyberScoop.

The Federal Communications Commission approved new regulations Wednesday designed to crack down on robocalling, protect telecommunications networks from cyberattacks and further vet equipment-testing labs based overseas.

Commissioners unanimously passed a measure to strengthen telecom companies’ “Know Your Customer” requirements for verifying callers’ identities. Among the potential solutions being considered are requiring telecoms to verify a customer’s name, address, government ID and alternative phone numbers prior to enabling their service.

In a statement ahead of the vote, FCC Chair Brendan Carr said that under current rules some telecoms “do the bare minimum” to verify callers and have “become complicit in illegal robocalling schemes.”

“As we have continued to investigate the problem of illegal robocalls over the last year, it has become clear that some originating providers are not doing enough to vet their customers, allowing bad actors to infiltrate our U.S. phone networks,” he said.

Current rules require telecoms to take “affirmative, effective” measures to verify callers and block illegal calls, but in practice this system has largely relied on self-attestation from the companies. Because a single call can traverse multiple networks, carriers must also often rely on identity verification performed by other telecoms.

For example, the telecom that transmitted thousands of false robocalls imitating then-President Joe Biden during the 2024 New Hampshire presidential primary initially reported to the FCC that they had the highest level of confidence in the identity of those using the phone numbers. That turned out to be false, as the robocallers spoofed a well-known former state Democratic Party official.

Unsurprisingly, the commission is also interested in finding ways to better enforce Know Your Customer rules, including tying penalties to the number of illegal calls that were placed.

Since 1999, the FCC has traditionally granted blanket authorization for domestic carriers to operate interstate telecommunications services within U.S. borders. Another rule passed by the commission today would formally end that practice for foreign companies on the FCC’s covered entity list.  

The list bans a small number of foreign companies based in Russia or China from selling their equipment in the U.S. on national security grounds, but Carr said equipment from those companies often wind up in U.S. products by providing services that don’t fall under the current legal definition of international telecommunications authority.

Commissioner Olivia Trusty, who helped lead the development of the rule, said cybersecurity threats facing telecom networks today “exceed those of any recent era” and that updates must be made to modernize and harden networks.

“In response to these growing hostilities, it is imperative that we re-examine policies that permit access to U.S. networks to ensure that frameworks originally designed to promote economic growth are not exploited in ways that jeopardize our national and economic security,” Trusty said in a statement after the vote passed.

The FCC also passed a third measure that would refuse to recognize any testing or equipment lab based overseas that does not have a reciprocity agreement in place with U.S.-based labs. The rule builds off efforts last year to prohibit telecoms from relying on testing and certification labs that are owned or operated by foreign adversarial countries like China or Russia, which led to the FCC withdrawing or denying certification of 23 overseas labs.

The post FCC tightens KYC rules for telecoms, closes loophole for banned foreign services appeared first on CyberScoop.

The Federal Communications Commission is moving to crack down on illegal robocalls and the use of foreign call centers.

At a meeting Thursday, the three-member commission unanimously approved a new proposed regulation to increase certification and disclosure requirements for obtaining phone numbers, while also expanding those same requirements to all providers seeking phone numbers from the North American Numbering Plan Administrator and resellers.

The rule – which will be shaped through public comments – is meant to make it more difficult for spammers, scammers and other illegal robocallers to obtain legitimate phone numbers. The FCC’s Office of Communications said a majority of the agency’s investigations into illegal robocalling have involved resold numbers.

It would also impose stricter disclosure requirements on telecoms about the callers on their networks and their identities, information that will assist organizations like the Industry Traceback Group track and identify robocallers as their calls hop across the nation’s patchwork, decentralized telephone networks.

Commissioner Anna Gomez said the proposed rules would help raise the bar for bad actors to obtain valid phone numbers and help close gaps in reporting that make it harder for industry and regulators to find and expunge robocallers from networks.

“Right now, bad actors are exploiting gaps in a phone number system that was designed for a simpler time,” Gomez said.

