Mindlessly ‘Deregulating’ U.S. Telecom Contributed to The Worst Hack In U.S. History
from the when-the-check-comes-due dept
For the better part of thirty years telecom giants (and the consultants, think tanks, and lobbyists paid to defend them) have fought against every effort at coherent federal oversight. It didn’t matter whether it was modest privacy standards or basic pricing transparency, the argument that was if you stripped away coherent state and federal government oversight of telecom, free market magic would happen.
Not only is U.S. broadband uncompetitive, patchy, expensive, with bad customer service as a result, lax oversight and privacy/security standards has resulted in a steady parade of hacks and leaks, culminating recently in the worst hacking intrusions the U.S. has ever seen. Chinese hackers deeply infiltrated nine major U.S. ISPs to spy on high profile targets, and the government and U.S. telecoms are still trying to assess the damage months later. (Why, it’s almost as if corruption is a national security risk.)
Because the “Salt Typhoon” hackers were very careful about wiping logs it’s been difficult to assess the full scale of the intrusion or whether intruders are still in sensitive systems. Officials believe intruders could still be rooting around the networks of the nine compromised ISPs. They also state the hack was because telecoms “failed to implement rudimentary cybersecurity measures across their IT infrastructure.”
The U.S. reporting on the hack has been…interesting.
The story has seen a fraction of the press attention reserved for the TikTok moral panic. And very few news outlets are willing to draw a direct line between the telecom industry’s relentless “deregulatory” lobbying (read: corruption) and the intrusion, despite U.S. officials making it very clear in statements:
“When I talked with our U.K. colleagues and I asked, ‘do you believe your regulations would have prevented the Salt Typhoon attack?’, their comment to me was, ‘we would have found it faster. We would have contained it faster, [and] it wouldn’t have spread as widely and had the impact and been as undiscovered for as long,’ had those regulations been in place,” [White House Cybersecurity chief] Anne Neuberger said. “That’s a powerful message.”
The FCC is poised to hold meetings next month to address whether it should shore up its cybersecurity oversight of telecoms. But at the helm of those conversations will be new Trump FCC boss Brendan Carr, who has never stood up to major telecoms on any issue of importance, ever. And the looming Trump-court-backed defeat of net neutrality also curtails the FCC’s authority on cybersecurity.
Again, the U.S. Congress has repeatedly proven too corrupt to pass meaningful telecom reform. Regulators are routinely stocked with revolving door careerists too worried about their next career move to stand up to telecoms. And the corrupt U.S. Supreme Court just neutered what’s left of regulatory independence, ceding most reforms to a Congress too corrupt to act.
The Salt Typhoon hack comes after years and years of officials freaking out about the security risks of Chinese-made Huawei telecom hardware. Though when the worst hack in U.S. history finally arrived it was courtesy of lax domestic oversight, domestic deregulation, domestic corruption, domestic laziness, and outdated administrative passwords.
Filed Under: broadband, deregulation, fcc, privacy, salt typhoon, security, telecom
Comments on “Mindlessly ‘Deregulating’ U.S. Telecom Contributed to The Worst Hack In U.S. History”
It's not over
Because the “Salt Typhoon” hackers were very careful about wiping logs it’s been difficult to assess the full scale of the intrusion or whether intruders are still in sensitive systems. Officials believe intruders could still be rooting around the networks of the nine compromised ISPs.
They are: of course they are. There’s no way that attackers this sophisticated, this meticulous, this patient executed a hack like this without a long-term plan.
What every telecom should be doing right now is wiping their systems down to bare metal, rebuilding the operational environment, and then restoring the relevant data. And I’m willing to bet my next 365 lunches that none of them are doing any such thing (a) because they’re unprepared to do it and (b) because it’s tedious and expensive. They’re doing the minimum possible, even though they know it probably won’t work, because then they claim to have “taken prompt action”.
And of course the Trumplicking assholes about to take charge won’t make them do anything differently. So look forward to at least another 4 years of this.
Re:
To be fair, they’ll probably blame overly burdensome regulations for the next hack and claim we should cut taxes on billionaires to help even more! Ooh, I bet Musk could sort out the telecom industry just like he “fixed” Twitter!
Re: Re:
Not that he would actually be able to, but it’d be hilarious to see him buy up a major telecom company and just sink it.
Re:
One of the things you did not mention is “redesign the implementation”. But perhaps that is because it would be a year or more before the first results were seen, and perhaps ten times as long before the new implementation is in place.
The only component of the system that is easily correctable is the compromised human component (via education and stricter protocols).
Re: Re:
The “Pretty Good Phone Privacy” paper has already been implemented as a product, by its authors, and is apparently compatible with existing networks. That’s not to say it’d be easy to spread to everyone; just that large parts of the design are “done”, to some extent. (The general idea is to prevent monitoring and location-tracking of users at the cellular-network level—one can’t leak data that doesn’t exist—but it doesn’t necessarily protect call and message data yet.)
I don’t see how “deregulation” can realistically be blamed here. This hack has, so far, mostly been seen as affecting the U.S.; but other countries have been affected in the past, and there’s no reason to think even the highly-regulated ones are more secure. In fact, bad U.S. regulation—CALEA—was the cause of some past security failures. And phreakers were running wild over the U.S. network in the 1970s, when regulation was stronger.
UK telcos: We need to strengthen the regulation to prevent such a terrible attack in our country.
US telcos: Salt-what?
It's not just cybersecurity, but reliability in general
Of course this hack is alarming, and it’s incredibly frustrating to see essential infrastructure so lightly secured.
But even more basic fundamentals are in play like “wouldn’t it be great to have communications if the power is out” and “If some dude cuts a single cable with a backhoe, wouldn’t it be nice if that didn’t cut phone service to an area the size of Connecticut.”
The telecoms have worked very hard to slide out from under their heavily regulated status under POTS (plain old telephone service aka landlines) into “optional, luxury services” like cell phones and internet/data…. that are now doing the job of the POTS network. It’s all the same picture.
But did they get in through the Huawei hardware… or through the Cisco hardware?
Re:
More likely the latter than the former. Just sayin’.