China Backdoored U.S. Telecom Backdoors

In the wake of reports that Chinese state-backed attackers backdoored the legally mandated backdoors in U.S. telecommunications systems, Sen. Ron Wyden has sent a letter to the chair of the FCC and the attorney general imploring them to “finally act to secure U.S. telephone and broadband companies’ wiretapping systems from hackers.”

The letter from Wyden–who is one of the few members of Congress with true cybersecurity knowledge and understanding of the threat landscape–takes both the Department of Justice and the FCC to task for not requiring telecom companies and broadband providers to enact specific defensive security measures to lock down the wiretapping systems on their networks. Those surveillance systems are required under the Communications Assistance for Law Enforcement Act (CALEA), which was initially designed for phone networks but was later extended to broadband providers in 2006. At the time, cybersecurity experts warned lawmakers that the wiretap systems would be an attractive target for attackers, which of course has turned out to be the case.

In the years since CALEA was extended, the FCC has not updated the regulations for covered providers and Wyden urged the agency to remedy that quickly.

“At a minimum, these updated regulations should establish baseline cybersecurity standards for telecommunications carriers, enforced by steep fines; require independent, annual third-party cybersecurity audits; require board-level cybersecurity expertise; and require senior executives annually sign certifications of compliance with the cybersecurity standards,” the letter says.

Wyden’s letter was prompted by media reports that state-sponsored attackers from China known as Salt Typhoon have had long-term, undetected access to wiretap systems. It’s not known how long the group had access or what information it was able to glean during that time, but experts say this intrusion should come as no surprise. 

“In 2024, with growing numbers of sophisticated state-sponsored hacking groups operating, it’s almost inevitable that these types of damaging breaches occur. The system of special law enforcement access that was set up for the ‘good guys’ isn’t making us safer; it’s a dangerous security flaw,” Cindy Cohn of the EFF said.

As far as the DoJ is concerned, Wyden said the agency should hold companies accountable for sub-standard cybersecurity programs and prioritize that over trying to prosecute state-backed attackers who are probably not going to show up for their court dates in the U.S. He also urged Attorney General Merrick Garland to give up on the idea of backdoors in commercial products.

“Second, DOJ must stop pushing for policies that harm Americans’ privacy and security by championing surveillance backdoors in other communications technologies, like encrypted messaging apps. There is, and has long been, broad consensus among cybersecurity experts that wiretapping capabilities undermine the security of communications technology and create an irresistible target for hackers and spies. Even so, law enforcement officials, including your predecessor, as well as the current and former FBI Directors, have denied this reality, spread disinformation about non-existent secure backdoors, and sought to pressure companies to weaken the security of their products,” the letter says.

Wyden (D-Ore.) has been pushing for stronger cybersecurity policies and legislation for many years and has been a consistent opponent of law enforcement backdoors or key escrow systems in any form.