The long, complex road to securing U.S. telcos

Illustration: Sarah Grillo/Axios
Old equipment and years of mergers and acquisitions are likely impeding the ability of telecommunications providers to toss Beijing out of their networks.
Why it matters: Until telecom providers fully secure their networks, China will keep finding ways to come back in, officials have warned.
Driving the news: A handful of U.S. government agencies broke their silence on the Salt Typhoon intrusions this week.
- FCC chair Jessica Rosenworcel proposed a new annual certification requirement Thursday for telecom companies to prove they have an up-to-date cybersecurity risk management plan.
- Senior Cybersecurity and Infrastructure Security Agency and FBI officials confirmed Tuesday that U.S. telcos are still struggling to keep the China-backed hackers out of their networks — and they have no timeline for when total eviction is possible.
- The White House confirmed Wednesday that at least eight U.S. telcos have been compromised so far. Salt Typhoon has targeted telcos in dozens of countries for upward of two years, officials added.
Between the lines: Legacy equipment and years of acquisitions have made it particularly difficult for telcos to patch every access point on their networks, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios.
- Many of the systems in question are nearly 50 years old — like landline systems — and they were "never meant for the type of sensitive data and reliance that we have on them right now," he said.
- During an acquisition, a company could also miss a server when taking stock of all its newly acquired equipment, Steinhauer said. Network engineers are often inundated with security alerts that are hard to prioritize, he added.
Plus, many carriers have the added challenge of potential physical tampering with their copper lines.
- And in the U.S., communications companies are required to provide a way for law enforcement to wiretap calls as needed — providing another entry point for adversaries.
The big picture: Telcos have long been a target for nation-state spies looking for coveted state secrets.
- Politicians rely on commercial telecom networks to talk to confidantes. Government workers use these networks to call their bosses. And reporters send messages to anonymous sources over many of the same phone lines.
- China has long used telecom networks to spy on governments in Southeast Asia and elsewhere around the world.
The intrigue: Many of the security problems telcos face require simple fixes, like implementing multifactor authentication or maintaining activity logs.
- Even CISA's recent guidance for securing networks focuses on the security basics.
- But to keep China out, telcos would have to make sure that every device — including their legacy physical equipment, online servers and employees' computers — is patched.
Zoom in: T-Mobile appears to have avoided the same fate as other U.S. telcos in part because it operates a fully wireless network with zero global presence, chief security officer Jeff Simon told Axios.
- This means T-Mobile doesn't have the same physical tampering threats, and Simon's team only has to worry about remotely monitoring cell sites.
- Simon added that T-Mobile's fully 5G network means the company is working with newer equipment that's easier to secure.
- So far, the company's only potential exposure to Salt Typhoon was through a wireline network it connects to for backhaul communications — but the company says it quickly detected and squashed the threat.
What they're saying: "The count of devices you have to manage and secure is large," Simon said of the broader telecom industry.
- "Having global presence, having the wireline networks, it just makes it even larger and more complex."
- "That's more device types to manage and update and patch."
Reality check: Most high-profile cyberattacks across industries come down to the basics: a server that didn't have multifactor authentication turned on or an employee who was tricked into sharing their password.
Yes, but: Even if a company invests all of its resources in cybersecurity, it may not be enough to fend off a sophisticated nation-state like China.
- These actors are skilled at covering their tracks: They could delete activity logs, pose as legitimate users, and route their traffic through compromised computers in the U.S. so they aren't detected.
- "You've got a persistent, motivated attacker with vast resources to poke and prod until they get in," Steinhauer said.