The commission plans to explore a range of solutions to strengthen numbering requirements and policies, including cracking down on common tactics that rely heavily on resold numbers — like number cycling where “service providers churn through large quantities of telephone numbers [on] a rotating and even single-use basis to evade detection.”

Commissioner Olivia Trusty said that while changes in technology and the marketplace have brought significant benefits to consumers, it has also “made it more difficult to identify who is using telephone numbers and for what purposes, complicating both robocall enforcement and numbering administration.”

Last month, the FCC finalized regulations that require telecoms to annually certify that their caller information is accurate and provide updated information to the agency’s Robocall Mitigation Database. 

A separate proposed regulation passed by the commission Thursday would place new restrictions on the ability of U.S. telephone providers to outsource their call-center services to foreign countries. It specifically asks about the feasibility of giving consumers the option to require that their calls be routed to U.S.-based call centers, requiring calls involving “certain types of sensitive information” to be processed at U.S. locations, requiring providers to disclose the use of overseas centers to callers during a call and requiring operators to speak proficient English.

FCC Chair Brendan Carr touted the initiative as part of the Trump administration’s stated efforts to convince American companies to onshore more of their services in the U.S.

But organizations like the AARP have also found that overseas call centers operating outside of U.S. or international law play a big role in the nation’s robocalling epidemic. In a press conference after the meeting, Carr echoed that sentiment, claiming that some criminal scammers plaguing Americans today first broke into the industry by working at outsourced call centers.

“I think it also helps us crack down on some of the illegal robocallers,” Carr said about the new onshoring rules. “At the end of the day, I think American callers should expect and deserve to reach American call centers.”

The post FCC pushes new rules to crack down on robocallers, foreign call centers appeared first on CyberScoop.

The ban aligns with a White House determination that all routers produced abroad are a threat to national security.

The post FCC Bans New Routers Made Outside the US Over National Security Risks appeared first on SecurityWeek.

The Federal Communications Commission’s move to ban foreign-made routers touches on a real threat, but critics say the agency rule is overly broad, practically unworkable and doesn’t meaningfully address weaknesses in router security that have led to major breaches on American governments and businesses.

Under the Secure Equipment Act and Secure Networks Act, the FCC may ban foreign technology manufacturers if they are deemed a national security risk. But the federal government has almost always opted to narrowly target specific foreign companies with known or problematic connections to foreign adversaries, like Chinese telecom Huawei or Russian antivirus firm Kaspersky Labs.

The restrictions announced Monday, however, simply ban all routers “produced in a foreign country” except those granted conditional approval by the departments of Defense or Homeland Security.

The order imposes a sweeping and immediate halt to the purchase of non-American routers and Wi-Fi services for government agencies and businesses, along with unanswered questions about where to buy next and what to do with the foreign devices already embedded in their networks.

In justifying the decision, FCC Chair Brendan Carr cited a March 20 White House-led interagency report that concluded foreign-made routers pose “unacceptable” risks to U.S. national security. 

“Following President Trump’s leadership, the FCC will continue [to do] our part in making sure that U.S. cyberspace, critical infrastructure, and supply chains are safe and secure,” Carr said. 

U.S. policymakers have worried about the potential cybersecurity risks of relying on technology and equipment from countries like China or Russia, where local laws compel domestic companies to cooperate in national security investigations and hand over sensitive data. 

In 2024, members of Congress called for the Department of Commerce to investigate Chinese Wi-Fi and router makers like TP-Link, alleging the company’s “unusual degree of vulnerabilities and required compliance with [Chinese] law” amounted to an unacceptable national security risk.

Last year, five House Republican committee chairs urged Commerce Secretary Howard Lutnick to use the department’s authority “to eliminate products and services created by China and other foreign adversaries from domestic supply chains that are shown to have the potential to introduce security vulnerabilities.” An attached list of industries “needing immediate action” included routers and Wi-Fi, while mentioning TP-Link and Huawei as “Chinese or Chinese-controlled” entities.

While router insecurity is a major problem, it’s worth noting that American-made products are far from immune to foreign hacking. Major Chinese hacking campaigns, such as Salt Typhoon, succeeded not because of backdoors in Chinese-made tech but through the exploitation of known, previously reported vulnerabilities in U.S. and Western products.  

