Senator Ron Wyden of Oregon recently proposed legislation aimed at enhancing cybersecurity standards in the communications industry in response to a major breach orchestrated by China. The breach, carried out by the group known as Salt Typhoon, compromised the telecommunications networks of several major US telcos, including AT&T, Verizon, and T-Mobile. This cyber espionage campaign resulted in the theft of metadata from calls and text messages of American citizens, as well as unauthorized access to calls involving high-ranking government officials.
Wyden’s draft legislation, titled the “Secure American Communications Act,” seeks to address the vulnerabilities that allowed the Salt Typhoon attack to occur. The bill calls for the Federal Communications Commission (FCC) to issue new cybersecurity regulations for telcos and enforce existing standards to safeguard US phone networks. However, the effectiveness of these measures in preventing future cyber intrusions remains uncertain.
Critics of Wyden’s bill, such as former congressional candidate Madison Horn, argue that while efforts to bolster cybersecurity are important, many of the proposed measures already exist in some form. For instance, Title I, Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) mandates that carriers prevent unauthorized interception of communications. However, Wyden’s camp alleges that the FCC has not fully implemented this provision, leaving telcos vulnerable to cyber threats.
In response to Wyden’s proposal, FCC Chairwoman Jessica Rosenworcel has suggested additional cybersecurity regulations for communications service providers (CSPs). These regulations would require CSPs to submit annual reports confirming the implementation of cybersecurity risk management plans to mitigate future cyberattacks. Unlike Wyden’s bill, Rosenworcel’s proposal could be implemented immediately if adopted.
While Wyden’s legislation aims to fortify telco security through annual vulnerability testing and compliance assessments, critics like Madison Horn believe that the primary challenge lies in resource allocation and scalability. The vast US telecommunications network spans hundreds of thousands of miles of fiber-optic cables, presenting numerous potential vulnerabilities. Ensuring the rapid and effective implementation of existing cybersecurity frameworks at this scale is a formidable task.
Issues such as outdated legacy systems, inadequate funding for cybersecurity initiatives, and a shortage of cybersecurity professionals further complicate efforts to fortify US telco networks against cyber threats. Horn emphasizes that combating sophisticated adversaries like Salt Typhoon requires a swift and proactive approach, rather than merely enacting new policies.
In conclusion, Senator Wyden’s proposed legislation represents a step towards enhancing cybersecurity standards in the communications industry. However, the efficacy of these measures in mitigating future cyber threats remains uncertain. Addressing the complex challenges posed by cyber espionage campaigns like Salt Typhoon requires a multifaceted approach that encompasses both regulatory measures and strategic resource allocation.