CISA Issues Mobile Cybersecurity Guidance in Response to China's Hacks of Telecom
Saying China-affiliated parties have compromised telecom networks, stolen customer call record data and accessed private communications of senior U.S. officials, the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday issued mobile communications best practices guidance that it said mirrors advice it's giving federal agencies and Congress. "There is no single solution," but the guidance's content will enhance security, Jeff Greene, executive assistant director-cybersecurity, DHS' CISA, told press members.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
"Highly targeted individuals should assume" their mobile communications and internet services are at risk of interception or manipulation, CISA said. Accordingly, its top recommendation is using end-to-end encrypted communications only, such as Signal or other messaging apps that guarantee end-to-end encryption. The agency also urged use of fast identity online (FIDO) phishing-resistant authentication, such as Google Titan or Yubico hardware-based FIDO security keys, and a password manager, like the Apple Passwords app, Google Password Manager or LastPass. The guidance also contains iPhone-specific and Android-specific recommendations.
Make sure your smartphone is using the latest operating system, Greene said. Android and iOS can communicate via encryption, but only if they are running a more-recent OS, he added.
Avoid SMS-based multifactor authentication, CISA said. SMS texts aren't encrypted, and SMS MFA isn't phishing resistant.
While the guidance repeatedly references threats to "highly targeted individuals," CISA also is addressing everyone else. "Act now: Apply recommendations to protect your info from interception or manipulation," it posted on X. Greene told reporters, "We urge everyone, but in particular those highly targeted individuals, to review our guidance." He declined offering specifics about the number of senior officials targeted by the China-affiliated Salt Typhoon hacking group.
Asked whether Salt Typhoon remains an ongoing campaign, Greene said it's part of Chinese activity "that we need to prepare for and defend against for the long term."
CISA's recommendations follow guidance it and sister agencies in Canada, Australia and New Zealand issued earlier this month for hardening communications network infrastructure.
The Salt Typhoon attacks show the need for systemic change in how telecommunications providers approach cybersecurity, AI compliance consultant Pamela Isom blogged Wednesday at the American Security Project. She said the telecom industry and government must collaborate on a proactive approach that prioritizes threat intelligence, which will improve defenses before incidents occur. That would require proactive sharing of threat intelligence, she wrote. In addition, there must be encouragement of a two-way exchange between agencies and industry on actionable intelligence about emerging threats. For example, policymakers could create programs that incentivize such collaboration and real-time threat sharing. Telecom providers also should modernize aging infrastructure for better implementation of advanced security.
Cybersecurity consultant Daniel DeCloss wrote Wednesday that the FCC's draft declaratory ruling that telecom carriers secure their networks against cyberattack and a pending NPRM that would require providers annually certify that they have created and implemented a cybersecurity risk management plan (see 2412050044) are disappointing responses to Salt Typhoon. "The last thing these carriers need is another security compliance and management framework," he said, adding, a more useful approach would involve continuous reporting on known threat actors' efficacy.