One former U.S. intelligence leader told CyberScoop that country of origin matters more when you’re dealing with an adversary like China, which has national security and vulnerability disclosure laws that require Chinese router companies to disclose cybersecurity vulnerabilities to the government first.

But it’s not just Chinese routers, or those made by America’s direct rivals, that concern intelligence officials.

Even in a global, digitally connected world, proximity still matters. Foreign countries can more easily disrupt or infect the supply chain of neighboring or bordering countries that may rely on similar parts, components or internet infrastructure.

“Attackers have so many options with what can be done with router access. [It’s] even easier if you have the country that runs and accesses them in your backyard,” said the official, who requested anonymity to speak candidly.

Investors may be drawing similar conclusions. Notably, stocks for Asian router companies fell following the FCC announcement, while U.S. company NetGear, which does not rely on Chinese supply chains, saw its shares jump 12%.  

A new point of leverage

The broad nature of the order — along with the ability to dole out exemptions to specific companies at will — effectively resets the regulatory relationship between foreign router companies and the U.S. government. Under it, each company with manufacturing operations in China or overseas would have to petition the FCC for an exemption to the rule.

The ambiguity behind what, specifically, a company would need to do to obtain an exemption could open the process up to potential abuse or political patronage, experts said.

A former FCC official told CyberScoop they were puzzled by the move, and questioned whether it was related to national security or if it would even pass legal muster in the courts.

Instead of adding targeted companies with foreign ties or a history of cybersecurity vulnerabilities to the list of banned providers — as the government has done and successfully defended in court in the past — the FCC instead sought to ban all foreign-made routers around the globe. That represents a potentially significant disruptive action to take in an environment where many businesses and governments today use TP-Link and other foreign companies for their internet needs. 

The net effect is “actually creating a new federal program of conditional approvals” for foreign router companies, the FCC alum said, one that is so broad it would take a massive combined federal effort to effectively remove bad actors from the foreign supply chain.

“I have a hard time believing that this administration — given what we’ve seen at CISA and other agencies and the mass departures — will actually roll out a sophisticated and tailored program to adequately address this kind of huge swing of an entire base of consumer products,” said the official, who was granted anonymity to speak candidly.

The official pointed to an attempt earlier this year by the FCC to ban imports of foreign drone components, saying there were similar “big swing” parallels to the legal rationale here. The drone ban is currently being challenged in court, and the official said they expect the FCC’s router order to be subject to similar lawsuits from companies.

Earlier this month, Carr also proposed new regulations that would place English language requirements on offshore call centers and asked the public for insight on potential policies to “encourage” companies to set up U.S.-based call centers, “including limits on call volume from overseas call centers.”

Carr said the FCC was also “opening up a new front in our efforts to block illegal robocalls from abroad by examining the targeted use of tariffs or bonds.”

The former FCC official said Carr’s prioritization on novel application of tariff authorities while discussing the implementation of two laws — the TRACED Act and the Truth In Caller ID Act — that are unrelated to trade makes it impossible to disentangle the agency’s genuine national security concerns from the Trump administration’s broader attempts to gain leverage over foreign companies in their trade fights.

“Those are weird kind of random hops that seem to be in response to this broader picture of the big tariff decision that came out,” the official said.

The post Critics call FCC router rule a ‘big swing’ that could create more supply chain uncertainty appeared first on CyberScoop.

More than a year after national security officials revealed that Chinese hackers had systematically infiltrated U.S. telecommunications networks, the top Senate Democrat on the committee overseeing the industry is calling for hearings with executives from the nation’s biggest telecom companies.

In a public letter released Tuesday, Sen. Maria Cantwell, D-Wash., called for the CEOs of Verizon and AT&T to appear before Congress and explain how the hacking group known as Salt Typhoon breached their networks, as well as what steps they’ve taken to prevent another intrusion.

“For months, I have sought specific documentation from AT&T and Verizon that would purportedly corroborate their claims that their networks are now secure from this attack,” Cantwell wrote to Sen. Ted Cruz, R-Texas, who is the Chair of the Senate Commerce, Science and Transportation Committee. “Unfortunately, both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk.”

