FCC leaders skirt call for wiretap security reform, hope to ‘go deeper’ on telecom breach briefings

Jessica Rosenworcel (L), Chairwoman of the Federal Communications Commission (FCC), and FCC Commissioner Brendan Carr arrive to testify during a House Energy and Commerce Committee Subcommittee hearing on March 31, 2022. Both Rosenworcel and Carr skirted the question of whether the FCC would take up CALEA reform in the face of the recent Salt Typhoon hack.

Jessica Rosenworcel (L), Chairwoman of the Federal Communications Commission (FCC), and FCC Commissioner Brendan Carr arrive to testify during a House Energy and Commerce Committee Subcommittee hearing on March 31, 2022. Both Rosenworcel and Carr skirted the question of whether the FCC would take up CALEA reform in the face of the recent Salt Typhoon hack. Kevin Dietsch/Getty Images

Lawmakers have called on the agency to take up a rulemaking to rethink wiretapping laws amid the hacks that have ensnared several telecom companies, but top FCC officials have not signaled any forthcoming action yet.

An unprecedented Chinese intrusion into U.S. telecommunications firms and the infrastructure that facilitates legal access requests has grabbed the attention of several lawmakers who have asked the Federal Communications Commission to launch a formal proceeding to reform the key law that governs wiretapping procedures. But the agency doesn’t appear poised to proceed just yet.

The breaches carried out by the operatives, dubbed Salt Typhoon, were first reported in October, and have called into question the security frameworks governed by the Communications Assistance for Law Enforcement Act. CALEA requires carriers to engineer their systems to allow for law enforcement authorities and the FBI to wiretap them for surveillance purposes.

“The FCC has the legal authority — right now it has the power — to set and enforce security standards,” Sen. Richard Blumenthal, D-Conn., said in a Wednesday hearing on Chinese cyber threats. Previously, Sen. Ron Wyden, D-Ore., wrote a letter to agency chief Jessica Rosenworcel asking the commission to update CALEA law to mandate baseline cybersecurity standards.

“It’s an area where we are coordinating with many other authorities across government. Our coordination is close and ongoing,” Rosenworcel told reporters at a Thursday news conference following the commission’s November open meeting. She declined to provide a timeline on whether a CALEA proceeding will launch before she plans to step down in January.

Under current rules, the FCC says that telecommunications providers can develop their own wiretap solutions tailored to their networks, purchase solutions from their equipment manufacturers or rely on a third party to determine whether they are CALEA-compliant.

The hackers have reportedly ensnared the systems of AT&T, Verizon, Lumen and most recently T-Mobile. The cyberspies have targeted people affiliated with president-elect Donald Trump, among several other officials, and have accessed audio and other sensitive communications.

“I’ve gotten some briefings on Salt Typhoon. And there’s additional multi-layers of briefings on this, and I hope to be continuing to go deeper and deeper on that,” incoming FCC Chairman Brendan Carr told reporters Thursday on the sidelines of the open meeting.

“I don’t have a thought on that one at this point,” he said when asked about potential CALEA reform, adding that he plans to view the inquiries from Capitol Hill. “I’ll continue to get more in-depth briefings. I think I’ve had a pretty good level [of understanding], but I think there’s more that I need to dig down on there.”

Representatives from the U.S. intelligence community recently briefed congressional committees about the hack, according to a Capitol Hill aide familiar with the matter.

Earlier this month, the Department of Homeland Security’s chief information officer issued internal guidance to agency staff reminding employees to only use DHS-assigned devices for official business, according to email text obtained by Nextgov/FCW. The email did not specifically mention the Salt Typhoon hackers.

It remains unclear whether other surveillance systems, such as those governed by the Foreign Intelligence Surveillance Act, were penetrated in the hacks. Data from those FISA systems could provide Beijing with insights into U.S. overseas intelligence targets.

“If you want to know what diplomats are thinking, it’s in their email, it’s in their texts. And that’s the kind of stuff that I think people have always targeted,” Kevin Mandia, who founded the eponymously named threat intelligence firm Mandiant, told Nextgov/FCW in October.

The infiltrations are “really concerning,” former NSA director Gen. Paul Nakasone said in a recent interview. “The scope and the scale of allegedly being in American telecommunications companies — that’s a different ballgame,” he said. “I think the follow on question now is, okay, what are we doing about it?”