Cantwell claims telecoms blocked release of Salt Typhoon report 

More than a year after national security officials revealed that Chinese hackers had systematically infiltrated U.S. telecommunications networks, the top Senate Democrat on the committee overseeing the industry is calling for hearings with executives from the nation’s biggest telecom companies.

In a public letter released Tuesday, Sen. Maria Cantwell, D-Wash., called for the CEOs of Verizon and AT&T to appear before Congress and explain how the hacking group known as Salt Typhoon breached their networks, as well as what steps they’ve taken to prevent another intrusion.

“For months, I have sought specific documentation from AT&T and Verizon that would purportedly corroborate their claims that their networks are now secure from this attack,” Cantwell wrote to Sen. Ted Cruz, R-Texas, who is the Chair of the Senate Commerce, Science and Transportation Committee. “Unfortunately, both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk.”

Salt Typhoon’s intrusion into telecom networks exposed major security weaknesses and put sensitive communications and data belonging to U.S. politicians and policymakers at risk. The federal government has done little since to hold the industry publicly accountable.

Congress has neither proposed nor passed meaningful legislation to address the issue. While a handful of federal departments and agencies began public regulatory and oversight reviews, most of those efforts have been shut down or rolled back.

An investigation by the Cyber Safety Review Board at the Department of Homeland Security into the intrusions was abruptly stopped when the Trump administration eliminated the advisory body. One former member remarked recently that the failure to finish the investigation ranked among her biggest career regrets.

Weeks before President Joe Biden left office, his Federal Communications Commission issued emergency regulations aimed at holding telecom companies legally responsible – under federal wiretapping laws – for securing their communications. The rules would have also required carriers to file annual certifications with the FCC confirming they have cyber risk management plans in place. That certification would include addressing common security gaps, like lack of multifactor authentication, that are widely believed to have been exploited by Salt Typhoon.

While outgoing Chair Jessica Rosenworcel told CyberScoop the rules were badly needed to hold telecoms accountable for their cybersecurity, Brendan Carr, an FCC commissioner and Rosenworcel’s successor as chair, rescinded those rules, arguing they were unnecessary because the FCC and telecoms could work together voluntarily on cybersecurity. Another commissioner, Anna Gomez, told CyberScoop she had seen no evidence her agency had been meeting with telecoms on the issue.

At a hearing in December, Cruz endorsed the FCC’s elimination of the rules, arguing that improving the nation’s telecom cybersecurity “doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time.”

Cantwell, citing reporting from CyberScoop and other sources, argued that “telecommunications providers have taken few protective actions thus far due to the costs involved” and said the committee “must hear directly from the CEOs of AT&T and Verizon so Americans have clarity and confidence about the security of their communications.”

According to Cantwell, she has already requested documentation from AT&T CEO John Stankey and then-Verizon CEO Hans Vestberg on how they’ve responded to the breaches. Both confirmed that Mandiant, Google Cloud’s incident response and threat-intelligence division, wrote a report, one that Cantwell said “would presumably document the vulnerabilities identified and detail what corrective actions” telecoms took to improve their privacy and security.

She claimed that after she requested the report from Mandiant, AT&T and Verizon “apparently intervened to block Mandiant from cooperating with my requests.”

AT&T and Verizon representatives did not immediately respond to a request for comment.

The post Cantwell claims telecoms blocked release of Salt Typhoon report appeared first on CyberScoop.

The Congressional remedy for Salt Typhoon? More information sharing with industry

When news broke approximately a year ago that Chinese hackers had systemically penetrated at least nine major U.S. communications networks, the level of alarm from policymakers was clear.

At a hearing held Tuesday by the Senate Committee on Commerce, experts offered differing assessments of the threat. While intelligence officials have characterized the Salt Typhoon operation’s targeting of high-level U.S. politicians as falling within the bounds of traditional geopolitical espionage, other experts argued that the unprecedented scale of China’s hacking activity in the U.S. telecom sector — and the country’s pursuit of broader, long-term access — constitutes a more systemic attack on critical infrastructure that poses a serious threat to national security.

Jamil Jaffer, executive director of the National Security Institute at George Mason University, noted before the committee that “the reality is that our adversaries don’t know where our red lines are” when it comes to intrusions like Salt Typhoon, because the U.S. has failed to effectively communicate its boundaries to adversary nations in cyberspace.

“They don’t know what we would do if those red lines are crossed, and to the extent that we do enforce them…in the cyber or telecommunications domain, we do it in a way that other adversaries can’t see,” said Jaffer.

Jaffer also criticized the U.S. government for both not doing enough to stop the attack ahead of time and relying too heavily on regulation to strengthen telecommunications cybersecurity. Instead, he advocated for closer voluntary cooperation and more information sharing between government and industry.

Senate Commerce Committee Chair Sen. Ted Cruz, R-Texas, and telecommunications subcommittee chair Sen. Deb Fischer, R-Neb., both endorsed the FCC’s recent decisions to withdraw a pair of new regulations issued by the agency in the waning days of the Biden administration. The first would have interpreted a decades-old law to say that telecoms have a legal obligation to protect their communications from unauthorized foreign interception. The second would have required telecoms to submit annual verification of their cybersecurity plans to the FCC.

FCC Chair Brendan Carr called those rules rushed and ineffective. He also said they were unnecessary, citing extensive conversations between the FCC and industry that had already produced voluntary cybersecurity improvements across the sector.

