Experts Agree U.S. Communications Networks Remain Vulnerable Following Salt Typhoon Hack

December 2, 2025

Cantwell Criticizes Telecom Companies for Lax Security and FCC Chairman Carr for Letting Telecoms Off the Hook 

WASHINGTON, D.C. – U.S. Senator Maria Cantwell (D-Wash.), Ranking Member of the Committee on Commerce, Science and Transportation, questioned a panel of telecommunications and cybersecurity experts on the continuing weaknesses and vulnerabilities in our communications networks exposed by the Salt Typhoon attack and the ongoing threats to Americans’ sensitive information and national security. To date, telecom companies infiltrated in the attack have failed to prove the Chinese hackers have been eradicated from their networks.

“The Chinese government's espionage operation deeply penetrated networks of at least nine U.S. telecom companies, including AT&T and Verizon,” said Sen. Cantwell. “They exploited the wiretapping system that our law enforcement agencies rely on under the Communications Assistance for Law Enforcement Act -- known as CALEA. These systems became an open door for Chinese intelligence. Salt Typhoon allowed the Chinese operation to track millions of Americans’ locations in real time, record phone calls at will and read our text messages.”

“So how did this happen?” she continued. “Senior national security officials said the breach occurred in large part because telecommunications companies failed to implement rudimentary – rudimentary! -- cybersecurity measures. Investigators found legacy equipment not updated in years, router vulnerabilities with patches available for seven years -- seven years! -- that were never applied, and hackers acquiring credentials through weak passwords.”

Deb Jordan, former Chief of the Public Safety and Homeland Security Bureau at the Federal Communications Commission, echoed Sen. Cantwell’s concerns that telecommunications companies have failed to employ even basic cybersecurity protections, even as threats become more sophisticated.

“You know, I would never let my iPhone go seven years without a patch update, right?” responded Ms. Jordan. “Ordering a pizza sometimes requires two-factor authentication. Why are our providers not implementing those basic hygiene [practices]? They should be held accountable, and they should be doing a structured plan, and they're being held to a verification regime that would give you the information that you asked for and didn't receive.”

Last month, Sen. Cantwell strongly objected to a November 20th FCC vote, led by Chairman Brendan Carr, to roll back rules put in place after the Salt Typhoon hack to better protect U.S. data networks from future attacks. Rescinding the rule undermines the FCC’s ability to hold carriers accountable for protecting critical communications infrastructure, and the FCC is now relying on “collaboration” with carriers who failed to detect the hacks and who have not provided any evidence that they have removed the intruders from their networks.

In June, Sen. Cantwell wrote to the CEOs of AT&T and Verizon demanding documentation proving remediation of ongoing vulnerabilities in their networks, but both companies have failed to provide any information. Experts agree that the attack has not been fully remediated in telecommunications networks, and the FCC’s ruling concedes that vulnerabilities “are still being exploited.”

Video of Sen. Cantwell’s full opening remarks and Q&A is here and a full transcript of her remarks and Q&A is here.

###