‘Whatever we did was not enough’: How Salt Typhoon slipped through the government’s blind spots – CyberScoop

The first time some of the largest telecom companies in the world heard of Salt Typhoon was in a Wall Street Journal article.
The story, which was published last September, blindsided company executives and industry insiders. As news of the attack on the country’s broadband networks broke, the scope and severity of the breach became clear. The top Democrat on the Senate Intelligence Committee dubbed it “the worst telecom hack in our nation’s history.” The breach, carried out by a Chinese government-linked hacking group, had resulted in a total of around 80 different firms compromised at last count, with the attackers in the networks for potentially years as they siphoned up data from more than 1 million people.
Telecom companies were upset to learn about the breach from the Journal story instead of the federal government. One telecom industry source called it “disconcerting” that large companies hadn’t heard about it first from government agencies, and major providers “felt like information wasn’t handled correctly.”
“The engagement was not treated with the kind of respect it deserved,” the source told CyberScoop.
The perceived lack of attention is a microcosm of what critics told CyberScoop was just one of the government’s many failings in response to the Salt Typhoon breach. Sources told CyberScoop that the issues with the government’s response started long before knowledge of an incident ever occurred.
In conversations with CyberScoop, those sources — who were granted anonymity to speak more freely — touched on several concerning issues, including about how:
- Investigators had a “failure of imagination” in not better anticipating the breaches, multiple former U.S. government officials said.
- The Cybersecurity and Infrastructure Security Agency’s relationship with the telecommunications sector, one said, had “degraded,” with the agency perhaps spread too thin. That degradation might have been one cause of what many characterized as disjointed or inadequate communications between feds and the industry.
- Government warnings about vulnerabilities and risks prior to the discovery of the breaches were far too vague to be of use, one former U.S. official said.
- The government failed to use the levers of power it had at its disposal to force telecom companies to upgrade their security posture, one expert said.
When asked about these issues, current and former government officials rejected some of the complaints. A current CISA official told CyberScoop that the agency, along with the Federal Bureau of Investigation, mounted a coordinated campaign to notify companies and help them counter the attack, sometimes providing new information on an hourly basis. Even if there were shortcomings in the response, they contended, the relationship with industry had, if anything, improved over time.
The breached telecommunications companies share some of the blame for why things went wrong, especially because the attackers got into systems they ultimately own by exploiting basic vulnerabilities and taking advantage of slipshod security, sources said. Some officials also said that, prior to the attack, the government lacked the authority to order companies to take action; only after the incident were some new regulations proposed to give officials more power to compel industry compliance.
Yet multiple sources told CyberScoop that there were failings that helped Salt Typhoon ultimately carry out their plan.
“Arguably, clearly, whatever we did was not enough,” said a former senior U.S. cybersecurity official, who nonetheless pointed to significant government efforts.
Before the breach
Three former U.S. government officials told CyberScoop the federal government didn’t adequately anticipate and prepare for the possibility that an adversary like Salt Typhoon would attack telecommunication companies in such a massive way.
“As a nation, we’re really good at preparing for the last attack,” one official said, adding that “so much of our planning is about responding to what happened last as opposed to thinking through what might happen next.” Other examples, the source pointed out, include the Sept. 11, 2001 terrorist attacks and Russian meddling in the 2016 presidential election.
When asked about preparation for such attacks, a CISA official countered that the agency was responsible for one of the first known detections of the attack campaign.
Former CISA Director Jen Easterly said in January that threat hunters at her agency first detected Salt Typhoon activity on federal networks, and by combining that information with “industry tippers,” feds were able to then respond to the penetration of telecom networks.
“I think it bears noting that none of these victims detected this activity,” the official said. “It was unrelated to the targeting of the telecommunications sector, but it was the same threat actor, and based on the information gleaned through those proactive hunt efforts across the federal civilian executive branch, we were able to share information back into the U.S. government with partners.”
Jamil Jaffer, who served on the Cyber Safety Review Board before the Trump administration removed all its members, testified at a congressional hearing in April that the detection should have set off bigger alarm bells and stronger action from the federal government. He specifically mentioned to CyberScoop the government’s use of court-authorized powers in other cybersecurity incidents, including those used to take down a Chinese botnet exploiting U.S. routers.