Cruz expressed support for the FCC’s decision, saying the rules would have forced telecoms to “chase the false security of compliance checklists instead of engaging in real-world threats” and divert resources from “the necessary partnerships and response capabilities that actually stop intrusions.”

“This [problem] needs foresight and agility, and it doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time,” said Cruz.

But that view was directly contradicted by a former FCC official at the hearing.

Debra Jordan, former chief of the commission’s Public Safety and Homeland Security Bureau, told lawmakers that the rules put out in January were an attempt by the FCC to “lean forward” and leverage flexible cyber standards rather than “sit back and wait for the next attack to happen.”

While Carr, Cruz and Fischer all cited increased cooperation with industry as sufficient, Jordan noted that the FCC does not cite any process by which providers are actually held accountable to meet specific commitments.

“From my experience as bureau chief, I’m not convinced that providers will take sufficient and sustained actions in the wake of Volt and Salt Typhoon without a strong verification regime,” she said.

Later, Sen. Maria Cantwell, D-Mass., noted that both AT&T and Verizon declined her request earlier this year for additional documentation detailing their response to the Salt Typhoon breach.

“Hardly a transparent effort,” Cantwell said. “I believe the American people deserve to know whether China is still in our telecom networks.”

Other FCC commissioners have also questioned the extent of the agency’s engagement with industry over Salt Typhoon. Last month, FCC Commissioner Anna Gomez told CyberScoop that she has not witnessed any robust discussions with telecom companies over the past year, adding that the only evidence she had of such conversations came from Carr’s statements.

She also lamented that the FCC’s withdrawal of telecom cybersecurity regulations would eliminate “the only meaningful regulatory response to Salt Typhoon that I’ve seen.”

Carr, Cruz and Fischer all touted existing laws and regulations requiring the removal and replacement of telecommunications equipment from Chinese companies like Huawei and ZTE as evidence the government has taken significant action to address the threat.

But Chinese telecommunications equipment does not appear to have played any role in Salt Typhoon’s intrusions, according to public officials who have said the hackers mostly relied on the poor state of cybersecurity across the telecom industry. Cantwell pointed out that the hackers gained access to telecom networks through basic weaknesses like unpatched vulnerabilities that have been public for years, weak passwords and lack of multifactor authentication.

Sen. Ben Ray Luján, D-N.M., was deeply critical of the FCC’s regulatory removal. He noted that the Senate Commerce Committee held a hearing on Salt Typhoon’s intrusions last year and has done almost nothing since to secure telecom networks, while the FCC was trading away its regulatory power for pinky promises from industry.

“The FCC stripped these protections away, replacing them with voluntary pledges and handshakes with companies whose networks have already proven themselves vulnerable to data breaches,” he said. “To put it plainly, these companies are basically leaving their front doors unlocked after a data break in, and the FCC has decided to take their word when they promise they’ve installed deadbolts and security cameras.”

Gomez, Jordan, Luján and Jaffer all described Salt Typhoon as an active threat to U.S. telecommunications networks and critical infrastructure, and expressed concern over how the vulnerabilities exploited by the group could be leveraged to disrupt or intercept vital U.S. emergency communications.

“We can see that it’s not just the major carriers,” said Luján. “I’m also concerned that schools, hospitals, libraries, police departments and emergency responders are all exposed and do not have the resources to defend themselves against foreign adversaries.”

The post The Congressional remedy for Salt Typhoon? More information sharing with industry appeared first on CyberScoop.

Legislation would designate ‘critical cyber threat actors,’ direct sanctions against them

A House Republican introduced legislation Tuesday aimed at deterring cyberattacks against the United States at a time when the Trump administration is prioritizing the punishment of malicious hackers.

Rep. August Pfluger, R-Texas, revived legislation he first sponsored in 2022, the Cyber Deterrence and Response Act. The legislation would direct the executive branch to formally designate foreign parties behind major cyberattacks against the United States as a “critical cyber threat actor” who would be subject to sanctions. It also would establish a framework for attributing who’s behind cyber attacks, including contributions from cyber agencies and threat intelligence companies.

“As cyberattacks in the United States grow more sophisticated and widespread, we must ensure the Trump administration and all future administrations have a strong framework to hold bad actors accountable and safeguard our national security,” Pfluger said in a news release. “Protecting America’s critical infrastructure from malicious cyberattacks is essential, and this bill does exactly that.”

The legislation is the latest reflection of congressional dismay that began growing last year in response to the Salt Typhoon cyberespionage campaign that infiltrated telecommunications networks, and the sense that the United States wasn’t doing enough to make hackers pay for their behavior.

At a hearing Tuesday, Senate Commerce Chairman Ted Cruz, R-Texas, said the United States needs to do a better job of working “together to detect and deter attacks in real time.”

The Trump administration has said deterrence is one of the first pillars of its forthcoming cyber strategy.

The definition of “critical cyber threat actor” under Pfluger’s bill applies to hackers who disrupt the availability of computer networks, compromise computers that provide services in critical infrastructure, steal significant personal data or trade secrets, destabilize the financial or energy sectors or undermine the election process.

The president could waive sanctions against those designees if the president explains the reasoning to Congress in writing, a common clause of sanctions legislation.

Pfluger’s measure is updated in some ways from its 2022 incarnation, such as by giving the Office of the National Cyber Director the leading role in designating critical cyber actors.

The legislation draws on bills that former Rep. Ted Yoho, R-Fla., introduced in past years. That legislation won House approval in 2018, but never advanced further.

The post Legislation would designate ‘critical cyber threat actors,’ direct sanctions against them appeared first on CyberScoop.
