It’s time to rethink how wiretaps work after Chinese hack, experts say


The FCC sought a briefing from national security officials about the infiltration that was reported last Friday, according to a person familiar with the matter.

Cybersecurity experts say a recent Chinese intrusion into major U.S. broadband providers’ systems means that it’s time for regulators to rethink a cornerstone law that, for 30 years, has required communications firms to engineer their systems to allow for law enforcement agencies to intercept targets’ communications through wiretapping.

The Wall Street Journal last Friday reported that a Chinese state-backed hacking collective called Salt Typhoon penetrated the networks of AT&T, Verizon and Lumen, and for months was possibly inside systems that facilitate court-authorized wiretap requests.

The break-ins, which may have compromised some of the most sensitive national security data on domestic surveillance targets, have raised questions about the security architecture of the backdoor installations enabled by the Communications Assistance for Law Enforcement Act — or CALEA — which passed in 1994.

The Federal Communications Commission, which oversees the law, has requested a briefing from national security officials about the intrusion, according to a person familiar with the matter who spoke on the condition of anonymity to relay information about how the agency is handling the incident. An FCC spokesperson did not return a comment request.

The House Energy & Commerce Committee sent letters to the affected firms, asking them to provide more details about how the hack occurred, the committee’s press office said Friday.

CALEA has been a mainstay in the law enforcement community’s arsenal of surveillance tools. While many surveillance authorities focus on collecting, sorting and analyzing bulk communications that cross the internet backbone, court-approved wiretaps are more narrowly tailored to target specific individuals’ phone conversations in the United States.

Wiretapping had been practiced for decades prior to CALEA, but the FBI in the 1990s demanded a legal framework mandating built-in access to phone networks, arguing that the advent of digital communications was making traditional lug nut wiretapping defunct.

In the wake of the September 11 terrorist attacks, the FCC in 2005 updated the law, determining that CALEA covers both interconnected voice over internet protocol service providers — which let people make phone calls using an internet connection instead of a traditional phone line — and facilities-based broadband providers. But it kept much of the development and supervision of the wiretap backdoors in the hands of the private sector.

Under current standards, the FCC says that telecommunications carriers can develop their own solutions tailored to their networks, purchase solutions from their equipment manufacturers or rely on a third party to determine whether they are compliant with CALEA.

The break-in should push the U.S. to consider fresh standards for wiretap security protocols, said John Ackerly, a former White House official who managed the George W. Bush administration’s tech policy portfolio. 

“I don’t think it’s the question of giving government more access, but I think it’s a lot more clarity about what the standards are around the security and where there are back doors — those have to be really tight,” said Ackerly, who now heads Virtru, a firm that offers data security services. “The vast majority of these requests are trying to keep us safe.”

A spokesperson for Sen. Mark Warner, D-Va., who chairs the Senate’s intelligence committee, did not return requests for comment. The Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency also did not return requests for comment, while the National Security Agency declined to comment.

A different person familiar with Salt Typhoon described the collective as “exceptionally talented” with members who are very skilled and patient. The engineer, who spoke on the condition of anonymity to relay their knowledge about the infiltration, said that the targeted wiretap data is prime intelligence that any nation-state adversary would want access to.

CALEA sets no minimum cybersecurity standards for the telecom and internet firms it covers, which in turn left those systems exposed to the hackers, said Crystal Morin, a former Air Force linguist and intelligence analyst, in an email.

“CISA initiated Secure by Design this year — but that is still a choice, not a requirement,” said Morin, now a cybersecurity strategist at Sysdig, a cloud and application security company. 

The cybersecurity agency’s secure-by-design initiatives encourage software makers to build baseline security features into their products by default.

“These critical infrastructure sectors that have a direct association with national security have no mandated cybersecurity requirements,” she said. “The Salt Typhoon actors and the Chinese government, through this breach, have been able to collect sensitive information, including data about U.S. persons or persons of interest to the U.S. government that U.S. state and federal agencies have tapped, likely for matters of national security, such as drug trafficking.”

But there are still views that any backdoor into phone conversations creates cybersecurity risks that should be entirely avoided.

“Law enforcement agencies act like there’s no information security risk to wiretapping infrastructure. Meanwhile, hostile nation-states systematically target and successfully exploit these systems, because why wouldn’t they?” Matthew Green, a cryptography specialist and professor at Johns Hopkins University, said in a post on X last week. 

How Congress is proceeding on CALEA is not entirely clear, though at least one panel on Capitol Hill is still awaiting a security briefing from CISA on the intrusions, according to another person familiar with the hack. 

“A compromise of networks associated with government surveillance would constitute both a serious threat to national security and a violation of Americans’ trust. If the government wants to get court orders to listen in on Americans’ calls and read their texts, it has an obligation to keep its surveillance system secure against foreign hacks,” Ron Wyden, D-Ore., a privacy-focused senator who sits on the upper chamber’s intelligence committee, said in a statement to Nextgov/FCW.