More than a year after national security officials revealed that Chinese hackers had systematically infiltrated U.S. telecommunications networks, the top Senate Democrat on the committee overseeing the industry is calling for hearings with executives from the nation’s biggest telecom companies.

In a public letter released Tuesday, Sen. Maria Cantwell, D-Wash., called for the CEOs of Verizon and AT&T to appear before Congress and explain how the hacking group known as Salt Typhoon breached their networks, as well as what steps they’ve taken to prevent another intrusion.

“For months, I have sought specific documentation from AT&T and Verizon that would purportedly corroborate their claims that their networks are now secure from this attack,” Cantwell wrote to Sen. Ted Cruz, R-Texas, who is the Chair of the Senate Commerce, Science and Transportation Committee. “Unfortunately, both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk.”

Salt Typhoon’s intrusion into telecom networks exposed major security weaknesses and put sensitive communications and data belonging to U.S. politicians and policymakers at risk. The federal government has done little since to hold the industry publicly accountable.

Congress has neither  proposed or passed meaningful legislation to address the issue.  While a handful of federal departments and agencies began public regulatory and oversight reviews, most of those efforts have been shut down or rolled back.

An investigation by the Cyber Safety Review Board at the Department of Homeland Security into the intrusions was abruptly stopped when the Trump administration eliminated the advisory body. One former member remarked recently that the failure to finish the investigation ranked among her biggest career regrets.

Weeks before President Joe Biden left office, his Federal Communications Commission issued emergency regulations aimed at holding telecom companies legally responsible – under federal wiretapping laws – for securing their communications. The rules would have also required carriers to file annual certifications with the FCC confirming they have cyber risk management plans in place. That certification would include addressing common security gaps, like lack of multifactor authentication, that are widely believed to have been exploited by Salt Typhoon.

While outgoing Chair Jessica Rosenworcel told CyberScoop the rules were badly needed to hold telecoms accountable for their cybersecurity, Brendan Carr— an FCC commissioner and Rosenworcel’s successor as chair—rescinded those rules, arguing they were unnecessary because the FCC and telecoms could work together voluntarily on cybersecurity. Another commissioner, Anna Gomez, told CyberScoop she had seen no evidence her agency had been meeting with telecoms on the issue.

At a hearing in December, Cruz endorsed the FCC’s elimination of the rules, arguing that improving the nation’s telecom cybersecurity “doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time.”

Cantwell, citing reporting from CyberScoop and other sources, argued that  “telecommunications providers have taken few protective actions thus far due to the costs involved” and said the committee “must hear directly from the CEOs of AT&T and Verizon so Americans have clarity and confidence about the security of their communications.”

According to Cantwell, she has already requested documentation from AT&T CEO John Stankey and then-Verizon CEO Hans Vestberg on how they’ve responded to the breaches. Both confirmed that Mandiant, Google Cloud’s incident response and threat-intelligence division wrote a report, one that Cantwell said “would presumably document the vulnerabilities identified and detail what corrective actions” telecoms took to improve their privacy and security.

She claimed after requesting the report from Mandiant, AT&T and Verizon “apparently intervened to block Mandiant from cooperating with my requests.”

AT&T and Verizon representatives did not immediately respond to a request for comment.

The post Cantwell claims telecoms blocked release of Salt Typhoon report  appeared first on CyberScoop.

A House Republican introduced legislation Tuesday aimed at deterring cyberattacks against the United States at a time when the Trump administration is prioritizing the punishment of malicious hackers.

Rep. August Pfluger, R-Texas, revived legislation he first sponsored in 2022, the Cyber Deterrence and Response Act. The legislation would direct the executive branch to formally designate foreign parties behind major cyberattacks against the United States as a “critical cyber threat actor” who would be subject to sanctions.  It also would establish a framework for attributing who’s behind cyber attacks, including contributions from cyber agencies and threat intelligence companies.

“As cyberattacks in the United States grow more sophisticated and widespread, we must ensure the Trump administration and all future administrations have a strong framework to hold bad actors accountable and safeguard our national security,” Pfluger said in a news release. “Protecting America’s critical infrastructure from malicious cyberattacks is essential, and this bill does exactly that.”

The legislation is the latest reflection of congressional dismay that began growing last year in response to the Salt Typhoon cyberespionage campaign that infiltrated telecommunications networks, and the sense that the United States wasn’t doing enough to make hackers pay for their behavior.

At a hearing Tuesday, Senate Commerce Chairman Ted Cruz, R-Tex., said the United States needs to do a better job of working “together to detect and deter attacks in real time.”

The Trump administration has said deterrence is one of the first pillars of its forthcoming cyber strategy.

The definition of “critical cyber threat actor” under Pfluger’s bill applies to hackers who disrupt the availability of computer networks, compromise computers that provide services in critical infrastructure, steal significant personal data or trade secrets, destabilize the financial or energy sectors or undermine the election process.

The president could waive sanctions against those designees if it explains its reasoning to Congress in writing, a common clause of sanctions legislation.

Pfluger’s measure is updated in some ways from its 2022 incarnation, such as by giving the Office of the National Cyber Director the leading role in designating critical cyber actors.

The legislation draws on bills that former Rep. Ted Yoho, R-Fla, introduced in past years. That legislation won House approval in 2018, but never advanced further.

The post Legislation would designate ‘critical cyber threat actors,’ direct sanctions against them appeared first on CyberScoop.