The FCC has released a statement calling for urgent actions to strengthen U.S. communications systems against cyberattacks in light of recent foreign intrusions, with “state-sponsored cyber actors from the People’s Republic of China” directly named as a perpetrator.
In the statement, FCC Chairwoman Jessica Rosenworcel asserted that technological advancements being utilized by America’s adversaries necessitated the adaptation and reinforcement of U.S. defenses.
Taking Action
To bring the U.S. up to speed against the ever-evolving threat landscape, Rosenworcel proposed specific action to protect U.S. communications critical infrastructure.
The action includes a draft ruling requiring telecommunications carriers to protect their networks under the Communications Assistance for Law Enforcement Act (CALEA). The proposal includes a requirement for service providers to submit annual certifications about their cybersecurity plans, which would take effect immediately if adopted. The Commission has also pledged to seek comments on broader cybersecurity requirements for various communications providers.
Advanced Cyberespionage Campaigns
In the statement, Rosenworcel highlighted Salt Typhoon as a key example of why implementing specific measures is crucial. Salt Typhoon, also known as GhostEmperor, FamousSparrow, King of World, or UNC2286, is a hacking group suspected to be operated by the Chinese government. This group achieved notoriety through undertaking advanced cyber espionage campaigns targeting critical infrastructure in North America and Southeast Asia.
Recently, Salt Typhoon has shifted its focus towards U.S. telecommunications networks. This switch coincided with the American election campaigns, and then-presidential candidate Donald Trump and his vice presidential nominee JD Vance were reportedly targeted. The group successfully breached essential network infrastructure, including Cisco routers that manage significant portions of global internet traffic.
As a result of the attack, a large amount of data belonging to American citizens was stolen. Senator Mark Warner, chairman of the Senate Intelligence Committee, described this incident as the “worst telecom hack in our nation’s history — by far.”
Accountability Drives Action
Responses to the statement from senior cybersecurity professionals have been somewhat mixed. The statement has drawn a welcoming response to its urgent tone while garnering some skepticism over how the measures outlined will be practically implemented.
Jason Soroko, Senior Fellow at Sectigo, commented that “the proposal is likely to pass given bipartisan urgency; however, its impact depends on addressing compliance costs and enforcement. If properly defined and audited, it could improve security; otherwise, it risks becoming a symbolic measure.”
“Accountability drives action, and sunlight is the best disinfectant,” commented Trey Ford, Chief Information Security Officer at Bugcrowd. “The FCC is creating a forcing function to prioritize risk management and cybersecurity, which will also drive modernization in a lot of useful ways. The FCC will appreciate the challenges that Corporate Directors and the SEC have been wrestling with – how to inventory, score, and treat cyber risks – and the challenges in communicating what needs done, when, and how.”
Ford believes the highest calling in cybersecurity is creating safety around uncomfortable conversations – acknowledging and managing vulnerabilities. “Obviously, telecoms have a massive amount of infrastructure to maintain, and security hygiene requires a body of investment and maintenance to stay current. The FCC’s desire for oversight also underscores the importance of the work at CISA, especially their Secure by Design pledge.”
It All Hinges on Implementation
“While the framework is solid conceptually, its success will hinge on effective implementation, government-industry collaboration, and periodic updates to address emerging threats. I do not believe this will be successful if made into a regulatory requirement,” added Heath Renfrow, CISO and Co-founder at Fenix24. “You can see other regulatory requirements that become compliance-based, check-the-box type of audits. For example: ‘Do you have a firewall? Do you use MFA? Do you have backups? Do you use a modern EDR solution?’”
Renfrow says it becomes nothing more than yes-and-no questions, and true foundational cybersecurity and IT controls are not, and frankly cannot be, evaluated from an outside audit. “The skill set is not there, and companies are not just going to let you poke around in their production systems.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.