Axios Codebook

December 06, 2024
TGIF, everyone. Welcome back to Codebook.
Situational awareness: A federal appeals court just upheld a law that forces ByteDance to sell TikTok or face a ban starting next month.
Today's newsletter is 1,152 words, a 4.5-minute read.
1 big thing: The long, complex road to securing U.S. telcos
Old equipment and years of mergers and acquisitions are likely impeding the ability of telecommunications providers to toss Beijing out of their networks.
Why it matters: Until telecom providers fully secure their networks, China will keep finding ways to come back in, officials have warned.
Driving the news: A handful of U.S. government agencies broke their silence on the Salt Typhoon intrusions this week.
- FCC chair Jessica Rosenworcel proposed a new annual certification requirement yesterday for telecom companies to prove they have an up-to-date cybersecurity risk management plan.
- Senior Cybersecurity and Infrastructure Security Agency and FBI officials confirmed Tuesday that U.S. telcos are still struggling to keep the China-backed hackers out of their networks, and they have no timeline for when total eviction is possible.
- The White House confirmed Wednesday that at least eight U.S. telcos have been compromised so far. Salt Typhoon has targeted telcos in dozens of countries for upward of two years, officials added.
Between the lines: Legacy equipment and years of acquisitions have made it particularly difficult for telcos to patch every access point on their networks, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios.
- Many of the systems in question are nearly 50 years old, like landline systems, and they were "never meant for the type of sensitive data and reliance that we have on them right now," he said.
- During an acquisition, a company could also miss a server when taking stock of all its newly acquired equipment, Steinhauer said. Network engineers are often inundated with security alerts that are hard to prioritize, he added.
Plus, many carriers have the added challenge of potential physical tampering with their copper lines.
- And in the U.S., communications companies are required to provide a way for law enforcement to wiretap calls as needed, providing another entry point for adversaries.
The big picture: Telcos have long been a target for nation-state spies looking for coveted state secrets.
- Politicians rely on commercial telecom networks to talk to confidantes. Government workers use these networks to call their bosses. And reporters send messages to anonymous sources crossing many of the same phone lines.
- China has long used telecom networks to spy on governments in Southeast Asia and elsewhere around the world.
The intrigue: Many of the security problems telcos face require simple fixes, like implementing multifactor authentication or maintaining activity logs.
- Even CISA's recent guidance for securing networks focuses on the security basics.
- But to keep China out, telcos would have to make sure that every device, including their legacy physical equipment, online servers and employees' computers, is patched.
Zoom in: T-Mobile appears to have avoided the same fate as other U.S. telcos in part because it operates a fully wireless network with zero global presence, chief security officer Jeff Simon told Axios.
- This means T-Mobile doesn't have the same physical tampering threats, and Simon's team only has to worry about remotely monitoring cell sites.
- Simon added that T-Mobile's fully 5G network means the company is working with newer equipment that's easier to secure.
- So far, the company's only potential exposure to Salt Typhoon was through a wireline network it connects to for backhaul communications, but the company says it quickly detected and squashed the threat.
What they're saying: "The count of devices you have to manage and secure is large," Simon said of the broader telecom industry.
- "Having global presence, having the wireline networks, it just makes it even larger and more complex."
- "That's more device types to manage and update and patch."
Reality check: Most high-profile cyberattacks across industries come down to the basics: a server that didn't have multifactor authentication turned on or an employee who was tricked into sharing their password.
Yes, but: Even if a company invests all of its resources in cybersecurity, it may not be enough to fend off a sophisticated nation-state like China.
- These actors are skilled at covering their tracks: They could delete activity logs, pose as legitimate users, and route their traffic through compromised computers in the U.S. so they aren't detected.
- "You've got a persistent, motivated attacker with vast resources to poke and prod until they get in," Steinhauer said.
2. Exclusive: Ex-NSA chief joins WitnessAI board
Retired Army Gen. Paul Nakasone, the former head of the NSA and U.S. Cyber Command, is joining the board of WitnessAI.
Why it matters: This is the second AI company board that Nakasone has joined since leaving his government role in February. In June, he also joined OpenAI's board.
The big picture: Nakasone says artificial intelligence is the "most disruptive technology" of the future, and he wants to use his expertise in fending off hackers and leading large organizations to help entrepreneurs navigate this emerging landscape.
Zoom in: WitnessAI builds security tools that help companies control what data feeds their generative AI tools and meet any security, data privacy and compliance requirements. The tools are designed to be model agnostic.
- WitnessAI was incubated at Ballistic Ventures, the cybersecurity-focused venture capital firm founded by a handful of high-profile industry names, and emerged from stealth this year with a $27.5 million Series A round.
- Nakasone joined Ballistic as a strategic adviser this summer.
Between the lines: WitnessAI is far from the only company that's working on solutions to help companies keep generative AI models from spilling confidential corporate information to employees.
- But Nakasone says the leadership and approach of the company stood out to him.
- "I saw a young company and really good leadership under [CEO] Rick [Caccia]," he said. "WitnessAI is really ensuring the safety and security of being able to use a disruptive technology."
What we're watching: Nakasone hinted that this likely won't be the last company board he joins as AI advancements continue.
3. Catch up quick
@ D.C.
The Cyber Safety Review Board is expected to have its first meeting today to investigate the Salt Typhoon breaches. (The Record)
President-elect Trump has named investor and Elon Musk ally David Sacks as his new AI and crypto czar. (Axios)
Trump's advisers are renewing their push to pardon Edward Snowden, after a failed attempt during his first administration. (Washington Post)
@ Industry
OpenAI is partnering with defense contractor Anduril to "develop and responsibly deploy" AI solutions for national security missions. (Axios)
iVerify has already identified seven victims of commercial spyware after releasing its new detection tool in May. (Wired)
@ Hackers and hacks
A ransomware gang is, once again, targeting hospitals in the U.K.'s National Health Service network. (TechCrunch)
U.K. law enforcement has uncovered a multibillion-dollar money-laundering operation that worked with ransomware gangs and drug traffickers in more than 30 countries. (Financial Times)
Romania's top court has annulled its presidential election results following reports of Russian interference via cyberattacks and social media manipulation. (CNN)
4. 1 fun thing
Shoutout to everyone who also experienced the one-hour tsunami warning on the West Coast yesterday.
See y'all Tuesday!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.




