Salt Typhoon, a Chinese cyber-espionage group, allegedly infiltrated at least eight US telecommunications firms, stealing large volumes of call record metadata. During an interview with The Guardian, a senior US official stated the hackers accessed data that reveals the “who, what, when, and where” of phone calls.
Although companies like T-Mobile and Lumen reported no evidence of customer data being compromised, other cases involved the theft of audio intercepts and call logs, providing detailed insights into Americans’ private lives and activities.
The FCC proposal requires companies to submit annual certifications detailing their cybersecurity plans. The proposal will reduce vulnerabilities in telecom infrastructure and better prepare networks to prevent and respond to sophisticated cyberattacks.
The official also confirmed President Joe Biden had been briefed multiple times on Salt Typhoon’s ongoing activities, and the administration has prioritized tackling these cybercriminals.
The Salt Typhoon cyber campaign is the latest in a series of high-profile incidents involving Chinese cyber actors targeting critical American infrastructure. US officials allege China has increasingly tried to gather intelligence and disrupt national systems, including telecommunications and utilities.
In past incidents, hackers used phishing, compromised vendor software, and network vulnerabilities to gain access. Salt Typhoon’s success in targeting telecom systems raises questions about the adequacy of existing defenses and has reignited debate over US cybersecurity.
Furthermore, the FCC proposal suggests the following measures:
FCC Chairwoman Jessica Rosenworcel stated, “The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security.”
“As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses. While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future,” Rosenworcel added.
Call metadata does not include call content but can be incredibly revealing when analyzed, as it shows who a person contacts regularly, providing insights into professional or personal networks. It also tracks movements through location data and hints at the importance or frequency of interactions based on call durations.
Combined, this information can create an in-depth picture of an individual’s life, making it a prime target for espionage.
As cyber-espionage campaigns like Salt Typhoon grow more sophisticated, their ability to compromise metadata at such a massive scale threatens privacy and national security.
The FCC’s proposed cybersecurity certification is a step toward enhancing defenses and promoting vigilance among telecom providers.
Annual cybersecurity certifications for telecom providers could strengthen defenses against such attacks. With sensitive data at risk, stakeholders must collaborate to address vulnerabilities and protect the nation’s critical infrastructure.
Metadata provides a detailed view of someone’s life, which can be exploited for espionage, surveillance, or fraud when accessed by malicious actors.
HIPAA applies when telecommunications data contains protected health information (PHI), such as when calls relate to healthcare services.
No, they must have specific measures to handle PHI securely, including entering into business associate agreements with covered entities. To better protect sensitive data, HIPAA compliant email solutions, like Paubox, offer encrypted, secure communication that prevents data exposure and upholds federal regulations.