Jaffer said that if the government had been more aggressive about chasing down the Salt Typhoon threat in collaboration with the private sector, the use of similar authorities could have potentially played a valuable role.
“That is a massive, massive failure of the government to do its job, to share information with industry, to help industry protect itself and take accountability for the fact that we had that information and didn’t know what to do with it,” said Jaffer, the executive director of George Mason University’s National Security Institute. “If we leave the private sector alone to defend against these threats, we will fail every time.”
Department of Homeland Security Secretary Kristi Noem has been making a similar point in public appearances. “One of the most alarming things I heard as soon as I was nominated for this position was in a briefing from CISA that told me that they knew with Salt Typhoon that we had been hacked, but they also said they didn’t know how it happened or how to stop it in the future,” she told the House Homeland Security Committee last week.
One former U.S. official said that while CISA had issued warnings about vulnerabilities that the attackers would exploit, they were too vague and not targeted at the telecom sector.
Other sources worry that federal agencies have been distracted or uneven in their focus on critical infrastructure.
“In the critical infrastructure policy space, there are 16 sectors, and there’s always been this long-held belief that certain sectors are better [at cybersecurity] than others: financial services, energy, telecommunications,” one former official said. “And so I’m not saying they got a pass, but there were other sectors that we were more worried about: health care, education, let’s go down the list.”
Furthermore, the official said that CISA has significant responsibilities as the “sector risk management agency” (SRMA) for eight of the 16 critical infrastructure segments, running the risk of overextending the agency’s capabilities.
“They treat [telecom] like every other sector,” the official said, referring to the communications sector. “There is a lot of anger and frustration [in the telecom sector] — with the exception of what [CISA has] done on supply chain — for how the partnership has degraded over the last eight years.”
The House Homeland Security Committee is taking a closer look at CISA’s role as an SRMA as part of its Salt Typhoon probe.
“We have been in touch with the telecoms and we talked to CISA about this: We do want to make sure that CISA is strengthened and performing its role well as the SRMA of the communication sector,” a committee aide said. “We’re just trying to understand where any of those gaps might be so we can ensure that information sharing is strong, and that relationship is working.”
Not everyone agrees that CISA’s relationship with the telecom industry has degraded. Dave DeWalt, who sits on the National Security Telecommunications Advisory Committee (NSTAC) that provides industry recommendations to the executive branch, had a different take on government-telecommunications industry relations.
“I don’t see that at all,” said DeWalt, who is also the CEO of the venture capital firm NightDragon. “The integration with CISA over the last years has been pretty good. … In fact, if anything, it got better during the Biden years.”
The CISA official emphasized the agency’s ongoing efforts: “We are very focused on working with the telecommunications industry to understand, from their perspective…how could the relationship work better?”
Some observers believe that stronger government regulations could have improved security in the sector before Salt Typhoon struck. The Biden administration had been pushing for more regulation taking a sector-by-sector approach. The Federal Communications Commission launched some regulatory initiatives, with others only materializing after the breaches were discovered.
The former senior U.S. cyber official said those regulatory efforts were marginal upgrades within the telecom space. “It wasn’t really comprehensive, and it wasn’t focused at the network level in these large enterprises,” the official said.
Laura Galante, who served as director of the Cyber Threat Intelligence Integration Center (CTIIC) from 2022 until this year, said the government worked within the confines of the lack of stronger regulatory power.
“Over time, pre-Salt Typhoon, there were issuances of [advisories warning], ‘here are some commonly used products within telco architecture, your certain drivers and switches for example, that we see frequently compromised,’” she said. “Those advisories, in addition to the other smaller-circle intelligence-sharing work, have been the best efforts without an additional regulatory lever.”
Anne Neuberger, the former deputy national security adviser for cyber and emerging technology, told reporters in a December call that stronger regulations, like those in place in the United Kingdom, would have gone a long way toward limiting the attack’s scope.
“When I talked with our U.K. colleagues and I asked, ‘do you believe your regulations would have prevented the Salt Typhoon attack?’, their comment to me was, ‘we would have found it faster. We would have contained it faster, [and] it wouldn’t have spread as widely and had the impact and been as undiscovered for as long,’ had those regulations been in place,” Neuberger said.
