Mandiant founder calls Chinese wiretap hack unsurprising
Telecommunications providers have always been an ideal espionage target for foreign adversaries, Kevin Mandia said in an interview.
An alleged Chinese government-backed infiltration into U.S. wiretap infrastructure is leaving at least one cybersecurity leader unsurprised, arguing that telecommunications technology has always been prime real estate for hackers since its inception.
The Wall Street Journal on Oct. 5 reported that a Chinese state-backed hacking collective dubbed Salt Typhoon penetrated the networks of AT&T, Verizon and Lumen, and for months was possibly inside systems that handle court-authorized wiretap requests.
Kevin Mandia, a top voice in the cybersecurity community who founded the eponymously named firm Mandiant, said in an interview with Nextgov/FCW that telecoms are a logical target for adversaries in an espionage operation.
“If you want to know what diplomats are thinking, it’s in their email, it’s in their texts. And that’s the kind of stuff that I think people have always targeted,” he said on the sidelines of Google’s Public Sector Summit in Washington, D.C., declining to provide specifics about any ongoing Mandiant investigations into the hacks.
“If you are a nation with a modern cyber capability, you’d put infrastructure companies on the list. And because espionage is all about who’s saying what to whom, I think that — working for 30 years in cybersecurity — I’ve always assumed the best and the brightest have always pounded on the doors of Verizon and AT&T,” he said.
The breach has now impacted 10 to 12 companies, the Washington Post reported Oct. 11, citing two people familiar with an ongoing U.S. investigation into the matter. Mandia did not directly confirm if that figure was accurate but noted that Salt Typhoon may have been covertly operating for a while: “It’s not like they sprung up yesterday and hacked three companies and they’re done, right?”
The wiretap break-ins, which may have compromised some of the most sensitive national security data on domestic surveillance targets, have raised questions about the security architecture of the backdoor installations enabled by the the Communications Assistance for Law Enforcement Act — or CALEA — which passed in 1994.
Mandia declined to say whether it was time to overhaul CALEA security standards but said cell providers will always be a “top five” target for espionage.
CALEA has been a reliable mainstay in the law enforcement community since its inception. The FBI in the 1990s demanded a legal framework mandating built-in access to phone networks, arguing the advent of digital communications was making old school wiretapping methods that relied on lug nuts defunct.
In the wake of the Sept. 11 terrorist attacks, the Federal Communications Commission in 2005 updated the law, determining that CALEA covers both interconnected voice over internet protocol service providers — which lets people make phone calls using an internet connection instead of a traditional phone line — and facilities-based broadband providers.
But under current standards, the FCC says that telecommunications carriers can develop their own solutions tailored to their networks, purchase solutions from their equipment manufacturers or rely on a third party to determine whether they are compliant with CALEA. Some cyber experts say it’s time for those standards to be overhauled, Nextgov/FCW reported last week.
Sen. Ron Wyden, D-Ore., asked the FCC and Justice Department last week to address what he called “outdated” regulatory standards for CALEA.
Mandia departed as head of his firm in May, taking an advisory role within Google’s public sector unit. The tech giant acquired the company in 2022, placing it under Google Cloud.
The company has become a top threat intelligence provider in the industry. Mandiant in 2013 became widely known for identifying a prolonged Chinese government hacking campaign that extended as far back as the mid-2000s. It dubbed the group APT1, one of the first times the now common Advanced Persistent Threat moniker was used in a cybersecurity context.