The Salt Typhoon breach, also known as the Telco breach, has sent Congress, the Senate, CISA, and the FBI scrambling. This cyberattack compromised sensitive telecommunications systems, including the federal wiretap system, communications of President-elect Trump and his staffers, and other high-ranking officials. It serves as a stark example of the consequences of regulatory inertia.

Despite a plethora of cybersecurity laws already in place, the lack of enforcement, coordination, and timely updates left critical systems vulnerable to exploitation. Companies operated without sufficient oversight and accountability. As a cybersecurity practitioner, I believe the U.S. urgently needs a comprehensive, centralized approach to cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) should take the lead in safeguarding critical infrastructure, including the telecommunications sector—a mandate that the Federal Communications Commission (FCC) has struggled to enforce effectively.

Fragmented Cybersecurity Oversight

Currently, cybersecurity responsibilities are fragmented across various federal agencies, many of which lack the expertise to address modern cyber threats. For example, the Transportation Security Administration (TSA) oversees pipeline and train security, while the Department of Energy manages cybersecurity for energy infrastructure. This scattered approach dilutes accountability and effectiveness.

Cybersecurity Laws: Intentions vs. Reality

Communications Assistance for Law Enforcement Act (CALEA, 1994)

CALEA aimed to modernize law enforcement’s access to communications systems by requiring telecommunications providers to build lawful surveillance capabilities into their networks. However, this focus on surveillance introduced unintended security gaps, as the law did not prioritize defending these systems against external cyber threats. The FCC’s oversight of CALEA compliance has historically lacked mechanisms to enforce broader cybersecurity measures, leaving telcos vulnerable to sophisticated attacks.

Homeland Security Act (2002) and the Creation of DHS

This act established the Department of Homeland Security (DHS) to protect critical infrastructure from both physical and cyber threats. Within DHS, CISA was later created to focus specifically on cybersecurity. However, the act’s broad scope diluted its effectiveness in addressing sector-specific issues, including telecommunications, which often fell through the cracks despite their designation as critical infrastructure.

Federal Information Security Management Act (FISMA, 2002)

FISMA required federal agencies to develop security programs for their information systems, with oversight from the Office of Management and Budget (OMB). While impactful for government systems, its influence over private-sector infrastructure, including telcos, was limited. This gap remains unaddressed despite increasing public-private network dependencies.

Cybersecurity Act of 2012 (Failed Passage)

This proposed legislation would have mandated security standards for critical infrastructure, including telecommunications, but failed due to industry opposition. Concerns about regulatory burdens resulted in a missed opportunity to establish a comprehensive federal cybersecurity framework.

Cybersecurity Information Sharing Act (CISA, 2015)

This act facilitated public-private partnerships by encouraging threat intelligence sharing. However, participation was voluntary, and concerns about liability and privacy led to inconsistent involvement, leaving significant gaps in the threat intelligence landscape.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022)

CIRCIA mandated that critical infrastructure entities report significant cyber incidents and ransom payments to CISA. While a step in the right direction, its enforcement mechanisms remain underdeveloped, and compliance within the telecommunications sector is inconsistent.

The FCC: A History of Missed Opportunities

The FCC has historically prioritized competition, innovation, and consumer protection over cybersecurity. While it has issued advisories and proposed voluntary frameworks, such as the Communications Sector Coordinating Council’s Cybersecurity Framework, these efforts lacked enforcement mechanisms.

For instance, the FCC’s 2016 initiative to strengthen telco security under the Open Internet Order was struck down in court, highlighting the challenges of enforcing cybersecurity standards. Without mandatory audits or penalties for noncompliance, many telcos failed to take proactive measures, setting the stage for breaches like Salt Typhoon.

Share

T-Mobile’s Breaches: A Case Study

T-Mobile’s history of data breaches illustrates the cost of inadequate cybersecurity measures:

1. 2021 Breach: Exposed personal information of 76.6 million individuals, including names, addresses, Social Security numbers, and driver’s license details.

2. 2022-2023 Breaches: Additional breaches compromised millions more, varying in attack methods and exposing sensitive customer data.

Regulatory Penalties:

• FCC Settlement (2024): A $31.5 million settlement, including a $15.75 million civil penalty and a commitment to invest in enhanced cybersecurity.

• CFIUS Fine (2024): A $60 million penalty for failing to prevent and report unauthorized access, marking the largest fine ever imposed by the Committee on Foreign Investment in the United States (CFIUS).

These incidents underscore the FCC’s failure to enforce robust cybersecurity standards effectively.

Salt Typhoon Breach: Lessons Learned

The Salt Typhoon breach exploited well-documented vulnerabilities, including weak encryption protocols, unpatched systems, and insufficient monitoring. Attackers gained persistent access to telecom networks, intercepting metadata, call logs, and unencrypted communications. This breach is among the most significant telecom hacks in U.S. history, posing severe national security risks by enabling foreign intelligence to monitor key individuals.

In response, agencies like the FBI and CISA have issued guidance emphasizing encrypted communications, phishing-resistant multifactor authentication, and enhanced network monitoring.

CISA: The Right Leader for Cybersecurity

CISA, created in 2018 under DHS, has proven its value as a central cybersecurity hub through initiatives like the National Cybersecurity and Communications Integration Center (NCCIC). Its partnerships with private industry position it uniquely to coordinate cross-sector efforts. To maximize its impact, Congress must:

• Expand CISA’s Authority: Require telcos to comply with CISA’s frameworks, enforceable through regular audits and penalties.

• Set Clear Standards: Establish baseline cybersecurity controls, such as the CIS Top 18 framework.

• Centralize Governance: Consolidate oversight responsibilities currently divided among FCC, FTC, and other agencies under CISA.

A Call to Action for Leadership

The incoming administration has an opportunity to prioritize cybersecurity as a national security imperative. By empowering CISA with clear directives, resources, and enforcement capabilities, it can address regulatory fragmentation and prevent breaches like Salt Typhoon. The incoming DHS Secretary, Kristi Noem, must champion these reforms to ensure resilience across critical infrastructure.

Conclusion

The Salt Typhoon breach exposes systemic failures in cybersecurity governance. With unified leadership and actionable reforms, CISA can spearhead a comprehensive strategy to protect the nation’s critical infrastructure. The cost of inaction is too high—the time to act is now.

Key Takeaways from CISA’s Advisory:

• Use Encrypted Messaging: Employ end-to-end encrypted applications like Signal or WhatsApp.

• Enable Strong Authentication: Implement phishing-resistant multifactor authentication to bolster account security.

Thank you all for your support this year. Merry Christmas and Happy Hanukkah!