On December 4, a bipartisan group of U.S. Senators gathered for a classified briefing to address the worst attack on telecommunications networks in American history. The hack, known as Salt Typhoon, allowed China to listen in on calls of elected officials like President-Elect Donald Trump and Senate Majority Leader Chuck Schumer, compromise our federal wiretap system, and access the call records and texts of almost any American.
The same day, U.S. Senators also wrote to the Pentagon’s watchdog about failures of the Department of Defense to secure its telecom communications and urged meaningful change to its current telecom contracts. At the same time, senior law enforcement officials told Americans to stick to encrypted apps, implicitly conceding that our phone networks are not safe for anyone.
The news is shocking but not surprising, as we’ve been watching this train crash in slow motion for some time now. Breaches of telecom providers have become commonplace. Last year, the U.S. Navy contracted my company, Cape, to deploy our network on Guam to combat Volt Typhoon, a Chinese hack of telecommunications infrastructure that was a clear precursor to Salt Typhoon.
So if we knew for years that China’s hackers saw our telecom networks as easy pickings, why wasn’t more done to stop them?
The answer is that telecoms have no incentive to change, as the big three (AT&T, Verizon, and T-Mobile) constitute a classic oligopoly that stifles competition and innovation. There is an enormous barrier to entry to the telecommunications market, because building a carrier from scratch is impossibly expensive. Purchasing enough spectrum from the government to cover the entire country requires scale that very few companies have achieved, and as new spectrum is made available, bidding on it only makes sense for those few companies who have already amassed enormous collections.
Major telecoms have essentially become holding companies for spectrum. They outsource infrastructure and software development to a small cartel of vendors who provide things like software to automate response to FISA warrants (one of the vulnerabilities exploited by Salt Typhoon). The resulting patchwork network provides adversaries with a huge attack surface, riddled with decrepit, poorly guarded entry points. I’ve personally seen egregious cybersecurity practices in telecom networks as we build Cape, such as vendors with deep access storing passwords in plaintext or running severely outdated, unpatched software.
The steady drumbeat of major telecom breaches leading up to and including Salt Typhoon has not dented the carriers’ bottom line, or their share price. The only solutions to this problem involve enormous effort by the telecoms, or making space for new entrants. As one Senator explained following Wednesday’s Salt Typhoon briefing, “It’s not like getting a new phone, it’s the structure that these cell phone systems have been built on.”
So is this problem unsolvable? Not at all. Salt Typhoon is a wake-up call that coincides with a rising awareness that we have the ability to fight back with one of our greatest assets: the American innovation ecosystem.
First, we need more competition. Legislators have called on the Department of Defense, one of the biggest wireless customers in the nation, to end or renegotiate multibillion-dollar contracts with the major carriers in order to spur adoption of better cyber defenses, as well as to pilot more secure communication technology. Policymakers can also encourage greater competition by protecting network access for Mobile Virtual Network Operators (MVNOs), which can lease physical infrastructure from the major carriers while focusing on the software that governs sensitive subscriber data and authentication.
Second, telecoms need to adopt modern cybersecurity practices–the kind that are already commonplace in cloud-native software companies, which benefit from scalable, timely, and automated updates. This means retiring legacy tech, instead of separately maintaining and protecting a hodgepodge of aging and vulnerable infrastructure. This will require an enormous overhaul of the large, legacy incumbents if they are to make progress.
Third, we need to rethink the central design ethos of telecoms, which thus far has centered on interoperability. Our phones trust the network, and networks trust each other. This is what allowed Salt Typhoon to spread and embed itself, by targeting weak legacy infrastructure, infiltrating core systems, and jumping to as many as 80 networks, making it incredibly difficult to dislodge. For decades, telecom cybersecurity has focused on ensuring people can’t exploit this architecture to make calls for free on the network, prioritizing profit over privacy. Carriers should instead adopt minimal trust frameworks by assuming that attackers are already in the network, and design with defense-in-depth from the start. That can include minimizing data collection and retention, so that there’s less for hackers to steal; rethinking authentication approaches; and designing technical solutions to stubborn legacy problems like exploitation of the signaling systems that connect networks.
Telecom networks are known as “cyber high ground” for sophisticated attackers–they’re strategically important because they yield privileged visibility of nearly everyone, as Salt Typhoon has shown. At the same time, this critical infrastructure has been poorly defended, thanks to a stifling lack of competition. It’s time to modernize this aging, critical sector by promoting competition and opening the door to software-first innovation.