FCC proposes updates to wiretap security standards following Chinese telecom hacks

FCC Chairwoman Jessica Rosenworcel testifies during the House Appropriations Subcommittee on Financial Services and General Government hearing on May 16, 2024. Rosenworcel shared a draft ruling with colleagues Dec. 5 that aims to ensure the security of telecommunications firms' systems. Tom Williams/CQ-Roll Call, Inc via Getty Images

Several lawmakers have called for the agency to reform wiretap standards governed by the Communications Assistance for Law Enforcement Act, or CALEA.

The Federal Communications Commission’s top official shared a draft ruling with colleagues Thursday that, if adopted, would immediately require telecommunications firms to secure their networks against unauthorized access to systems that house wiretap requests from law enforcement, according to an agency news release.

FCC Chairwoman Jessica Rosenworcel also floated a separate notice of proposed rulemaking to her peers that, if approved, would require that communications providers submit annual attestations to the agency about their security posture.

The proposals respond to a wide-reaching hack of numerous telecom providers by a Chinese cyberespionage collective, dubbed Salt Typhoon. The hackers are still embedded in some networks as forensic analysis continues.

The wiretap environment — governed by the Communications Assistance for Law Enforcement Act that requires telecom companies to engineer their system for “legal access” surveillance requests — was accessed in the penetrations. Salt Typhoon pored through the systems of at least two victims before pivoting to their respective CALEA environments, a senior FBI official said earlier this week.

The official declined to categorize which systems governed by the Foreign Intelligence Surveillance Act, or FISA, were accessed by the hackers. CALEA requests include court orders for Title I of FISA, which allows the U.S. to electronically surveil foreign powers and their agents, including Americans acting as agents of a foreign nation.  

“While the commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the communications sector in the future,” Rosenworcel said in a statement.

The draft ruling would rework Section 105 of CALEA, which, in essence, says that telecom companies can only monitor calls or access call data with legal approval and must have an authorized employee actively oversee it. 

A senior administration official said Wednesday that the swaths of voluntary cybersecurity guidance used by the private sector have proved inadequate for protecting the affected telecom networks, and that minimum cyber requirements would have helped prevent the Chinese cyberspies from breaching the telecommunications systems.

So far, the cyberspies have ensnared around 80 providers in the U.S. and abroad, including AT&T, Verizon, Lumen and T-Mobile, although T-Mobile recently said it was able to kick Salt Typhoon out of its networks.

The group has accessed communications of some 150 select, high-value targets, including people affiliated with President-elect Donald Trump, according to previous media reports. A senior administration official said this week that the campaign may have been ongoing for one to two years, and that eight or so of the victims were American telecom firms.

CALEA is a 30-year-old legal protocol that has become a mainstay in law enforcement’s surveillance toolkit, but hasn’t undergone a major update since the Federal Communications Commission last reviewed it in 2005. Wiretaps have evolved from the act of physically tapping analog phone lines to remotely intercepting digital communications across multiple channels that collate calls, texts and internet traffic.

CALEA systems allow law enforcement to request wiretaps through secure log-in portals. Once greenlit by an overseer at a telecom company, law enforcement can receive phone metadata on targets, including call detail records that map the time, duration and participants of calls, as well as geolocation data, enabling law enforcement to trace communication patterns and movements of targets.

Top federal officials held a classified briefing with senators on Wednesday about the espionage campaign. The briefing included Rosenworcel, as well as Director of National Intelligence Avril Haines and Cybersecurity and Infrastructure Security Agency Director Jen Easterly.

The CISA head told reporters after the briefing that a government review board will begin probing the incident tomorrow.

Under current standards, the FCC allows carriers to develop their own wiretap solutions tailored to their networks, purchase solutions from equipment manufacturers and rely on a third party to determine whether they are CALEA-compliant.

“These proposed measures have been made available to the five members of the commission. They may choose to vote on them at any moment,” the FCC said in a fact sheet released Thursday.

“A cyberattack in the communications sector can affect other sectors, including healthcare, manufacturing, energy, and transportation,” it also said. “Ensuring secure and reliable communications infrastructure builds confidence in the nation’s ability to protect critical systems and also helps protect everyday Americans from cyberattacks.”