
CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict

By: djohnson
5 May 2026 at 17:47

The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure owners and operators to plan for delivering essential services under emergency conditions – potentially for months at a time.

The federal government’s top cybersecurity agency warned that state-sponsored hackers, particularly two Chinese groups known as Salt Typhoon and Volt Typhoon, continue to threaten critical sectors such as electricity, water and internet service.

The agency is now working with the private sector to protect operational technology – the systems that control the heavy machinery and equipment that powers most critical infrastructure – from attacks that enter through business IT systems or third-party vendor products.

The initiative, known as CI Fortify, will include CISA conducting targeted technical assessments of critical infrastructure entities and aims to produce plans that “allow for safe operations for weeks to months while isolated” from IT networks and third-party tools, according to the agency’s website.

Nick Andersen, CISA’s acting director, told reporters that the goal is “service delivery [that] can still reach critical infrastructure after the asset owner has disconnected with IT and OT, disconnected from third party vendors and service provider connections and disconnected from third party telecommunications equipment.”

Over the past two years, wars in Ukraine, Gaza, Iran and elsewhere have seen water plants, power substations, data centers and other critical infrastructure targeted by kinetic or cyberattacks.

Andersen said the agency has already begun engaging with some companies to pilot the assessments and expects that work to ramp up considerably as CISA hires additional staff in the coming months.

He declined to name the entities involved in the pilot program, but said they will focus on organizations that support national security, defense, public health and safety, and economic continuity. He added that CISA’s assessments will vary from sector to sector depending on each sector’s unique needs.

“Water isn’t necessarily designed to prioritize specific customer needs outside of recovery periods, while energy and transportation have more immediate tradeoffs for selecting one load or one set of cargo over another,” Andersen said as an example.

One pillar of CISA’s strategy is isolation: essentially turning off all third-party and business network connections to an OT network during an emergency or when facing an unknown vulnerability.

Organizations also need to develop an internal plan for what acceptable service levels look like under those conditions and reach understandings with their critical customers, like U.S. military installations and lifeline services.

The second pillar, recovery, involves best practices for organizations: backing up files, documenting systems and having manual backups for operations when normal computer systems are down.

In conversations with cybersecurity specialists who focus on critical infrastructure and operational technology, it is widely assumed that China is not the only nation to have broadly compromised Americans’ critical infrastructure. Hacking groups tied to other nations, the thinking goes, have almost surely noticed and exploited the same basic vulnerabilities and hygiene issues found by the Typhoons.

Agencies like the FBI and Federal Communications Commission have touted efforts to purge Chinese hackers and work voluntarily with telecoms to harden their network security. But U.S. national security officials and cybersecurity defenders have consistently said both Salt Typhoon and Volt Typhoon remain active threats to U.S. critical infrastructure.

The post CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict appeared first on CyberScoop.

CISA official advises agencies not to get too hung up on who takes lead in critical infrastructure sectors

17 March 2026 at 17:23

The U.S. government shouldn’t rigidly stick to traditional designations about which agency takes the lead on engaging with critical infrastructure sectors, the acting director of the Cybersecurity and Infrastructure Security Agency said Tuesday.

Sector risk management agency designations have long governed which agency is at the forefront of government efforts to protect each of the 16 critical infrastructure sectors, with CISA responsible for eight of them.

“When we look at our sector risk management agency construct, that’s important for a lot of reasons. It’s less important to abide by that strictly and say ‘CISA is the Sector Risk Management Agency for telecommunications,’” CISA’s Nick Andersen said at an event hosted by Auburn University’s McCrary Institute.

Rather, when responding to cyber incidents or undertaking other engagements with the private sector, the question should be who has the best relationship with a certain sector.

“We may have some owner-operators within a certain critical infrastructure sector that maybe the person they’re best positioned to receive resources from is us, or maybe it’s [Department of] Energy, or maybe it’s EPA, or maybe it’s FBI or NSA, or so forth and so on,” he said. “We just have to be comfortable with taking off those blinders and saying, ‘I don’t necessarily need to be in charge all the time no matter who I am. I just need to make sure that this owner-operator has the best partner teed up to lead that engagement.’”

The goal is to avoid another “Guam situation,” where “everybody was racing to Guam the last couple of years like kids chasing a soccer ball,” Andersen said. Guam was the site of critical infrastructure attacks on U.S. military bases that Microsoft attributed to the Chinese hacking group Volt Typhoon in 2023.

An attack on the telecommunications sector from another “Typhoon” group, Salt Typhoon, prompted questions about whether CISA’s hands are too full with all of its sector risk management agency responsibilities. House Homeland Security Chairman Andrew Garbarino, R-N.Y., raised concerns last year about how CISA handled its sector risk management agency role for the telecommunications sector after the Salt Typhoon campaign was uncovered.


Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules

By: djohnson
12 March 2026 at 11:24

Two years ago, it was revealed that Chinese hackers had compromised at least ten U.S. telecoms, giving them broad access to phone data affecting nearly all Americans. Since then, public officials charged with responding to the campaign and bolstering the nation’s cyber defenses have reported a common problem.

Many of their constituents struggle to understand why the hacks, carried out by a group called Salt Typhoon, should rank among their top concerns, or how the hacks affect their day-to-day lives.

Some state and federal officials worry that this lack of interest is depriving policymakers of the public pressure needed to build momentum for stronger action to improve the nation’s telecommunications cybersecurity.

Mike Geraghty, the CISO and director of the New Jersey Cybersecurity and Communications Cell, said New Jersey is the nation’s most densely populated state, with a high concentration of critical infrastructure and a major telecommunications footprint. For that reason, a campaign like Salt Typhoon should, in theory, be of strong interest to Garden State residents.

“However, if you talk to a person on the street in New Jersey, they’ll say who cares that the Chinese are looking at – you know – what numbers I call?” he said Wednesday at the Billington State and Local Cybersecurity Summit. “It has a big role to play in my job, but trying to get people to understand what that means for New Jersey is really difficult.”

Congress hasn’t passed comprehensive privacy legislation in decades. Meanwhile, cyberattacks that expose sensitive data are widespread, and U.S. companies routinely collect and sell customers’ personal information. Some officials speculate that, taken together, these trends have left Americans numb to data theft and data-for-profit, so additional breaches feel like just another drop in the bucket.

Mischa Beckett, deputy chief information security officer and director of cyber threat intelligence at GDIT, said Salt Typhoon’s focus on telecom data can feel like an abstract threat to many Americans. By contrast, other Chinese hacking campaigns like Volt Typhoon suggest potential damage to water plants and electric grids that are easier to grasp.

“It’s maybe a little bit easier to write off a loss of data ... and move on, as unfortunate but no big deal,” said Beckett. “I think that case is much harder to make when we’re talking about pre-positioning and critical infrastructure, things that touch all of our lives every day.”

Last year, a former intelligence official at the Office of the Director of National Intelligence told CyberScoop that a lack of outrage from the public following the Salt Typhoon attacks was dampening momentum for broader regulation or reforms to telecom cybersecurity.

“We can’t accept this level of espionage on our networks,” said Laura Galante who led the Cyber Threat Intelligence Integration Center under the Biden administration. “If you had 50 Chinese [Ministry of State Security] spies or contractors sitting inside a major [telecom company’s] building, they would be walked out and it would be a full-scale effort. That’s in broad strokes what has happened, but the access was digital.”


FBI targeted with ‘suspicious’ activity on its networks

5 March 2026 at 15:45

The FBI found evidence that its networks had been targeted in a suspected cybersecurity incident, the bureau confirmed on Thursday, without sharing any further details.

“The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” the agency said in a statement. “We have nothing additional to provide.”

CNN and CBS reported that the suspicious activity targeted a digital system the FBI uses to manage and conduct surveillance, including work related to foreign surveillance warrants, wiretaps and pen registers, which are used to trace phone and computer data like IP addresses and dialed phone numbers.

News broke in 2024 that the Chinese hacking group Salt Typhoon had exploited the U.S. wiretapping system, established under the Communications Assistance for Law Enforcement Act (CALEA), that law enforcement and intelligence agencies rely upon, but CNN reported that it wasn’t clear whether the 2024 intrusions and the recent suspected incident were connected.

It also wasn’t clear when the incident occurred, or who was responsible.

The FBI, like virtually every federal agency, is no stranger to being targeted or infiltrated by hackers.

In 2023, the FBI said it had isolated and contained a cyber intrusion in its New York Field Office. In 2021, hackers exploited a misconfigured FBI server to send hoax emails, although the bureau said its own systems weren’t affected.

Congress, former agents and others have raised concerns about the FBI’s cyber capabilities amid budget cuts and the loss of personnel under the second Trump administration. Brett Leatherman, who leads the bureau’s cyber division, told CyberScoop recently that it has suffered no diminishment of its ability to respond to threats and incidents.


FBI: Threats from Salt Typhoon are ‘still very much ongoing’

By: djohnson
19 February 2026 at 13:44

A top FBI cyber official said Salt Typhoon, the Chinese cyber espionage group behind the widespread compromise of U.S. telecommunications infrastructure in 2024, continues to pose a broad threat to both America’s private and public sectors.

Michael Machtinger, deputy assistant director for cyber intelligence at the FBI, touted improved partnerships between the telecommunications industry and government in the wake of the campaign while speaking at CyberTalks, presented by CyberScoop, in Washington D.C. Thursday.

Companies that engaged with the FBI and federal agencies like CISA early after the campaign went public “have been without a doubt the most successful in mitigating the impact of the Salt Typhoon intrusions,” he claimed.

Last year, CyberScoop’s reporting found that the U.S. telecommunications sector was riddled with basic cybersecurity vulnerabilities and a patchwork of consolidated networks, and that Salt Typhoon took advantage of these weaknesses to gain widespread, persistent access to major telecom networks.

Machtinger echoed a similar sentiment in describing lessons the FBI took away from the episode, saying that “despite all the advances in cybersecurity tools and strategies, it is still the most basic vulnerabilities that provide entry points.”

Cybersecurity leaders and network defenders have a responsibility to understand their own vulnerabilities and implement “fundamental” cybersecurity practices such as zero trust, least-privilege access, secure-by-design principles, end-to-end encryption and other protections.

Despite an increasingly complex threat and technology environment, phishing and the targeting of vulnerable legacy systems are still the most common ways the FBI sees hacking groups gain access to victims. While foreign intelligence agencies do use zero-day vulnerabilities and other sophisticated tools to compromise well-defended systems, Machtinger said, “by and large this is not what we are seeing, and it is not what we saw in Salt Typhoon.”

“None of these concepts are new…and truthfully they’re not all that advanced, but they are increasingly essential as adversaries adapt their tactics and our attack surface becomes more widespread,” said Machtinger. “If we’re going to safeguard our personal and proprietary information, it is just as important for us to lock the doors inside the house as it is to lock the front door.”

But these lessons haven’t diminished the threat. Machtinger estimated that Salt Typhoon’s intrusions have affected more than 80 countries, often following the same playbook of pairing broad access with “indiscriminate” targeting and collection.

It is “important to recognize that the threat posed by Salt Typhoon actors and the rest of the PRC intelligence apparatus and enabling infrastructure is still very, very much ongoing,” Machtinger said.


Cantwell claims telecoms blocked release of Salt Typhoon report 

By: djohnson
3 February 2026 at 18:09

More than a year after national security officials revealed that Chinese hackers had systematically infiltrated U.S. telecommunications networks, the top Senate Democrat on the committee overseeing the industry is calling for hearings with executives from the nation’s biggest telecom companies.

In a public letter released Tuesday, Sen. Maria Cantwell, D-Wash., called for the CEOs of Verizon and AT&T to appear before Congress and explain how the hacking group known as Salt Typhoon breached their networks, as well as what steps they’ve taken to prevent another intrusion.

“For months, I have sought specific documentation from AT&T and Verizon that would purportedly corroborate their claims that their networks are now secure from this attack,” Cantwell wrote to Sen. Ted Cruz, R-Texas, who is the Chair of the Senate Commerce, Science and Transportation Committee. “Unfortunately, both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk.”

Salt Typhoon’s intrusion into telecom networks exposed major security weaknesses and put sensitive communications and data belonging to U.S. politicians and policymakers at risk. The federal government has done little since to hold the industry publicly accountable.

Congress has neither proposed nor passed meaningful legislation to address the issue. While a handful of federal departments and agencies began public regulatory and oversight reviews, most of those efforts have been shut down or rolled back.

An investigation by the Cyber Safety Review Board at the Department of Homeland Security into the intrusions was abruptly stopped when the Trump administration eliminated the advisory body. One former member remarked recently that the failure to finish the investigation ranked among her biggest career regrets.

Weeks before President Joe Biden left office, his Federal Communications Commission issued emergency regulations aimed at holding telecom companies legally responsible – under federal wiretapping laws – for securing their communications. The rules would have also required carriers to file annual certifications with the FCC confirming they have cyber risk management plans in place. That certification would include addressing common security gaps, like lack of multifactor authentication, that are widely believed to have been exploited by Salt Typhoon.

While outgoing Chair Jessica Rosenworcel told CyberScoop the rules were badly needed to hold telecoms accountable for their cybersecurity, Brendan Carr, an FCC commissioner who succeeded Rosenworcel as chair, rescinded those rules, arguing they were unnecessary because the FCC and telecoms could work together voluntarily on cybersecurity. Another commissioner, Anna Gomez, told CyberScoop she had seen no evidence her agency had been meeting with telecoms on the issue.

At a hearing in December, Cruz endorsed the FCC’s elimination of the rules, arguing that improving the nation’s telecom cybersecurity “doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time.”

Cantwell, citing reporting from CyberScoop and other sources, argued that “telecommunications providers have taken few protective actions thus far due to the costs involved” and said the committee “must hear directly from the CEOs of AT&T and Verizon so Americans have clarity and confidence about the security of their communications.”

According to Cantwell, she has already requested documentation from AT&T CEO John Stankey and then-Verizon CEO Hans Vestberg on how they’ve responded to the breaches. Both confirmed that Mandiant, Google Cloud’s incident response and threat-intelligence division, wrote a report, one that Cantwell said “would presumably document the vulnerabilities identified and detail what corrective actions” the telecoms took to improve their privacy and security.

She claimed after requesting the report from Mandiant, AT&T and Verizon “apparently intervened to block Mandiant from cooperating with my requests.”

AT&T and Verizon representatives did not immediately respond to a request for comment.


Key lawmaker says Congress likely to kick can down road on cyber information sharing law

16 December 2025 at 14:32

With a little more than a month left before a foundational cyber threat information sharing law expires for a second time, Congress might have to do another short-term extension as negotiations on a longer deal aren’t yet bearing fruit, a key lawmaker said Tuesday.

House Homeland Security Chairman Andrew Garbarino, R-N.Y., said the problem with a long-term extension of the Cybersecurity Information Sharing Act of 2015, which provides legal protections to companies to share cyber threat data with the federal government and other companies, is that there are three different views about how to approach it.

The Trump administration and some in the Senate want a clean, 10-year reauthorization of the law, which Congress extended last month until Jan. 30 as part of the legislation that ended the government shutdown, after the information sharing law lapsed in October. But a reauthorization without any changes could run into House opposition, Garbarino said.

“I don’t know if I can get that passed in the House, with concerns from the Freedom Caucus,” he said at an event hosted by Auburn University’s McCrary Institute. The Freedom Caucus has been critical of the Cybersecurity and Infrastructure Security Agency, which is integral to implementing the 2015 law.

Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul, R-Ky., also has a version of the bill that focuses largely on language he said is needed to defend free speech. And Garbarino’s version takes yet another approach to tweaking the law.

“Unfortunately, I don’t think we’re close enough with the discussions on the Senate to get it to figure out which bill will pass and what will get done,” Garbarino said. That leaves another extension tied to any funding bill that replaces the legislation currently funding the government, which also runs through Jan. 30.

Garbarino said his committee also is working on other issues, like deconflicting federal cybersecurity regulations, the cyber workforce and responding to the Chinese hacking group Salt Typhoon breaching telecommunications networks.

A report on “regulatory harmonization” has been underway at the committee, he said. But that doesn’t mean he wants to roll all the rules back. Asked about the Federal Communications Commission voting to get rid of Biden administration-era rules put into place in response to the Salt Typhoon breach, Garbarino said, “I’m not sure I would’ve voted to get rid of some of the protections or the rules, but it wasn’t my vote.”

The committee has been probing the government’s response to Salt Typhoon, and recently sent another set of questions in the past two or three months after not getting satisfactory answers the first time, Garbarino said.

“We are working closely with the China Select Committee as to what legislatively we could move if there’s something,” he said. “We’re not there yet.” 

Rep. Sheri Biggs, R-S.C., has picked up the baton on cyber workforce legislation sponsored by Garbarino’s predecessor as chairman, and Garbarino said he expects there to be some changes to the bill.

And two House Homeland subcommittees are holding a hearing Wednesday on artificial intelligence and cybersecurity.

“I’ll tell you right now, with our adversaries, the way they’re going to use AI, we can’t defend with human intervention alone,” Garbarino said. “AI is going to have to be part of our cyber defense.”


The Congressional remedy for Salt Typhoon? More information sharing with industry

By: djohnson
2 December 2025 at 13:57

When news broke approximately a year ago that Chinese hackers had systematically penetrated at least nine major U.S. communications networks, the level of alarm from policymakers was clear.

At a hearing held Tuesday by the Senate Committee on Commerce, experts offered differing assessments of the threat. While intelligence officials have characterized the Salt Typhoon operation’s targeting of high-level U.S. politicians as falling within the bounds of traditional geopolitical espionage, other experts argued that the unprecedented scale of China’s hacking activity in the U.S. telecom sector, and the country’s pursuit of broader, long-term access, constitutes a more systemic attack on critical infrastructure that poses a serious threat to national security.

Jamil Jaffer, executive director of the National Security Institute at George Mason University, noted before the committee that “the reality is that our adversaries don’t know where our red lines are” when it comes to intrusions like Salt Typhoon, because the U.S. has failed to effectively communicate its boundaries to adversary nations in cyberspace.

“They don’t know what we would do if those red lines are crossed, and to the extent that we do enforce them…in the cyber or telecommunications domain, we do it in a way that other adversaries can’t see,” said Jaffer.

Jaffer also criticized the U.S. government for both not doing enough to stop the attack ahead of time and relying too heavily on regulation to strengthen telecommunications cybersecurity. Instead, he advocated for closer voluntary cooperation and more information sharing between government and industry.

Senate Commerce Committee Chair Sen. Ted Cruz, R-Texas, and telecommunications subcommittee chair Sen. Deb Fischer, R-Neb., both endorsed the FCC’s recent decisions to withdraw a pair of new regulations issued by the agency in the waning days of the Biden administration. The first would have interpreted a decades-old law to say that telecoms have a legal obligation to protect their communications from unauthorized foreign interception. The second would have required telecoms to submit annual verification of their cybersecurity plans to the FCC.

FCC Chair Brendan Carr called those rules rushed and ineffective. He also said they were unnecessary, citing extensive conversations between the FCC and industry that had already produced voluntary cybersecurity improvements across the sector.

Cruz expressed support for the FCC’s decision, saying the rules would have forced telecoms to “chase the false security of compliance checklists instead of engaging in real-world threats” and divert resources from “the necessary partnerships and response capabilities that actually stop intrusions.”

“This [problem] needs foresight and agility, and it doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time,” said Cruz.

But that view was directly contradicted by a former FCC official at the hearing.

Debra Jordan, former chief of the commission’s Public Safety and Homeland Security Bureau, told lawmakers that the rules put out in January were an attempt by the FCC to “lean forward” and leverage flexible cyber standards rather than “sit back and wait for the next attack to happen.”

While Carr, Cruz and Fischer all cited increased cooperation with industry as sufficient, Jordan noted that the FCC does not cite any process by which providers are actually held accountable to meet specific commitments.

“From my experience as bureau chief, I’m not convinced that providers will take sufficient and sustained actions in the wake of Volt and Salt Typhoon without a strong verification regime,” she said.

Later, Sen. Maria Cantwell, D-Wash., noted that both AT&T and Verizon declined her request earlier this year for additional documentation detailing their response to the Salt Typhoon breach.

“Hardly a transparent effort,” Cantwell said. “I believe the American people deserve to know whether China is still in our telecom networks.”

Other FCC commissioners have also questioned the extent of the agency’s engagement with industry over Salt Typhoon. Last month, FCC Commissioner Anna Gomez told CyberScoop that she has not witnessed any robust discussions with telecom companies over the past year, adding that the only evidence she had of such conversations came from Carr’s statements.

She also lamented that the FCC’s withdrawal of telecom cybersecurity regulations would eliminate “the only meaningful regulatory response to Salt Typhoon that I’ve seen.”

Carr, Cruz and Fischer all touted existing laws and regulations requiring the removal and replacement of telecommunications equipment from Chinese companies like Huawei and ZTE as evidence the government has taken significant action to address the threat.

But Chinese telecommunications equipment does not appear to have played any role in Salt Typhoon’s intrusions, according to public officials who have said the hackers mostly relied on the poor state of cybersecurity across the telecom industry. Cantwell pointed out that the hackers gained access to telecom networks through basic weaknesses like unpatched vulnerabilities that have been public for years, weak passwords and lack of multifactor authentication.

Sen. Ben Ray Luján, D-N.M., was deeply critical of the FCC’s regulatory rollback. He noted that the Senate Commerce Committee held a hearing on Salt Typhoon’s intrusions last year and has done almost nothing since to secure telecom networks, while the FCC was trading away its regulatory power for pinky promises from industry.

“The FCC stripped these protections away, replacing them with voluntary pledges and handshakes with companies whose networks have already proven themselves vulnerable to data breaches,” he said. “To put it plainly, these companies are basically leaving their front doors unlocked after a data break in, and the FCC has decided to take their word when they promise they’ve installed deadbolts and security cameras.”

Gomez, Jordan, Luján and Jaffer all described Salt Typhoon as an active threat to U.S. telecommunications networks and critical infrastructure, and expressed concern over how the vulnerabilities exploited by the group could be leveraged to disrupt or intercept vital U.S. emergency communications.

“We can see that it’s not just the major carriers,” said Luján. “I’m also concerned that schools, hospitals, libraries, police departments and emergency responders are all exposed and do not have the resources to defend themselves against foreign adversaries.”


Legislation would designate ‘critical cyber threat actors,’ direct sanctions against them

2 December 2025 at 13:30

A House Republican introduced legislation Tuesday aimed at deterring cyberattacks against the United States at a time when the Trump administration is prioritizing the punishment of malicious hackers.

Rep. August Pfluger, R-Texas, revived legislation he first sponsored in 2022, the Cyber Deterrence and Response Act. The legislation would direct the executive branch to formally designate foreign parties behind major cyberattacks against the United States as “critical cyber threat actors” who would be subject to sanctions. It also would establish a framework for attributing who’s behind cyberattacks, including contributions from cyber agencies and threat intelligence companies.

“As cyberattacks in the United States grow more sophisticated and widespread, we must ensure the Trump administration and all future administrations have a strong framework to hold bad actors accountable and safeguard our national security,” Pfluger said in a news release. “Protecting America’s critical infrastructure from malicious cyberattacks is essential, and this bill does exactly that.”

The legislation is the latest reflection of congressional dismay that began growing last year in response to the Salt Typhoon cyberespionage campaign that infiltrated telecommunications networks, and the sense that the United States wasn’t doing enough to make hackers pay for their behavior.

At a hearing Tuesday, Senate Commerce Chairman Ted Cruz, R-Texas, said the United States needs to do a better job of working “together to detect and deter attacks in real time.”

The Trump administration has said deterrence is one of the first pillars of its forthcoming cyber strategy.

The definition of “critical cyber threat actor” under Pfluger’s bill applies to hackers who disrupt the availability of computer networks, compromise computers that provide services in critical infrastructure, steal significant personal data or trade secrets, destabilize the financial or energy sectors or undermine the election process.

The president could waive sanctions against those designees after explaining the reasoning to Congress in writing, a common clause of sanctions legislation.

Pfluger’s measure is updated in some ways from its 2022 incarnation, such as by giving the Office of the National Cyber Director the leading role in designating critical cyber threat actors.

The legislation draws on bills that former Rep. Ted Yoho, R-Fla., introduced in past years. That legislation won House approval in 2018, but never advanced further.

The post Legislation would designate ‘critical cyber threat actors,’ direct sanctions against them appeared first on CyberScoop.

‘Stranger Things’ emerge when OT security is stuck in the past

By: Greg Otto
26 November 2025 at 07:00

The final season of “Stranger Things” is upon us, and 1980s nostalgia is at an all-time high. The clunky control panels at Hawkins Lab help set the stage for the show. The unfortunate reality is that similar legacy systems still exist in operational technology (OT) environments today. Just as Hawkins Lab unleashed a menagerie of monsters from the “Upside Down,” a variety of threats have burst forth from vulnerable devices.

Nation-state threats, such as Volt Typhoon, have established persistent access across critical infrastructure, including telecommunications providers. Most of these threats exploit publicly known common vulnerabilities and exposures (CVEs) in networking devices; no zero-day exploits are required.

Nostalgia for “the good old days” ignores how much progress has been made since then. From the Purdue Enterprise Reference Architecture (PERA) model of the 1990s to more timely guidance from the Cybersecurity and Infrastructure Security Agency (CISA), organizations have a script they can follow for critical infrastructure protection. Hopefully, this story has a happy ending.

All it takes is one open port

The Department of Defense (DoD) has increasingly been focused on bringing OT security up to par with IT security, noting the challenges legacy systems create with vulnerabilities, data integration and standards.

The challenge in securing critical infrastructure is multifaceted. Critical infrastructure environments tend to be complex and dispersed, including IT and OT networks across multiple physical locations. Digital transformation initiatives, such as industrial IoT and cloud computing, are often at odds with legacy systems, which were never intended to be connected to the internet or able to support modern cybersecurity controls.

One of the biggest reasons organizations struggle with the cybersecurity of legacy systems is that OT environments prioritize availability and productivity. Even when patches are available for industrial systems, the patch management process is meticulous and methodical to ensure production is not interrupted.

However, many industrial control systems (ICS), SCADA systems and programmable logic controllers (PLCs) have been around for decades. These systems were expensive investments and cannot be easily replaced. Patches for many of them are no longer available. For example, even as IT environments are focused on migrating off Windows 10 today, there are still OT environments running Windows XP, which has not received regular security patches in more than a decade.

Many legacy systems were never intended to be connected to the internet. However, digital transformation initiatives and IT/OT convergence have forced connectivity into these devices, leaving them exposed to attack. Consequently, legacy protocols like Modbus and DNP3, which as commonly deployed carry no encryption or authentication (Modbus has none; DNP3 has an optional Secure Authentication extension that legacy deployments typically lack), become open avenues for lateral movement: any host that can reach a PLC’s Modbus port can read and write its coils and registers.
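Because Modbus carries no authentication, the only question a network sensor can answer about a write is who sent it. The following is an added example, not code from the original article: a minimal Modbus/TCP frame parser that flags write function codes arriving from hosts outside an allowlist of engineering stations, and treats malformed frames as their own alert. The frames, addresses and allowlist are constructed; the frame layout follows the public Modbus/TCP specification (MBAP header followed by the PDU).

```python
"""Flag Modbus/TCP writes that do not come from approved OT hosts.

Added example, not code from the original article. The Modbus/TCP frames,
host addresses and allowlist are constructed for illustration; the frame
layout (MBAP header plus PDU) follows the public Modbus/TCP specification.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Function codes that change process state. Modbus has no authentication, so
# the only question a sensor can answer is *who* is sending writes.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Constructed allowlist: the engineering workstation and the HMI. Any other
# host issuing writes to a PLC is treated as lateral movement into OT.
WRITE_ALLOWLIST = {"10.10.20.5", "10.10.20.6"}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # first 16-bit field of the PDU (start/coil/register address)
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request (MBAP header followed by a PDU).

    Raises ValueError on a malformed frame. On a control network a malformed
    frame is itself worth an alert: PLCs and HMIs do not send them, scanners
    and fuzzers do.
    """
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts the unit id plus everything after it.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    function = frame[MBAP_LEN]
    data = frame[MBAP_LEN + 1:]
    address = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return ModbusRequest(tid, unit, function, address, data)


def classify(src_ip: str, frame: bytes) -> str:
    """Return 'ok', 'write-from-untrusted-host' or 'malformed: <reason>'."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"malformed: {exc}"
    if req.function in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWLIST:
        return "write-from-untrusted-host"
    return "ok"


# Constructed traffic toward a PLC at 10.10.10.20 (unit id 1).
SAMPLE_FLOWS: List[Tuple[str, str, bytes]] = [
    # HMI reads 10 holding registers from address 0 (FC 3): normal polling.
    ("10.10.20.5", "10.10.10.20", bytes.fromhex("00010000000601030000000a")),
    # HMI switches coil 19 on (FC 5, value 0xFF00): an operator action.
    ("10.10.20.5", "10.10.10.20", bytes.fromhex("00020000000601050013ff00")),
    # An IT jump host writes 1000 into register 1 (FC 6): nobody in IT should.
    ("10.10.90.77", "10.10.10.20", bytes.fromhex("0003000000060106000103e8")),
    # Protocol id 1 in the MBAP header: not Modbus, probably a scanner.
    ("10.10.90.77", "10.10.10.20", bytes.fromhex("00040001000601030000000a")),
    # Truncated frame: length field promises 6 bytes after it, only 2 arrive.
    ("10.10.90.77", "10.10.10.20", bytes.fromhex("0005000000060103")),
]


def audit(flows: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, verdict) for every flow that is not plain 'ok'."""
    alerts = []
    for src, dst, frame in flows:
        verdict = classify(src, frame)
        if verdict != "ok":
            alerts.append((src, dst, verdict))
    return alerts


if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {verdict}")
```

On the sample traffic the two HMI frames pass, the write from the IT jump host is flagged, and both malformed frames are reported with the reason the parser rejected them. The allowlist is the weak point of this approach: it only works if the inventory of hosts permitted to write is accurate and kept current.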

The empire strikes back

There are more advanced persistent threats (APTs) than there are sequels to Hollywood blockbusters. Just like most sequels, many of these threats return bigger and badder than their predecessors. For example, two of the most notorious APTs of the past few years are Volt Typhoon and Salt Typhoon.

Both Volt Typhoon and Salt Typhoon exploit CVEs in networking appliances to gain initial access. Once in, they rely on living off the land (LOTL) techniques, using legitimate remote-access paths such as RDP and VPN rather than custom malware, to evade detection, and they modify access control lists on compromised devices to establish persistence.

In the case of Volt Typhoon, CISA advises organizations to prioritize patching critical vulnerabilities known to be exploited by the threat actor group and to plan for “end of life” technology, which is the epitome of legacy systems. In the case of Salt Typhoon, CISA advises organizations to continuously monitor for indicators of compromise (IOCs), such as suspicious changes to configurations.

These threats underscore the importance of having visibility into both the state of devices, such as their vulnerabilities, as well as network traffic, such as behavioral anomalies. Furthermore, organizations should be monitoring not just for IOCs, but for early warning signs, which are indicators of attack (IOAs).
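Configuration changes on network devices are exactly the kind of early warning the paragraphs above describe: an ACL widened to admit an outside address, a new local account, a tunnel interface that was not in the golden config, or remote logging switched off. The following is an added example, not code from the original article or from CISA: it flattens a device configuration into stanza-aware entries, diffs the running config against a baseline, and ranks each change. The configuration text is constructed in Cisco IOS style, and the high-risk patterns are this example's own heuristics rather than an official indicator list.

```python
"""Diff a device's running config against a golden baseline and rank changes.

Added example, not code from the original article. The configuration text
is constructed in Cisco IOS style; the high-risk patterns are this example's
own heuristics, not an official indicator list.
"""
import re
from typing import List, Set, Tuple

# Constructed heuristics: stanzas an attacker touches to keep access or to
# blind defenders. Anything else that changes is reported at 'info'.
HIGH_RISK_STANZAS = [
    re.compile(r"^(ip )?access-list"),      # ACL changed: new permit for attacker source
    re.compile(r"^username "),              # local account added or rewritten
    re.compile(r"^interface Tunnel"),       # tunnel interface that was not there before
    re.compile(r"^snmp-server community"),  # read/write community changed
    re.compile(r"^ip http server"),         # management service exposed
]
LOGGING_STANZA = re.compile(r"^logging (host|trap)")


def flatten(config: str) -> Set[str]:
    """Turn a config into 'stanza | line' entries so nested lines keep context.

    A 'permit tcp ...' under two different ACLs must not collapse to one entry.
    """
    entries: Set[str] = set()
    parent = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment/separator
        if raw[0].isspace():
            entries.add(f"{parent} | {raw.strip()}")
        else:
            parent = raw.strip()
            entries.add(parent)
    return entries


def severity(change: str, entry: str) -> str:
    """'high' for persistence or anti-forensic changes, otherwise 'info'."""
    stanza = entry.split(" | ")[0]
    if change == "removed" and LOGGING_STANZA.match(stanza):
        return "high"  # remote logging disabled: defenders go blind
    if any(p.match(stanza) for p in HIGH_RISK_STANZAS):
        return "high"
    return "info"


Finding = Tuple[str, str, str]  # (change, entry, severity)


def diff_config(baseline: str, running: str) -> List[Finding]:
    """Return every entry added to or removed from the baseline, with severity."""
    base, run = flatten(baseline), flatten(running)
    findings: List[Finding] = []
    for entry in sorted(run - base):
        findings.append(("added", entry, severity("added", entry)))
    for entry in sorted(base - run):
        findings.append(("removed", entry, severity("removed", entry)))
    return findings


def high_findings(baseline: str, running: str) -> List[Finding]:
    """Only the changes an on-call analyst should be paged for."""
    return [f for f in diff_config(baseline, running) if f[2] == "high"]


# Constructed golden config for a core router. 'REDACTED' stands in for hashes.
BASELINE = """\
hostname core-rtr-01
!
username netops privilege 15 secret 9 REDACTED
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
ip access-list extended MGMT
 permit tcp 10.10.20.0 0.0.0.255 any eq 22
 deny ip any any log
!
logging host 10.10.30.10
ntp server 10.10.30.20
"""

# Constructed running config: a new account, a tunnel to an outside address
# (203.0.113.5 is documentation space), a widened management ACL, remote
# logging removed, plus one benign change (a second NTP server).
RUNNING = """\
hostname core-rtr-01
!
username netops privilege 15 secret 9 REDACTED
username svc-backup privilege 15 secret 9 REDACTED
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.5
!
ip access-list extended MGMT
 permit tcp 10.10.20.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.5 any eq 22
 deny ip any any log
!
ntp server 10.10.30.20
ntp server 10.10.30.21
"""

if __name__ == "__main__":
    for change, entry, sev in diff_config(BASELINE, RUNNING):
        print(f"[{sev:4}] {change:7} {entry}")
```

Against the constructed pair of configs the diff yields seven changes, six of them high: the new account, the three lines of the tunnel interface, the ACL entry admitting the outside address, and the removed logging host. The second NTP server is reported at info. Pulling the running config on a schedule and diffing it this way is a cheap way to turn the IOC advice ("suspicious changes to configurations") into something that fires before the attacker has used the access.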

Back to the future

Pop culture references to time travel tend to create a bit of a paradox, but organizations can review models and frameworks from the past and present to better understand how to secure legacy technology in OT environments.

In the 1990s, PERA, or the “Purdue Model,” was developed to explain how data flows across industrial systems. Just as threats evolve, so do these models. IEC 62443 is a family of standards for industrial automation and control system security that builds on the Purdue Model’s layered architecture, grouping assets into zones and controlling the conduits between them, and it provides a variety of best practices for protecting IT and OT networks in critical infrastructure environments.

Two of the biggest takeaways from the Purdue Model and IEC 62443 are an in-depth patch management process that validates the reliability of updates to critical systems, and the importance of network segmentation and isolation for critical systems that cannot otherwise be patched or protected.

More recently, in 2025, CISA published “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.” According to CISA, threat actors exploit vulnerabilities, misconfigured protocols, insecure remote access points, weak authentication mechanisms and insufficient network segmentation to compromise critical infrastructure.

CISA advises organizations to develop asset inventories and taxonomies for classifying them; in other words, visibility into, and context for, the state of these devices.
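The segmentation takeaway from the Purdue Model and IEC 62443 and CISA’s asset-inventory guidance meet in one practical check: reconcile what the inventory says exists against what the network actually shows, and test every cross-zone flow against the conduits the architecture permits. The following is an added example, not code from the original article or from CISA. The Purdue-level zones, the allowed conduits, the inventory and the observed flows are all constructed for one hypothetical site; the industrial protocol ports used to infer roles are the well-known Modbus/TCP, DNP3, EtherNet/IP and S7comm defaults.

```python
"""Reconcile a declared OT asset inventory against observed flows and check
those flows against an IEC 62443-style zone/conduit policy.

Added example, not code from the original article or from CISA. Subnets,
zones, assets and flows are constructed for one hypothetical site.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed Purdue-level zones keyed by subnet prefix.
ZONE_OF_PREFIX = {
    "10.10.10.": "L1-control",      # PLCs, RTUs
    "10.10.20.": "L2-supervisory",  # HMIs, engineering workstations
    "10.10.30.": "L3-operations",   # historian, patch/jump servers
    "10.10.35.": "L3.5-dmz",        # IT/OT DMZ
    "10.10.90.": "L4-enterprise",   # corporate IT
}

# Allowed cross-zone conduits (src zone, dst zone). Traffic within a zone is
# allowed; enterprise may reach the DMZ only, never the control levels.
ALLOWED_CONDUITS = {
    ("L2-supervisory", "L1-control"),
    ("L3-operations", "L2-supervisory"),
    ("L3.5-dmz", "L3-operations"),
    ("L4-enterprise", "L3.5-dmz"),
}

# Well-known industrial protocol ports, used to infer an asset's role.
OT_SERVICES = {502: "modbus", 20000: "dnp3", 44818: "ethernet-ip", 102: "s7comm"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # 'controller', 'hmi', 'server'
    patchable: bool  # False for end-of-life gear that can only be isolated


def zone(ip: str) -> str:
    for prefix, z in ZONE_OF_PREFIX.items():
        if ip.startswith(prefix):
            return z
    return "unknown"


def observe(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Map every IP seen to the roles its traffic implies (e.g. 'modbus-server')."""
    roles: Dict[str, Set[str]] = {}
    for f in flows:
        roles.setdefault(f.src, set())
        roles.setdefault(f.dst, set())
        if f.dport in OT_SERVICES:
            roles[f.dst].add(f"{OT_SERVICES[f.dport]}-server")
            roles[f.src].add(f"{OT_SERVICES[f.dport]}-client")
    return roles


def audit(inventory: Dict[str, Asset], flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs: conduit violations, unknown and silent assets."""
    findings: List[Tuple[str, str]] = []
    for f in flows:
        zs, zd = zone(f.src), zone(f.dst)
        if zs != zd and (zs, zd) not in ALLOWED_CONDUITS:
            findings.append(("conduit-violation", f"{f.src} ({zs}) -> {f.dst}:{f.dport} ({zd})"))
    seen = observe(flows)
    # Anything inside the OT zones that is not inventoried is a visibility gap;
    # enterprise endpoints are out of scope for this inventory.
    for ip in sorted(seen):
        if ip not in inventory and zone(ip) not in ("L4-enterprise", "unknown"):
            findings.append(("unknown-asset", f"{ip} {sorted(seen[ip])}"))
    for ip in sorted(inventory):
        if ip not in seen:
            findings.append(("silent-asset", f"{ip} {inventory[ip].name} never observed"))
    return findings


def exposure(inventory: Dict[str, Asset], flows: List[Flow]) -> Dict[str, List[str]]:
    """For each unpatchable asset, the zones whose hosts actually reach it."""
    reach: Dict[str, Set[str]] = {}
    for f in flows:
        asset = inventory.get(f.dst)
        if asset and not asset.patchable:
            reach.setdefault(f.dst, set()).add(zone(f.src))
    return {ip: sorted(z) for ip, z in reach.items()}


# Constructed inventory and a sample of observed flows.
INVENTORY = {
    "10.10.10.20": Asset("PLC-01", "controller", patchable=False),
    "10.10.20.5": Asset("HMI-01", "hmi", patchable=True),
    "10.10.30.10": Asset("HIST-01", "server", patchable=True),
    "10.10.30.11": Asset("PATCH-01", "server", patchable=True),
}
FLOWS = [
    Flow("10.10.20.5", "10.10.10.20", 502),    # HMI polls PLC-01: expected
    Flow("10.10.20.5", "10.10.10.21", 502),    # HMI polls a PLC nobody inventoried
    Flow("10.10.90.77", "10.10.10.20", 502),   # enterprise host talks Modbus to PLC-01
    Flow("10.10.90.50", "10.10.35.10", 443),   # enterprise to DMZ: allowed, DMZ host undocumented
    Flow("10.10.30.10", "10.10.20.5", 1433),   # historian to HMI: allowed conduit
]

if __name__ == "__main__":
    for kind, detail in audit(INVENTORY, FLOWS):
        print(f"{kind:18} {detail}")
    print(exposure(INVENTORY, FLOWS))
```

On the constructed data the audit reports one conduit violation (an enterprise host speaking Modbus straight into Level 1), two OT-zone assets that appear on the wire but not in the inventory, and one inventoried server that never appears at all. The exposure report answers the question the segmentation takeaway raises for an unpatchable controller: PLC-01 is reachable from both the supervisory zone, as designed, and the enterprise zone, which is the finding to fix first.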

Hindsight is 20/20

The problem with rose-tinted glasses is that you don’t notice red flags. Organizations should not let nostalgia for the past blind them to the reality they face today. 

It is unrealistic to expect organizations to replace monolithic legacy systems that are central to their operations, but they do need to understand them.

The post ‘Stranger Things’ emerge when OT security is stuck in the past appeared first on CyberScoop.

Why Anna Gomez believes the FCC is letting telecoms off easy after Salt Typhoon

By: djohnson
20 November 2025 at 08:37

The Federal Communications Commission is set to vote Thursday on whether to rescind a set of last-minute Biden administration regulations following a massive Chinese compromise of U.S. telecommunications infrastructure last year.

Chair Brendan Carr has called the rule ineffective and unlawful, and with the likely support of newly confirmed commissioner Olivia Trusty, there is a majority position to reverse the rules.

Now in an interview, the lone dissenting voice on the panel, Commissioner Anna Gomez, told CyberScoop that rescinding the rules would let telecoms off the hook for the cybersecurity lapses that enabled the breaches. 

She also noted it would eliminate one of the only substantive actions the FCC has taken in response to Salt Typhoon, a Chinese state-led cyberespionage campaign that broadly compromised the phones and data of high-level U.S. officials, including then-presidential candidate Donald Trump and vice presidential candidate JD Vance.

“What we know is that we had this major hack and the commission is probably the best positioned agency to ensure we don’t have something like this happen again,” Gomez said. “And we adopted the [rules] because we needed immediate action and we sought to create accountability, establish clear cybersecurity obligations and put in place an enforceable framework to harden the networks before the next breach.”

U.S. officials have given mixed signals as to whether Salt Typhoon remains an active and ongoing operation. Earlier this year an FBI official told CyberScoop that the bureau believes the group had been “contained,” but others have said that is unlikely given the documented technical expertise and persistence of the group and latent vulnerabilities in telecom infrastructure.

When asked if she viewed the incursions by Salt Typhoon as an active or ongoing campaign, Gomez said “this was not a one-off event.”

“These attempts are ongoing and so the need for a forceful response has not diminished,” she said.

In January, under then-chair Jessica Rosenworcel, the FCC adopted a declaratory ruling stating that telecom providers have a legal obligation under the Communications Assistance for Law Enforcement Act to protect their communications and networks from being intercepted by unauthorized parties.

The agency also kicked off a proposed regulation that would have forced telecom providers to annually certify their cyber risk management plans with the FCC.

Carr indicated in an Oct. 30 fact sheet that the agency would vote to withdraw both the declaratory ruling and the proposed rule, providing a range of rationales.

The Biden-era rules were “rushed” out the door days before Biden and Rosenworcel left office. Carr believes there is nothing in CALEA that gives the FCC authority to regulate specific cybersecurity practices. He also called the rules “ineffective” and redundant in the face of engagement with telecoms over the past year to help harden their networks.

Gomez said it’s not clear how Carr could determine the rules were ineffective ten months after they were issued and that the commission is effectively saying it doesn’t need to wield its regulatory powers because it can rely on relationships with service providers to push for non-mandatory and industry-led cyber improvements.

“My question is ‘How many service providers have really implemented these measures?’” said Gomez. “We have one industry association coming in and saying that some providers have agreed to this. We don’t have numbers. I’m not entirely sure how many there are and we don’t know who the weakest link is going to be in a hack. I think that collaboration is very important, but it’s also important to have a regulatory backstop.”

When asked about the substance of the FCC’s engagement with the telecom industry over the past year, Gomez said it’s important to acknowledge that the agency can’t be an effective regulator without engaging in good faith with industry, but noted that she has not witnessed the kind of robust back and forth Carr described.

“As far as I know, the only evidence I had that there was any such engagement is from [Carr’s statement] saying that it happened,” she said.

Asked how much time the commission had dedicated to the Salt Typhoon incursions this year, Gomez suggested it hasn’t been a top priority.

“I would have trouble really being able to tell you that,” she said. “We haven’t seen a single proposal from [the Trump] administration. What the FCC did in January is so far the only meaningful regulatory response to Salt Typhoon that I have seen.”

In his justification, Carr has pointed to work the commission has done this year setting up a Council on National Security to coordinate with other federal agencies, efforts to prevent Chinese entities from owning telecom equipment testing labs in the U.S., and an investigation into whether Chinese equipment providers are skirting federal restrictions to sell in the United States.

The commission has “adopted targeted rules to address the greatest cybersecurity risks to critical communications infrastructure without imposing inflexible and ambiguous requirements,” Carr wrote.

But nearly all available evidence over the past year indicates that Salt Typhoon hackers primarily exploited U.S. and Western technology and equipment to compromise U.S. telecom networks. In multiple interviews with U.S. officials, including intelligence and cybersecurity officials, none have claimed that Chinese equipment or foreign ownership of labs contributed to the breaches.

The post Why Anna Gomez believes the FCC is letting telecoms off easy after Salt Typhoon appeared first on CyberScoop.

While White House demands deterrence, Trump shrugs

12 November 2025 at 14:46

The Trump administration’s top cyber officials have emphasized the urgent need to take aggressive action to deter increasingly brazen foreign cyberattacks. Trump himself, however, has repeatedly brushed aside the notion that foreign cyber activity is anything particularly noteworthy.

When Trump’s team talks about foreign hacking, be it China’s alleged massive cyberespionage campaign against telecommunications companies or its efforts to take root in U.S. critical infrastructure, they insist the actions can’t be tolerated and must be deterred.

“We need to find some way to communicate that this is not acceptable,” Alexei Bulazel, senior director for cybersecurity at the National Security Council, said in May when asked about the groups thought to be behind those campaigns, Salt Typhoon and Volt Typhoon.

More recently, last month, National Cyber Director Sean Cairncross cast a wider net about foreign adversaries who want to “do us harm,” saying, “To date I don’t think the United States has done a tremendous job of sending the signal, in particular to China, that their behavior in this space is unacceptable.”

Trump, by contrast, has framed all that differently, to the point of dismissiveness.

Asked in June about Chinese hacking of U.S. telecoms, theft of intellectual property and more, Trump answered, “You don’t think we do that to them? We do. We do a lot of things. … That’s the way the world works. It’s a nasty world.”

Asked in August about whether he would discuss alleged Russian hacking of U.S. courts with Vladimir Putin, Trump replied, “I guess I could, are you surprised? … They hack in, that’s what they do. They’re good at it, we’re good at it, we’re actually better at it.”

The gulf between what Trump says about cyber compared to what his top deputies say provokes a variety of reactions from cyber experts and former officials. It sends mixed signals to adversaries, some say, while others say it might just reflect facts of life about today’s cyber environment or a president who doesn’t behave or think conventionally.

At the same time, Trump’s casual messaging about cyber may reflect a broader trend of nations increasingly treating cyber operations as a routine instrument of power.

A need for consistency?

A lack of consistency between the president and his personnel muddles a clear message to adversaries, and downplaying cyberattacks is unwise, said Christopher Painter, who served as the top State Department cyber official under President Obama.

“Either cyber and cyberattacks are a priority or they’re not, and it’s [a] problem if you communicate they’re not serious by saying, ‘Oh, we don’t care now,’” said Painter, now a nonresident senior adviser at the Center for Strategic and International Studies. Cyberattacks are serious, he said, and “We need to say it, and we need to be consistent about it, and we need to make sure we take it seriously. So I am concerned that it undermines the narrative that I think we need.”

Trump downplayed foreign cyber activity during his first term, too, both publicly and privately, in the latter case shunting away an adviser while the president tried to watch a golf tournament by saying “You and your cyber … are going to get me in a war — with all your cyber s—t.” According to Painter, Trump often links the issue to Russian interference in the 2016 presidential election, a subject he resents because he believes it undermines the legitimacy of his presidency.

But Painter also noted Trump wasn’t the first to downplay any kind of foreign cyber activity, with former Director of National Intelligence James Clapper remarking about the 2015 Office of Personnel Management hack, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

Clapper also drew a line between the OPM breach, which he said was “passive intelligence collection activity” and a full-fledged cyberattack. There’s a long-lasting debate over whether cyberespionage constitutes a cyberattack.

Trump officials, too, have emphasized they’re more worried about the activity of Volt Typhoon, with its potential for disruption, than that of Salt Typhoon, which is more espionage-focused.

Some analysts acknowledge that Trump has a point when he dismisses cyberespionage as a fact of modern life rather than something that requires retaliation. “My own experience says that it’s extremely difficult, if not impossible, to deter espionage,” said Michael Daniel, who held the White House’s top cyber position under Obama and is now president of the Cyber Threat Alliance.

Any threat in an attempt to deter cyberespionage has to be credible to be effective, said Erica Lonergan, an assistant professor at Columbia University’s School of International and Public Affairs. And there are a few things working against the United States making credible threats.

“We do it, because we all do it, and everyone knows we do it,” she said. Next, the potential consequence has to be more harmful than the value of cyberespionage, which is extremely useful to have. “We’re not going to go to war over cyberespionage. No matter how many times a member of Congress calls it an act of war or not, we didn’t go to war over the spy balloon.”

Yet other analysts read Trump’s comments on foreign cyber activity differently. He might have an aggressive reaction to a more clearly damaging attack than the incidents he’s downplayed, said James Siebens, a fellow with Stimson Center’s Strategic Foresight Hub.

“If we were talking about a genuinely destructive cyberattack that cost people’s lives, I would imagine that there would be a fairly forceful response,” said Siebens, who recently co-authored a study on cyber deterrence. “My view is that President Trump was doing something that he often does, which is to state plainly things that make people uncomfortable, but are nonetheless observable and rooted in an important truth.”

Richard Harknett, director of the Center for Cyber Strategy and Policy at the University of Cincinnati, took Trump’s recent remarks as a comment more on the potency of U.S. capabilities compared to its adversaries.

“It wasn’t sort of a complacency, it was more confidence,” said Harknett, who served as the first scholar-in-residence at United States Cyber Command and National Security Agency beginning in 2016. Of course, he said, “The president tends to speak in confident terms regardless.”

Daniel said that some contradictions between Trump and his cyber team are to be expected. Different officials are bound to have differences of opinion, including in the Trump administration, which has hardly been a “paragon of consistency” in its messaging to the world, he said. Daniel added that deterrence is a challenge for every administration; throughout history, the United States has often threatened not to tolerate certain actions, but then failed to respond when those actions occurred.

Several experts said they were willing to give the administration time to iron out any potential contradictions. Harknett said it’s hard to read too much into public comments alone right now. More important, Harknett and others said, will be what the administration says in a forthcoming cyber strategy.

A global trend?

Trump is not the only world leader in recent months to speak about his nation’s cyber activity in a more casual manner. At the beginning of this month, Chinese President Xi Jinping and South Korean President Lee Jae Myung joked about the security of a cell phone gift that Xi gave his counterpart, which ended in Xi quipping, “You can check if there’s a backdoor.”

It was “weird for Xi, especially because the Chinese are loath to ever admit they do anything,” Painter said, even if he was joking.

The openness about cyber doesn’t end there, extending to a number of cases where nations that historically haven’t pointed the finger at other countries over alleged cyberattacks are more willing to do so by releasing technical analyses.

“We’re starting to see more non-Western countries, and notably China, making attributions back now,” said Allison Pytlak, director of the Cyber Program at the Stimson Center think tank and the co-author of the deterrence report with Siebens. Singapore recently made its first cyber attribution as well.

Trump officials have been touting offensive operations, which used to be a topic of very little public discussion. And other nations have been growing more open about cyber operations, from Japan’s recent active cyber defense legislation to Australia establishing its own Cyber Command last year.

“There is more openness about cyber in general, the strategic level, in terms of leaders being willing to talk about cyberespionage, cyber offense,” Lonergan said. “No one talked about cyber offense in the U.S. government for years.”

That openness could turn out to be a good thing, Pytlak said. It could “spark debate” in the public about the very nature of cyber, about the differences between the harm espionage causes and the kind of national security threat other kinds of activity poses.

The post While White House demands deterrence, Trump shrugs appeared first on CyberScoop.

Government and industry must work together to secure America’s cyber future

By: Greg Otto
31 October 2025 at 07:00

At this very moment, nation-state actors and opportunistic criminals are looking for any way to target Americans and undermine our national security. 

Their battlefield of choice is cyberspace.

Cybersecurity is the preeminent challenge of our time, and threats to our networks impact far more than just our data––they impact the resilience of our communities, the continuity of our economy, and the security of our homeland. 

Widespread cyber intrusions by Salt Typhoon and Volt Typhoon continue to demonstrate the Chinese Communist Party’s unrelenting quest to steal intellectual property, surveil government officials, and pre-position themselves in our nation’s critical infrastructure to disrupt our way of life at a time of their choosing. Russia, Iran, and North Korea are also probing for vulnerabilities to exploit in our networks.

Any cyberattack can cascade across the essential services that Americans rely on every day—from our airports and hospitals to water treatment facilities, internet providers, and financial systems. Making America cyber strong is not a challenge for one agency or one sector. It is a whole-of-society mission.

As chairman of the House Committee on Homeland Security, I will work with the Trump administration to ensure our nation’s risk advisor, the Cybersecurity and Infrastructure Security Agency (CISA), succeeds in its core mission of protecting federal civilian networks and the critical infrastructure that supports our daily lives. 

The private sector owns or operates most of this infrastructure, and it is no surprise that cyberattacks against these services rose more than 30 percent from 2023 to 2024. Addressing these heightened threats requires more than reactive measures. It demands a proactive cybersecurity posture built on continuous collaboration between the government and industry. 

The Trump administration and Congress must ensure the private sector has a true seat at the table as we chart a course for long-term cyber resilience. Priorities should include preserving strong information sharing, reducing the duplicative and conflicting government compliance standards on businesses, bolstering the cyber workforce, supporting our state, local, tribal, and territorial government entities, and safely harnessing emerging technologies to enhance the capabilities of our cyber defenders. 

These solutions require urgency, but as Cybersecurity Awareness Month comes to a close, the government shutdown has also allowed important cybersecurity authorities to lapse. This lapse is undermining the public-private relationship that underpins our collective defense.

For the last decade, the Cybersecurity Information Sharing Act of 2015 provided an essential foundation for this partnership. The law enables industry to have honest and sensitive conversations with the federal government, and each other, about the threats facing our networks. This framework also protects the privacy and civil liberties of American citizens when cyber threat information is shared. There has been a tangible impact from these authorities: without this law, we would not know about threat actors, such as Salt Typhoon, compromising our privately-owned critical infrastructure systems. Senate Democrats must pass the House Republican clean continuing resolution to reopen the government and extend this critical authority. Then we must find a longer-term solution to preserve this cybersecurity tool while ensuring it remains relevant to the threat landscape.  

As America’s cyber professionals face heightened threats, they also face increased federal compliance standards. According to testimony before the House Committee on Homeland Security, which I now chair, “bank Chief Information Security Officers now spend 30-50 percent of their time on compliance and examiner management. The cyber teams they oversee spend as much as 70 percent of their time on those same functions.” 

Our cyber regulatory regime should incentivize meaningful security improvements and facilitate actionable information sharing. It cannot be designed in a way that drains resources or slows the ability of companies to respond to fast-moving threats. This year, the average cost of a data breach in the United States reached $10 million, roughly double that of the global average. The exorbitant cost is, in part, due to U.S. cyber regulatory costs.

Congress, in partnership with CISA and the National Cyber Director, must help harmonize duplicative and vague cybersecurity regulations across the federal government so cyber professionals spend less time on paperwork and more time doing what they do best: defending our networks.

Keeping our cyber defenders focused on our networks is vital, especially considering we already face a gap of 500,000 skilled professionals in our current workforce. Closing this gap and building a pipeline of highly skilled professionals across both public and private sectors is essential to meeting the nation’s security needs.

Where that gap persists, artificial intelligence (AI) can serve as a force multiplier for our cyber defenders. We have already seen how AI can significantly enhance threat hunting, response times, and pattern recognition in our networks. But adversaries, like China, are also investing heavily in AI to enhance their own offensive cyber operations, including attempts to compromise or weaponize AI models. That reality makes it crucial that security and safety considerations are built into every stage of AI’s development, deployment, and use.

At the same time, the federal government must avoid reactive and scattershot regulation as our nation’s AI innovators work to win the global AI race. It is important for Congress, the Department of Homeland Security, interagency partners, and the private sector to work together to ensure that we don’t fall behind our adversaries in AI innovation while safeguarding our national security and civil liberties.

Accomplishing any of these goals will depend on mutual trust and collective effort. With a new administration dedicated to restoring accountability in government, we must seize this opportunity to help rebuild Americans’ confidence in the federal cybersecurity and resilience mission.

Cybersecurity remains vital for the safety, security, and prosperity of the American people. We must decide the future of our national cyber defense before our adversaries decide it for us. 

Rep. Andrew Garbarino has represented New York’s Second Congressional District in Congress since 2021. He serves as chairman of the House Homeland Security Committee, and also serves on the House Ethics and House Financial Services Committees.

The post Government and industry must work together to secure America’s cyber future appeared first on CyberScoop.
