While much of the media obsessed about the future of a social media app, TikTok, inadequate attention was being given to the fact the the US Government is doing a poor job protecting the country’s critical infrastructure, such as its telecom companies, from Chinese spying. Outgoing FBI Director Wray decried the lack of public attention Chinese hacks have received and added, “…Chinese pre-positioning on American civilian infrastructure (is to)… be in a position to wreak havoc” whenever they choose. The pre-positioning is of destructive malware, capable of shutting down power grids.
The nine largest US telecoms companies were successfully penetrated by Chinese intelligence, which then collected enormous amounts of data, including telephone calls, texts, documents, and the identities of who was being wiretapped by the FBI (and who was not). Worse yet, the Chinese were in position to shut down the US communications networks. The telcoms companies did not notice the Chinese presence and this obliviousness went on for months.
For decades cybersecurity advocates demanded that the government force the telecoms companies to be more secure, but the industry resisted and lobbied the Federal Communications Commission (FCC) and Congress to prevent required security standards and outside audits. Incredibly, despite the mass penetration by Chinese intelligence, the telecom companies are still resisting regulation and their friends are still being complicit.
Regulation is not inherently evil. The Federal government regulates cyber security in the banking industry and has somewhat weaker cyber regulation in health care. It was not until after the Colonial pipeline was hacked that Homeland Security used its long existing authority to require cyber security standards in that sector. Yet, telcoms, which are as much a critical infrastructure as any, have avoided serious security standards, regulation, and third party audit after their penetration was revealed.
In the last week of the Biden Administration, the FCC finally promulgated a modest security regulation, but the Republican members of the Commission voted against it. They are likely to undo the new requirements when the the Republicans achieve a majority of the five member board in the coming weeks.
Congress could, however, legislate a mandate for cybersecurity in the US telecoms industry. There was bi-partisan Congressional support for acting against TikTok because of its potential to collect for the Chinese government data from our phones. The TikTok law passed with almost three quarters of both houses voting for it, but there is reluctance to act to prevent the much more massive intelligence collection that is going on in out telecoms networks.
Because Congress is highly unlikely to act to protect our critical infrastructure telecoms networks anytime soon, the Trump Administration should take action to send Beijing a message in the wake of their egregious attack on US telecoms. There are four steps immediately available.
First, Trump should order retaliatory hacking of Chinese critical infrastructure networks. Outgoing Biden Administration officials have hinted that in the last months of their term they recently allowed US cyber units to do something along these lines, but it was likely far smaller than the systematic Chinese pre-positioning of destructive payloads on US networks. The retaliation should be obvious to people in China.
Second, the new President should provide the Congress and the public with an unclassified damage assessment. The Cyber Review Board, which the Department of Homeland Security created to investigate major hacks the way the National Transportation Safety Board (NTSB) probes air crashes, was investigating the Chinese hack until the Board was disbanded by the new President. Trump should reverse that action, demand that the investigation be completed and should then disclose how certain we can be both that Chinese intelligence is no longer on the telcom networks and that they can not get back in.
Third, because the telcom companies sold their services to the US Government and likely said they were secure, the Attorney General should consider prosecuting them under the False Claims Act. (The outgoing Deputy Attorney General said she would address cybersecurity by using this law, but did not.) Telcoms companies could then be forced to take security seriously by Consent Decrees arising out of the Justice Department action.
Fourth, the new President who clearly likes issuing Executive Orders, should issue one invoking his existing legal authority (FCC Act Sec 706) to promulgate emergency rules on telecoms security when the nation is threatened with foreign military action or a state of public peril or disaster or other national emergency exists. The placement of destructive payloads inside our critical infrastructure by the Chinese military is a clear threat of the use of force by a foreign military.
Or we could continue just to obsess about the risks of TikTok, while Chinese intelligence laces our infrastructure with software listening devices and pre-positioned destructive payloads.
Richard Clarke served for thirty years in national security roles in the US government, including ten years in the White House under three presidents. He is the CEO of Good Harbor Security Risk Management. (richardaclarke.net)
