US lawmakers seek answers on alleged Salt Typhoon breach of telecom giants

Lawmakers are demanding answers about earlier news reports that China's Salt Typhoon cyberspies breached US telecommunications companies Verizon, AT&T, and Lumen Technologies, and hacked their wiretapping systems. They also urge federal regulators to hold these companies accountable for their infosec practices - or lack thereof.

"I write to insist that your agencies finally act to secure US telephone and broadband companies' wiretapping systems from hackers," Senator Ron Wyden (D-OR) wrote in a Friday letter [PDF] to US Attorney General Merrick Garland and Federal Communications Commission Chair Jessica Rosenworcel.

A day prior, the US House Select Committee on China sent a letter to the CEOs of the three compromised broadband providers requesting a closed-door briefing about when the telecom giants discovered the Chinese spies on their networks, and what they are doing to better secure their systems.

This committee previously held a hearing on a different Beijing-backed espionage gang, Volt Typhoon, which compromised US critical infrastructure networks earlier this year.

"Taken together with these news reports regarding Salt Typhoon's apparent compromise of our nation's wiretap system, it is clear that we face a cyber-adversary the likes of which we have never confronted before, and we must urgently enhance our nation's approach to cybersecurity," Representatives John Moolenaar (R-MI), who chairs the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party, and Raja Krishnamoorthi (D-IL) said in the letter [PDF].

Verizon and AT&T declined to comment on the alleged hacks and the lawmakers' inquiries, while Lumen did not respond to The Register's inquiries.

The lawmakers' demands are in response to earlier reports that Salt Typhoon had breached US internet service providers' networks, and specifically targeted the networks that Verizon, AT&T, and Lumen use for court-ordered surveillance.

These federally mandated backdoors date back to a 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), that required phone companies to install wiretapping technology in their networks. In 2006, the FCC expanded this backdoor mandate to cover broadband internet companies.

• Chinese cyberspies reportedly breached Verizon, AT&T, Lumen
• China's Salt Typhoon cyber spies are deep inside US ISPs
• Congress told how Chinese goons plan to incite 'societal chaos' in the US
• Chinese spies spent months inside aerospace engineering firm's network via legacy IT

Of course, the problem with government-ordered backdoors is that they can be found and abused by others, as cybersecurity experts have long argued and as Wyden pointed out in his letter.  

"There is, and has long been, broad consensus among cybersecurity experts that wiretapping capabilities undermine the security of communications technology and create an irresistible target for hackers and spies," the senator wrote. 

Following these recent Beijing-linked attacks, Wyden wants the FCC to update the CALEA regulations and mandate baseline infosec standards for carriers that are enforced by steep fines. He also called on the US Department of Justice to investigate whether the three companies that were reportedly hacked violated any federal laws.

"The outdated regulatory framework and DOJ's failed approach to combating cyberattacks by protecting negligent corporations must be addressed," Wyden wrote. "The security of our nation's communications infrastructure is paramount, and the government must act now to rectify these longstanding vulnerabilities." ®