In a bold move to address glaring vulnerabilities in the nation's telecommunications networks, U.S. Senator Ron Wyden of Oregon unveiled the "Secure American Communications Act," a legislative push aimed at mitigating the damage caused by recent breaches orchestrated by Chinese state-sponsored hackers. Known as "Salt Typhoon," these attackers infiltrated major American telecom providers earlier this year, raising alarms about the resilience of critical infrastructure.
Mandatory Cybersecurity for Telecoms
The proposed bill would empower the Federal Communications Commission (FCC) to establish and enforce robust cybersecurity regulations for telecom providers. Existing legislation has called for telecom companies to secure their networks against breaches since 1994, but Wyden’s proposal emphasizes enforceable rules rather than voluntary compliance.
Under the "Secure American Communications Act," telecom companies would face new requirements to:
Conduct Annual Security Tests: Providers must identify vulnerabilities within their systems and implement fixes.
Engage Independent Auditors: Annual compliance audits with FCC cybersecurity standards will be mandatory, including thorough documentation of any deficiencies and remedial actions.
Enhance Reporting: Carriers must maintain records of all findings and corrective measures, ensuring accountability and transparency.
Senator Wyden did not mince words when announcing the legislation. “It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules,” Wyden said. “Telecom companies and federal regulators were asleep on the job, and as a result, Americans' calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security.” He added, “Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies.”
FCC Promises Swift Action
FCC Chairwoman Jessica Rosenworcel echoed the urgency of Wyden’s sentiments, announcing on Thursday that the FCC would act "urgently" to compel telecom carriers to implement stricter security measures. The chairwoman’s remarks reinforce a growing consensus among federal agencies about the need to fortify the nation's communications infrastructure against sophisticated cyber threats.
The Salt Typhoon Breaches
The impetus for Wyden’s bill stems from a chilling sequence of breaches disclosed by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in late October. Salt Typhoon, also known as Earth Estries and Ghost Emperor, infiltrated the networks of prominent telecom providers, including T-Mobile, AT&T, Verizon, and Lumen Technologies. The group’s operations spanned “months or longer,” siphoning off vast quantities of internet traffic and exposing sensitive information.
Last week, President Biden’s Deputy National Security Adviser Anne Neuberger confirmed the breaches had affected eight U.S. telecoms and carriers in numerous other countries. Neuberger sought to reassure the public, stating, “At this time, we don’t believe any classified communications have been compromised.” However, a senior CISA official tempered this optimism, admitting that they “couldn't say with certainty that the adversary has been evicted.”
Industry Experts Weigh In
Renuka Nadkarni, Chief Product Officer at Aryaka, stressed the systemic challenges faced by telecoms and enterprises reliant on their infrastructure. “Events like Salt Typhoon underscore how enterprises and users remain susceptible to breaches due to dependencies on external infrastructure,” Nadkarni explained. She emphasized that the proliferation of cloud-based services and fragmented security solutions creates expansive attack surfaces, making breaches inevitable.
Nadkarni recommended a multi-pronged approach to bolster defenses, including adopting zero-trust architectures, enhancing visibility through continuous monitoring, and prioritizing AI-driven threat detection. “Operational simplicity remains key for organizations to detect Salt Typhoon activity,” she added, underscoring the importance of streamlined processes and clear security roles.
Moving Forward
With cybersecurity increasingly framed as a national security imperative, the "Secure American Communications Act" seeks to address systemic gaps that have left U.S. telecoms vulnerable. While the legislative path forward may encounter resistance from the industry, the stark realities exposed by the Salt Typhoon breaches may galvanize bipartisan support for Wyden’s proposal.
As federal agencies and telecom providers scramble to contain the fallout, the broader question remains: Will this be the wake-up call needed to transform how America secures its communications infrastructure, or merely another fleeting attempt to patch systemic vulnerabilities? Time, and congressional action, will tell.