Last chance! Support our fundraiser today and 
Trump Cybersecurity Policy Is Indistinguishable From A Foreign Attack
from the the-call-is-coming-from-inside-the-house dept
Last year almost a dozen major U.S. ISPs were the victim of a massive, historic intrusion by Chinese hackers who managed to spy on public U.S. officials for more than a year. The “Salt Typhoon” hack was so severe, the intruders spent much of the last year rooting around the ISP networks even after discovery.
AT&T and Verizon, two of the compromised companies, apparently didn’t think it was worth informing subscribers any of this happened. Many of the attack vectors were based on simple things like telecom administrators failing to change default passwords on sensitive hardware entry points.
The hack, caused in part by our mindless deregulation and lax oversight of telecom monopolies, only saw a tiny fraction of the press and public attention reserved for our multi-year, mass hyperventilation about TikTok privacy and security. But on their way out the door, Biden FCC officials did try to implement some very basic cybersecurity safeguards, requiring that telecoms try to do a better job securing their networks and informing customers of breaches.
Enter the Trump FCC under Brendan Carr, which is now rescinding that entire effort because lobbyists at AT&T, Verizon, Comcast, and Charter told them to:
“The Federal Communications Commission will vote in November to repeal a ruling that requires telecom providers to secure their networks, acting on a request from the biggest lobby groups representing Internet providers.”
In a folksy Halloween blog post, Carr tries to pretend this somehow improves cybersecurity. According to Carr, ISPs pinky swore that everything is fine now, and frames obvious regulatory capture as the agency being more “agile”:
“Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses. In doing so, we will also reverse an eleventh hour CALEA declaratory ruling reached by the prior FCC—a decision that both exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats. So, we’re correcting course.”
Let me be clear about something: the Biden rules were the absolute baseline for oversight of telecom, basically requiring that ISPs do the absolute bare minimum when it comes to securing their networks, while being transparent with the public about when there’s been a major hack. This stuff was the bare minimum, and the U.S. is too corrupt to even do that.
This is part of Carr’s effort to destroy whatever was left of flimsy U.S. corporate oversight of regional telecom monopolies so he can ensure he has a cushy post-government job at a telecom-funded think tank or lobbying org. To that end, he’s been taking a hatchet to the very shaky FCC oversight standards that already helped result in the worst hack in U.S. telecom history.
This is, you might recall, the same guy who spent the last few years constantly on television insisting that TikTok was the greatest cybersecurity threat facing the country, proclaiming he’d be using nonexistent authority to take aim at the company (which, as we found out later, was really about offloading TikTok to Trump’s buddies and protecting Facebook from competition it couldn’t out-innovate).
The Trump administration has also gutted government cybersecurity programs (including a board investigating the Salt Typhoon hack), dismantled the Cyber Safety Review Board (CSRB) (responsible for investigating significant cybersecurity incidents), and fired oodles of folks doing essential work at the Cybersecurity and Infrastructure Security Agency (CISA).
Carr is also derailing FCC plans to impose some baseline cybersecurity standards on “smart” home devices based on some completely fabricated, xenophobic claims about one of the planned vendors (again, because telecoms simply don’t want any oversight whatsoever).
It’s yet another example of how Trump policy is indistinguishable from a foreign attack. In many ways it’s worse, given that at least with Russia, Iran, and China, you’re spared the kind of phony piety and sanctimony coming from inside your own house.
Filed Under: brendan carr, broadband, china, fcc, hacking, iran, privacy, russia, salt typhoon, security, telecom
Comments on “Trump Cybersecurity Policy Is Indistinguishable From A Foreign Attack”
On the bright side...
There’s no possible way that anyone involved in this administration will have any dirt on them in their calls or text messages that a hacker from China, Russia, or other foreign adversary could use to blackmail them.
That’s what you get from a foreign asset.
What is foreign attack:
* It has been subtle.
* It gets ignored for years.
* The consequences are difficult to determine.
* There is someone to blame.
* Few things will be fixed.
* Nobody is proud of it.
* Companies stay silent.
Otherwise, it’s just another new cybersecurity policy.
Trump’s entire administration is indistinguishable from a foreign attack. I assume Putin has had a priapism since January.
Now, if we can only convince Trump to start working with them to make them great again, that should finish them off nicely.
“We have met the enemy, and he is us.” – Walt Kelly
trump rolls out the red carpet not just for putin
trump will be the walmart greeter at the door for any malicious state actor who wants to worm their way through America’s cyberinfrastructure.
It’s a race. Will trump turn America into a 3rd-world nation or will we become a nation of preppers beforehand?
“Carr is also derailing FCC plans to impose some baseline cybersecurity standards on “smart” home devices […]”
It’s possibly this is the worst part of this debacle, because it involves control of a large number of physical devices distributed across the country.
Moreover, it involves devices that were already compromised when they left the factory: I’ve studied the IOT for years and I can’t think of a single one that isn’t a security and privacy nightmare. And as we continue to discover, many of these devices have undocumented backdoors tied to some cloud operation somewhere, and those operations are clearly fraying around the edges – note the recent outages and breaches at Amazon, Microsoft, Oracle, etc.
So here’s where we find ourselves: shutting down the Salt Typhoon investigation guarantees that the breach will continue and will expand, and that there will be more of the same. Shutting down the CSRB takes out one of the groups that could be called on in the event of a major attack. Gutting the CISA removes expertise that would also be needed during an attack. And meanwhile, every day, more highly vulnerable IOT devices are being deployed, some of which are connected to dangerous things, some of which are dangerous things.
The level of effort and budget required for an adversary to inflict serious damage on the US is dropping every day. And there is no plan, no organization, nothing, to deal with a mass casualty event distributed across the country. All we’ve got is “deny the possibility” and “hope for the best”.
Re:
What’s the old saying? “The ‘S’ in ‘IoT’ stands for security”?
When the result is the same either way, 'motive' takes a back-seat
I suspect that the reason the regime is so dedicated to ensuring that US systems are as unsecured as possible is so that they can exploit them for money and/or power, but the fact that the actions would be no different were they being directed to act like this by a hostile foreign power renders that rather moot.
Whether they’re doing it for their own goals or at the behest of a foreign adversary the end result is the same, the US is weakened and significantly more open to being attacked and undermined by malicious actors.