How China’s ‘Salt Typhoon’ Hackers Broke Into US Telecoms

Insights from Jonathan Pelson.

Credit: Illustration by Catherine Putz.

The Diplomat author Mercy Kuo regularly engages subject-matter experts, policy practitioners, and strategic thinkers across the globe for their diverse insights into U.S. Asia policy. This conversation with Jonathan Pelson – advisor on technology competition with China and national security, and author of “Wireless Wars: China’s Dangerous Domination of 5G and How We’re Fighting Back” (2021) – is the 438th in “The Trans-Pacific View Insight Series.” 

Explain how Chinese hacking group Salt Typhoon compromised Verizon, AT&T, and Lumen Technologies cyber systems.

If anyone is wondering how a hack of our telecommunications carriers can affect their lives, consider this: new intelligence suggests that China targeted the phones of candidates Trump and Vance, and the campaign staff of Vice President Harris. The national security implications should be obvious.

This is an unusual case, due to the role played by CALEA (the Communications Assistance for Law Enforcement Act) and its successor federal laws. Imagine if the federal government told every home and business in the country that they could secure their premises as well as they wanted – deadbolts, video surveillance, alarms, etc. – but needed to create a single bypass option that let the government enter unnoticed. That is the case in communications today. For all the security deployed by our service providers and their customers, the federal government is allowed, with a court order, to access the communications of any person or company in the country. And the system is deliberately designed to keep the subject of that surveillance from knowing they’ve been breached. 

We’ve created a master key that opens all our country’s networks. I’m reminded of the phrase, “Never forge a sword so powerful you wouldn’t give it to your worst enemy.” China now has that sword.

Also worrisome is that the standards for how carriers maintain the integrity of this “back door” are not where they should be, making breaches more likely.

Examine the level of damage resulting from the penetration.

I adhere to the “one cockroach” theory. If you turn on the lights and see a cockroach run under the fridge, that doesn’t mean your apartment has just one cockroach. 

There’s now evidence that the Salt Typhoon hack extends past those three companies to other American service providers, and to companies in other parts of the world, including Southeast Asia. But AT&T and Verizon make up a huge majority of the connectivity in the country, and Lumen is the leader in broadband provision.

On the domestic front, China may have been able to access information on proprietary technology from American companies, a practice that has been going on for years, and this may be just another more successful version of that.

But the bigger concern is that China may have been able to gather data on who is being monitored or investigated for criminal activity or espionage; under FISA (Foreign Intelligence Surveillance Act) the U.S. government carries out extensive monitoring of the communications of known or suspected spies. If China got access to this program, it would represent an enormous breach for the U.S. counterintelligence community. China would know who was being monitored, what had been learned, and (perhaps more importantly) who was still operating without the knowledge of the U.S. intelligence and law enforcement communities. 

Lastly, there is the new awareness that our networks may be thoroughly infiltrated by an adversary. I argued in “Wireless Wars” that the real danger of a network compromise isn’t just that communications get shut down, but the services that rely on them do: factory operations, delivery of medical care, generation and transmission of electricity, everything that civilization needs to function. 

If you don’t like Google or Facebook controlling our communications, you won’t like the Chinese Communist Party doing it. 

Identify the vulnerabilities that Salt Typhoon targeted in U.S. broadband networks.

There are two areas of vulnerability; one is the typical issue with devices or software. There are reports that part of the program included attacks on Cisco servers. This wouldn’t be surprising, given the central role Cisco plays in enabling the internet, and China has long focused on breaching Cisco’s intellectual property and cracking their security protocols. 

But the unique situation here involves this “back door” that all communications companies are obligated by the federal government to include in their networks. The rationale is understandable; law enforcement and intelligence agencies want to be able to access private communications if they suspect a crime is being committed. The existence of such a concentration of activity under a single technical and legal program creates a huge opportunity for failure on a massive scale. The government tends to pursue “fail safe” systems that are critical but extremely well secured. The problem is, when that security is breached, you can have catastrophic consequences. 

Analyze the effectiveness of the Communications Assistance for Law Enforcement Act.

From an intelligence and law enforcement point of view, the law has been very effective. What agency wouldn’t want guaranteed access to the private communications of every suspect? 

But the CALEA law (and the related FISA) doesn’t just require carriers to make their communications available, it also requires carriers to ensure the privacy and security of the intercepts; that is, they must make sure that the intercepted conversations, emails and other communications are held securely by the carrier. 

It’s fine to make this demand, but the carriers have never been perfect in securing their own networks, especially against state actors. The very creation of these back doors makes their jobs much harder and makes the costs of failure even greater. If a bad actor can obtain access to the back doors that are mandated, they have everything.

Assess how U.S. government agencies and telecoms can prevent future cybersecurity lapses. 

There are a few areas that need to be remedied. One key is to move away from “fail safe” and focus on “safe fail” systems. Networks must be designed so that when the inevitable breach occurs the damage isn’t catastrophic.

Of course, private carriers and equipment makers need to up their game. Security has always taken a back seat to revenues and profits, which makes sense for companies that are driven to earn returns for their shareholders, but the laws need to define higher standards and compel compliance with stronger security practices. For example, let’s see “encryption by default” become the model.

Lastly, we need to recognize that no defenses can protect against all state actors. A strong argument can be made that the federal government needs to end its demands that carriers leave their networks open to legal intercept. Some companies, like Apple, value customer security over government access. This may frustrate government agencies, who point out that there is also a degree of anti-competitive market power that can go with such practices, but it also protects the country against the risk of a complete shutdown of all networked services. Closing that back door would be a steep price to pay in terms of counterintel, and it increases the risk of anti-competitive practices, but it may be necessary.