Senate bill would require FCC to issue binding cyber rules for telecom firms
The measure from Sen. Ron Wyden, D-Ore., comes in the wake of Chinese-backed hackers breaching a swath of major telecommunications providers.
A bill introduced Tuesday would direct the Federal Communications Commission to require telecom providers to adhere to a list of must-have cybersecurity compliance rules, including minimum cyber requirements and annual system testing.
The legislation responds to a wide-reaching hack of numerous telecom providers and their wiretap systems by a Chinese cyberespionage collective, dubbed Salt Typhoon. The hackers are still embedded in some networks as forensic analysis continues.
The proposed Secure American Communications Act would require telecom companies to implement cybersecurity protocols designed by the FCC in collaboration with the Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence, focusing on blocking unauthorized interceptions of communications data.
Carriers must also conduct annual vulnerability testing, take corrective actions where needed and document their findings and remediation efforts. Additionally, carriers would undergo annual independent audits to evaluate compliance with FCC cybersecurity rules, with auditors reporting any areas of noncompliance.
The measure also mandates providers submit annual documentation of their tests and audits, accompanied by a written compliance certification signed by their CEO and Chief Information Security Officer.
An FCC spokesperson did not immediately respond to a request for comment on the bill.
“The numerous high-profile attacks in the past, including the recent Salt Typhoon incident, highlight the critical need to address cyber and supply chain management. Recognizing this imperative, the industry and government need to work together,” said Dave Stehlin, CEO of the Telecommunications Industry Association, which represents private sector entities across the telecommunications supply chain. “We are proud that the industry has taken proactive steps with the development of the information and communications technology (ICT) industry’s first Supply Chain Security standard, SCS 9001. This standard was crafted with valuable input from industry experts and U.S. and trusted allied governments, and we believe it will be an important tool in the toolbox to ensure the security of our ICT networks.”
FCC Chairwoman Jessica Rosenworcel last week shared a draft ruling with colleagues that, if adopted, would immediately require telecommunications firms to secure their networks against unauthorized access to systems that house wiretap requests from law enforcement.
She also floated a separate notice of proposed rulemaking to her peers that, if fully approved, would require communications providers to file annual attestations to the agency about their security posture.
The United States wiretap environment is governed by the 1994 Communications Assistance for Law Enforcement Act, which requires telecom companies to engineer their systems to accommodate “legal access” surveillance requests. Salt Typhoon moved through the systems of at least two victims before pivoting to their respective CALEA environments, a senior FBI official said last week.
Although the CALEA law required providers to protect their systems from unauthorized interceptions and gave the FCC regulatory power to enforce this, the agency has not fully utilized this authority over the years, Wyden’s office contends.
“It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules,” Wyden said in a statement. “Telecom companies and federal regulators were asleep on the job and as a result, Americans’ calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security.”
CALEA has become a reliable instrument in law enforcement’s surveillance toolkit, but hasn’t undergone a major update since the Federal Communications Commission last reviewed it in 2005. Wiretaps have evolved from the act of physically tapping analog phone lines to remotely intercepting digital communications across multiple channels that collate calls, texts and internet traffic.
Under current standards, the FCC lets carriers develop their own wiretap solutions tailored to their networks, purchase solutions from equipment manufacturers and rely on a third party to determine whether they are CALEA-compliant.
CALEA systems allow law enforcement to request wiretaps through secure log-in portals. Once greenlit by an overseer at a telecom company, an investigator can receive phone metadata on targets, including call detail records that map the time, duration and participants of calls, as well as geolocation data, enabling them to trace communication patterns and movements.
A senior administration official last week said that voluntary cybersecurity guidance used by the private sector has proven inadequate for protecting the affected telecom networks, and that minimum cyber requirements would have helped prevent the Chinese cyberspies from getting inside.
So far, Salt Typhoon has ensnared around 80 providers in the U.S. and abroad, including AT&T, Verizon, Lumen and T-Mobile, although T-Mobile recently said it was able to keep Salt Typhoon out of its networks.
The hacking collective has accessed communications of some 150 select, high-value targets, including people affiliated with President-elect Donald Trump, according to previous media reports. The senior administration official said that the campaign may have been ongoing for one to two years, and that eight or so of the victims were American telecom firms.
Amid the breaches, officials have suggested Americans and federal employees use encrypted messaging services. A phishing campaign that piggybacked on those encrypted messaging advisories has targeted lawmakers on Capitol Hill, Nextgov/FCW reported Friday.
Editor's note: This article has been updated to include comment from the TIA CEO.