A former government official told CyberScoop that even that type of regulatory system may not have been enough.
“For people who are strongly in favor of regulation, they will use this, they will look at this and say, ‘if there were stronger mandates, it could have made the difference,’” said the former senior U.S. cybersecurity official. “I don’t know if that’s the case, because regulations are not synonymous with improved security. … Even companies in highly regulated sectors do suffer compromises.”
After the breach
Once The Wall Street Journal broke the news about the breaches, a telecommunications industry furor erupted, multiple officials from both government and industry said.
“I heard from the companies as well [after the WSJ article],” the CISA official said. “That is not what we want. It was unclear where that information was coming from, candidly, and it was moving extraordinarily fast. So I think we were, in that case, certainly apologetic to the companies that they were hearing from The Wall Street Journal. With that said, some of the information that was in certain publications was inaccurate, and the government does have a responsibility to do due diligence before making a victim notification.”
A former official said “what continued to be stunning was the rollout of companies that had been affected that didn’t know.”
The telecommunications industry source that spoke to CyberScoop said that companies were frustrated to only find out about the attacks when they did, rather than being warned by the government. As these companies rushed to respond, the source described officials from several government agencies suddenly getting involved and “behaved like ‘puppies piling on.’”
“Everybody needs to talk to everybody, and … these were people who didn’t have a damn thing to do with anything, and didn’t know anything about what they’re talking about,” they said.
Companies spent “a lot of time with distracting phone calls, which were taking away time from individuals that were trying to respond, recover, mitigate, root out” the attackers, the source said. “We would find ourselves having the conversation with major entities and then we’d be yelled at because we didn’t have the same conversation with a different entity.”
The CISA official said there was a concerted effort to coordinate victim notifications.
“That is something that was top of mind for leaders across the cybersecurity community at the beginning of this campaign,” they said. “Does that mean we did it perfectly? No, but we were committed to as best as we can … de-conflicting within the U.S. government in reducing the burden, really on these … victims, as they were focused on their own response efforts.”
The FBI led the victim notification effort while CISA handled some of the notifications because they had ongoing relationships with certain companies. By late September, the government was notifying victims every single day and holding frequent senior leadership meetings — sometimes as often as every hour. While the FBI focused on victim notification, the Office of the Director of National Intelligence took charge of impact analysis and assessment, and CISA concentrated on mitigation efforts and tracking the attackers.
The FBI did not respond to questions or a request for an interview for this story.
The CISA official said the agency was also sharing “hunting guidance,” helping companies determine whether they were victims; “hardening” advice to make it tougher for the attackers to strike; and helping “highly targeted individuals” or “VIPs,” including high-level officials across government.
But there was “fair criticism” about the information sharing between government and industry, the official said.
With the response in full swing, another probe of the attacks, by the Cyber Safety Review Board, was announced. But it endured delays and then barely got started before the Trump administration stripped the board of its members, halting the investigation.
“Had we been able to pursue our investigation more aggressively during the prior administration and if the Board had not been terminated before the current one, I certainly would have advocated to look closely at what the government knew when and what the government did or didn’t do about that information,” Jaffer told CyberScoop.
The House Homeland Security Committee’s probe will also look into the caliber of information sharing.
“The information that was shared with us and others was not timely,” Rep. Andrew Garbarino, R-N.Y., who chairs the panel’s cybersecurity subcommittee, told CyberScoop. “I don’t know how quickly they shared information with their private sector partners. I think we can always do that better.” When it comes to the U.S. government, he said, “we’re very good at taking information but not sharing it.”
Overall, the CISA official felt the agency did a “really good job of sharing information” as the severity of the incident unfolded.
“Had we not had that information, who knows whether this campaign would have been detected by today or whether it would still be ongoing,” the official said. “Does that mean we have figured out the perfect recipe for identifying risk thresholds for a sector that is largely unregulated, with extraordinarily large Fortune 10 companies and then others who you’ve never heard of that are deeply connected and underpin the trust relationships in those sectors? No.”
Derek B. Johnson contributed reporting for this story.