from the the-call-is-coming-from-inside-the-house dept
Last year almost a dozen major U.S. ISPs were the victims of a massive, historic intrusion by Chinese hackers who managed to spy on public U.S. officials for more than a year. The “Salt Typhoon” hack was so severe, the intruders spent much of the last year rooting around the ISP networks even after discovery.
AT&T and Verizon, two of the compromised companies, apparently didn’t think it was worth informing subscribers that any of this happened. Many of the attack vectors were based on simple things like telecom administrators failing to change default passwords on sensitive hardware entry points.
The hack, caused in part by our mindless deregulation and lax oversight of telecom monopolies, only saw a tiny fraction of the press and public attention reserved for our multi-year, mass hyperventilation about TikTok privacy and security. But on their way out the door, Biden FCC officials did try to implement some very basic cybersecurity safeguards, requiring that telecoms try to do a better job securing their networks and informing customers of breaches.
Enter the Trump FCC under Brendan Carr, which is now rescinding that entire effort because lobbyists at AT&T, Verizon, Comcast, and Charter told them to:
“The Federal Communications Commission will vote in November to repeal a ruling that requires telecom providers to secure their networks, acting on a request from the biggest lobby groups representing Internet providers.”
In a folksy Halloween blog post, Carr tries to pretend this somehow improves cybersecurity. According to Carr, ISPs pinky swore that everything is fine now, and he frames obvious regulatory capture as the agency being more “agile”:
“Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses. In doing so, we will also reverse an eleventh hour CALEA declaratory ruling reached by the prior FCC—a decision that both exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats. So, we’re correcting course.”
Let me be clear about something: the Biden rules were the absolute baseline for oversight of telecom, basically requiring that ISPs do the absolute bare minimum when it comes to securing their networks, while being transparent with the public about when there’s been a major hack. This stuff was the bare minimum, and the U.S. is too corrupt to even do that.
This is part of Carr’s effort to destroy whatever was left of flimsy U.S. corporate oversight of regional telecom monopolies so he can ensure he has a cushy post-government job at a telecom-funded think tank or lobbying org. To that end, he’s been taking a hatchet to the very shaky FCC oversight standards that already helped result in the worst hack in U.S. telecom history.
This is, you might recall, the same guy who spent the last few years constantly on television insisting that TikTok was the greatest cybersecurity threat facing the country, proclaiming he’d be using nonexistent authority to take aim at the company (which, as we found out later, was really about offloading TikTok to Trump’s buddies and protecting Facebook from competition it couldn’t out-innovate).
The Trump administration has also gutted government cybersecurity programs (including a board investigating the Salt Typhoon hack), dismantled the Cyber Safety Review Board (CSRB) (responsible for investigating significant cybersecurity incidents), and fired oodles of folks doing essential work at the Cybersecurity and Infrastructure Security Agency (CISA).
Carr is also derailing FCC plans to impose some baseline cybersecurity standards on “smart” home devices based on some completely fabricated, xenophobic claims about one of the planned vendors (again, because telecoms simply don’t want any oversight whatsoever).
It’s yet another example of how Trump policy is indistinguishable from a foreign attack. In many ways it’s worse, given that at least with Russia, Iran, and China, you’re spared the kind of phony piety and sanctimony coming from inside your own house.
Filed Under: brendan carr, broadband, china, fcc, hacking, iran, privacy, russia, salt typhoon, security, telecom