The Cybersecurity and Infrastructure Security Agency (CISA) has agreed to make public a report from 2022 about US telecommunications networks' flawed security practices which relate to the Salt Typhoon attack.
Bottom Line: Succumbing to Congressional pressure, CISA plans to release the report with proper clearance, according to the agency's Director of Public Affairs, Marci McCarthy, though no release date has been given.
US Senator Ron Wyden (D-OR), a senior member of the Senate Intelligence Committee, has pushed for the release of the report for months and placed the nomination of President Trump’s CISA nominee Sean Plankey in limbo. Senator Wyden intends to keep his hold in place until CISA releases the report, and accuses the agency of actively hiding information regarding telecom network insecurity. This past week, the full Senate, without any dissenting votes, passed legislation to require CISA to release the report within 30 days of the bill being signed into law. The bill still needs House approval and then must be signed by President Trump before it takes effect.
While CISA allowed Senator Wyden to read the report in 2023, the full document has yet to be disclosed to the public, a step the Senator asserts is crucial. Wyden states that the report includes shocking details about national security threats to the country's phone system that require immediate action. In short, Wyden accuses CISA of a multi-year cover-up of phone companies’ negligent cybersecurity, enabling China's Salt Typhoon cyberspies to hack into telecom companies' networks for espionage. Senator Wyden alleges that had the report been made public when written in 2022, Congress would have had ample time to require mandatory cybersecurity standards for phone companies to prevent the Salt Typhoon hacks.
Background
In December 2024, the White House’s Deputy National Security Adviser for Cyber and Emerging Technology confirmed that foreign actors, sponsored by the People’s Republic of China, infiltrated at least nine U.S. communications companies. The attacks, allegedly conducted by China’s state-sponsored Salt Typhoon hacking group, compromised sensitive systems and exposed vulnerabilities in critical telecommunications infrastructure.
All communications service providers across the U.S. are at risk from this threat, especially those located near a U.S. military facility. To combat this threat, it is important for communications service providers to adopt and implement cybersecurity best practices in alignment with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework 2.0 and/or the Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals.
In response to the Salt Typhoon threat, in January of this year, the FCC adopted a Declaratory Ruling and a Notice of Proposed Rulemaking (NPRM) to affirm and increase the cybersecurity obligations of communications service providers. The Declaratory Ruling clarifies that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) creates a legal obligation for telecommunications carriers to secure their networks against unlawful access and interception. Telecommunications carriers’ duties under Section 105 of CALEA extend not only to the equipment in use in their networks, but also to how they manage their networks. Carriers must work to prevent any unauthorized interception or access into their network (and maintain records thereof). At a minimum, this includes basic cybersecurity hygiene practices such as changing default passwords, adopting multifactor authentication and implementing access controls. Falling short of fulfilling this statutory obligation may include failing to patch known vulnerabilities or not employing best practices that are known to be necessary in response to identified exploits.
The NPRM, if adopted, would require providers to adopt and implement cybersecurity and supply chain risk management plans as well as certify compliance with these plans annually to the FCC. The proposed rules would apply to a wide array of providers including facilities-based providers, broadcast stations, television stations, cable systems, AM & FM commercial radio operators, TRS providers, satellite communications providers, and all international section 214 authorization holders. Participants of the FCC’s Enhanced A-CAM Program and NTIA’s BEAD Program are already subject to this requirement.
Conclusion
As cyber incidents are increasing, and additional FCC regulation is inevitable, communications service providers should consider creating both a cybersecurity and supply chain risk management plan as well as a cybersecurity incident response plan. Such plans should reflect industry best practices outlined in federal guidance documents as described above. Carriers should also review their cybersecurity liability insurance policies to ensure sufficient coverage, and review and update vendor and partner contracts to ensure they include provisions for incident response, liability, and retention of information.