Cantwell claims telecoms blocked release of Salt Typhoon report 

More than a year after national security officials revealed that Chinese hackers had systematically infiltrated U.S. telecommunications networks, the top Senate Democrat on the committee overseeing the industry is calling for hearings with executives from the nation’s biggest telecom companies.

In a public letter released Tuesday, Sen. Maria Cantwell, D-Wash., called for the CEOs of Verizon and AT&T to appear before Congress and explain how the hacking group known as Salt Typhoon breached their networks, as well as what steps they’ve taken to prevent another intrusion.

“For months, I have sought specific documentation from AT&T and Verizon that would purportedly corroborate their claims that their networks are now secure from this attack,” Cantwell wrote to Sen. Ted Cruz, R-Texas, who is the Chair of the Senate Commerce, Science and Transportation Committee. “Unfortunately, both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk.”

Salt Typhoon’s intrusion into telecom networks exposed major security weaknesses and put sensitive communications and data belonging to U.S. politicians and policymakers at risk. The federal government has done little since to hold the industry publicly accountable.

Congress has neither  proposed or passed meaningful legislation to address the issue.  While a handful of federal departments and agencies began public regulatory and oversight reviews, most of those efforts have been shut down or rolled back.

An investigation by the Cyber Safety Review Board at the Department of Homeland Security into the intrusions was abruptly stopped when the Trump administration eliminated the advisory body. One former member remarked recently that the failure to finish the investigation ranked among her biggest career regrets.

Weeks before President Joe Biden left office, his Federal Communications Commission issued emergency regulations aimed at holding telecom companies legally responsible – under federal wiretapping laws – for securing their communications. The rules would have also required carriers to file annual certifications with the FCC confirming they have cyber risk management plans in place. That certification would include addressing common security gaps, like lack of multifactor authentication, that are widely believed to have been exploited by Salt Typhoon.

While outgoing Chair Jessica Rosenworcel told CyberScoop the rules were badly needed to hold telecoms accountable for their cybersecurity, Brendan Carr— an FCC commissioner and Rosenworcel’s successor as chair—rescinded those rules, arguing they were unnecessary because the FCC and telecoms could work together voluntarily on cybersecurity. Another commissioner, Anna Gomez, told CyberScoop she had seen no evidence her agency had been meeting with telecoms on the issue.

At a hearing in December, Cruz endorsed the FCC’s elimination of the rules, arguing that improving the nation’s telecom cybersecurity “doesn’t come from imposing outdated checklists and top down regulations, it arises from a strong partnership between the private sector and government, working together to detect and deter attacks in real time.”

Cantwell, citing reporting from CyberScoop and other sources, argued that  “telecommunications providers have taken few protective actions thus far due to the costs involved” and said the committee “must hear directly from the CEOs of AT&T and Verizon so Americans have clarity and confidence about the security of their communications.”

According to Cantwell, she has already requested documentation from AT&T CEO John Stankey and then-Verizon CEO Hans Vestberg on how they’ve responded to the breaches. Both confirmed that Mandiant, Google Cloud’s incident response and threat-intelligence division wrote a report, one that Cantwell said “would presumably document the vulnerabilities identified and detail what corrective actions” telecoms took to improve their privacy and security.

She claimed after requesting the report from Mandiant, AT&T and Verizon “apparently intervened to block Mandiant from cooperating with my requests.”

AT&T and Verizon representatives did not immediately respond to a request for comment.