Salt Typhoon’s intrusion into telecom networks exposed major security weaknesses and put sensitive communications and data belonging to U.S. politicians and policymakers at risk. The federal government has done little since to hold the industry publicly accountable.

Congress has neither  proposed or passed meaningful legislation to address the issue.  While a handful of federal departments and agencies began public regulatory and oversight reviews, most of those efforts have been shut down or rolled back.

An investigation by the Cyber Safety Review Board at the Department of Homeland Security into the intrusions was abruptly stopped when the Trump administration eliminated the advisory body. One former member remarked recently that the failure to finish the investigation ranked among her biggest career regrets.

Weeks before President Joe Biden left office, his Federal Communications Commission issued emergency regulations aimed at holding telecom companies legally responsible – under federal wiretapping laws – for securing their communications. The rules would have also required carriers to file annual certifications with the FCC confirming they have cyber risk management plans in place. That certification would include addressing common security gaps, like lack of multifactor authentication, that are widely believed to have been exploited by Salt Typhoon.

While outgoing Chair Jessica Rosenworcel told CyberScoop the rules were badly needed to hold telecoms accountable for their cybersecurity, Brendan Carr— an FCC commissioner and Rosenworcel’s successor as chair—rescinded those rules, arguing they were unnecessary because the FCC and telecoms could work together voluntarily on cybersecurity. Another commissioner, Anna Gomez, told CyberScoop she had seen no evidence her agency had been meeting with telecoms on the issue.

At a hearing in December, Cruz endorsed the FCC’s elimination of the rules, arguing that improving the nation’s telecom cybersecurity “doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time.”

Cantwell, citing reporting from CyberScoop and other sources, argued that  “telecommunications providers have taken few protective actions thus far due to the costs involved” and said the committee “must hear directly from the CEOs of AT&T and Verizon so Americans have clarity and confidence about the security of their communications.”

According to Cantwell, she has already requested documentation from AT&T CEO John Stankey and then-Verizon CEO Hans Vestberg on how they’ve responded to the breaches. Both confirmed that Mandiant, Google Cloud’s incident response and threat-intelligence division wrote a report, one that Cantwell said “would presumably document the vulnerabilities identified and detail what corrective actions” telecoms took to improve their privacy and security.

She claimed after requesting the report from Mandiant, AT&T and Verizon “apparently intervened to block Mandiant from cooperating with my requests.”

AT&T and Verizon representatives did not immediately respond to a request for comment.

The post Cantwell claims telecoms blocked release of Salt Typhoon report  appeared first on CyberScoop.

When news broke approximately a year ago that Chinese hackers had systemically penetrated at least nine major U.S. communications networks, the level of alarm from policymakers was clear.  

At a hearing held Tuesday by the Senate Committee on Commerce, experts offered differing assessments of the threat. While intelligence officials have characterized the Salt Typhoon operation’s targeting of high-level U.S. politicians as falling within the bounds of traditional geopolitical espionage, other experts argued that the unprecedented scale of  China’s hacking activity in the U.S. telecom sector —  and the country’s pursuit of broader, long-term access — constitutes a more systemic attack on critical infrastructure that poses a serious threat to national security.

Jamil Jaffer, executive director of the National Security Institute at George Mason University, noted before the committee that “the reality is that our adversaries don’t know where our red lines are” when it comes to intrusions like Salt Typhoon, because the U.S. has failed to effectively communicate its boundaries to adversary nations in cyberspace.

“They don’t know what we would do if those red lines are crossed, and to the extent that we do enforce them…in the cyber or telecommunications domain, we do it in a way that other adversaries can’t see,” said Jaffer.

Jaffer also criticized the U.S. government for both not doing enough to stop the attack ahead of time and relying too heavily on regulation to strengthen telecommunications cybersecurity. Instead, he advocated for closer voluntary cooperation and more information sharing between government and industry.

