The Salt Typhoon hack into U.S. telecommunications networks has sparked a new push to secure mobile communications from cyber threats.
The Chinese government espionage campaign, uncovered last year, targeted the calls and text records of several hundred government and political figures. The hackers also swept up the metadata – such as data, time stamps and phone numbers – of more than one million users, according to public reporting.
It’s been called the “worst telecom hack in our nation’s history” by Senate Intelligence Committee Ranking Member Mark Warner (D-Va.).
In response to the hack, the Cybersecurity and Infrastructure Security Agency released new “mobile communications best practice guidance” in December. CISA’s recommendations include using only end-to-end encryption and enabling phishing-resistant authentication, along with several other tips.
The CISA guidance comes as U.S. officials have acknowledged that the People’s Republic of China hackers have proved difficult to evict from American telecom networks.
David Wiseman, vice president of secure communications at BlackBerry, argues that for the foreseeable future, agencies and the public should assume that U.S. telecom networks are compromised.
“You still need to use those networks as a transport and connection mechanism, but you need to protect your actual communications so they’re not compromised as they flow through those networks,” Wiseman said on Federal News Network
CISA’s call to use end-to-end encrypted messaging applications is “the most straightforward” recommendation, Wiseman said, though it means individuals and enterprises may need to navigate using disparate applications.
“I think one of the areas that is going to be important over the next year or so is, how do you enable interconnectivity between encrypted applications,” Wiseman said.
CISA’s guidance also homes in on “identity” security practices. It urges individuals to shift away from using text message-based multifactor authentication, which can be spoofed. Instead, CISA says people should adopt phishing-resistant multifactor authentication.
“The identity topic is a lot more difficult, and for two reasons: one, a lot of times, if you talk about things like multifactor authentication for an actual government employee, an actual citizen, they don’t necessarily have control over how the system they’re using is doing that, and different techniques,” Wiseman said. “It kind of builds a confusion, and so it’s easy to make mistakes. Some of the things they talk about around hardware keys and things like that, not everyone’s up to understanding how to use that.”
CISA’s guidance also calls for setting telecommunications PINs, regularly updating mobile software and using the latest hardware versions offered by device manufacturers.
Wiseman said agencies that want to enact those recommendations can use enterprise device management tools. But it can be more difficult to enforce those types of policies if an agency has a bring your own device (BYOD) policy.
“We have to find a new balance there,” Wiseman said.
Wiseman said many federal IT leaders he’s spoken to are using the CISA guidance as a baseline for mobile security.
“They see this first step – it’s something we need to do immediately to mitigate a clear and present danger,” Wiseman said. “But at the same time, they’re saying, ‘Hey, over the next year or so, I need to have that capability, but I still need to do a better job on protecting identities, knowing who’s on the network. I need to be able to still make sure I own and control my data so I can be compliant with different regulations.’”
© 2025 Federal News Network. All rights reserved.