Senate Commerce Committee Chair Sen. Ted Cruz, R-Texas, and telecommunications subcommittee chair Sen. Deb Fischer, R-Neb., both endorsed the FCC’s recent decisions to withdraw a pair of new regulations issued by the agency in the waning days of the Biden administration. The first would have interpreted a decades-old law to say that telecoms have a legal obligation to protect their communications from unauthorized foreign interception. The second would have required telecoms to submit annual verification of their cybersecurity plans to the FCC.

FCC Chair Brendan Carr called those rules rushed and ineffective. He also said they were unnecessary, citing extensive conversations between the FCC and industry that had already produced voluntary cybersecurity improvements across the sector.

Cruz expressed support for the FCC’s decision, saying the rules would have forced telecoms to “chase the false security of compliance checklists instead of engaging in real-world threats” and divert resources from “the necessary partnerships and response capabilities that actually stop intrusions.”

“This [problem] needs foresight and agility, and it doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time,” said Cruz.

But that view was directly contradicted by a former FCC official at the hearing.

Debra Jordan, former chief of the commission’s Public Safety and Homeland Security Bureau, told lawmakers that the rules put out in January were an attempt by the FCC to “lean forward” and leverage flexible cyber standards rather than “sit back and wait for the next attack to happen.”

While Carr, Cruz and Fischer all cited increased cooperation with industry as sufficient, Jordan noted that the FCC does not cite any process by which providers are actually held accountable to meet specific commitments.

“From my experience as bureau chief, I’m not convinced that providers will take sufficient and sustained actions in the wake of Volt and Salt Typhoon without a strong verification regime,” she said.

Later, Sen. Maria Cantwell, D-Mass., noted that both AT&T and Verizon declined her request earlier this year for additional documentation detailing their response to the Salt Typhoon breach.

“Hardly a transparent effort,” Cantwell said. “I believe the American people deserve to know whether China is still in our telecom networks.”

Other FCC commissioners have also questioned the extent of the agency’s engagement with industry over Salt Typhoon. Last month, FCC Commissioner Anna Gomez told CyberScoop that she has not witnessed any robust discussions with telecom companies over the past year, adding that only evidence she had of such conversations came from Carr’s statements.

She also lamented that the FCC’s withdrawal of telecom cybersecurity regulations would eliminate “the only meaningful regulatory response to Salt Typhoon that I’ve seen.

Carr, Cruz and Fischer all touted existing laws and regulations requiring the removal and replacement of telecommunications equipment from Chinese companies like Huawei and ZTE as evidence the government has taken significant action to address the threat.

But Chinese telecommunications equipment does not appear to have played any role in Salt Typhoon’s intrusions, according to public officials who have said the hackers mostly relied on the poor state of cybersecurity across the telecom industry. Cantwell pointed out that the hackers gained access to telecom networks through basic weaknesses like unpatched vulnerabilities that have been public for years, weak passwords and lack of multifactor authentication.

Sen. Ben Ray Luján, D-N.M., was deeply critical of the FCC’s regulatory removal. He noted that the Senate Commerce Committee held a hearing on Salt Typhoon’s intrusions last year and has done almost nothing since to secure telecom networks, while the FCC was trading away its regulatory power for pinky promises from industry.

“The FCC stripped these protections away, replacing them with voluntary pledges and handshakes with companies whose networks have already proven themselves vulnerable to data breaches,” he said. “To put it plainly, these companies are basically leaving their front doors unlocked after a data break in, and the FCC has decided to take their word when they promise they’ve installed deadbolts and security cameras.”

Gomez, Jordan, Luján and Jaffer all described Salt Typhoon as an active threat to U.S. telecommunications networks and critical infrastructure, and expressed concern over how the vulnerabilities exploited by the group could be leveraged to disrupt or intercept vital U.S. emergency communications.

“We can see that it’s not just the major carriers,” said Lujan. “I’m also concerned that schools, hospitals, libraries, police departments and emergency responders are all exposed and do not have the resources to defend themselves against foreign adversaries.”

The post The Congressional remedy for Salt Typhoon? More information sharing with industry appeared first on CyberScoop.