Is Salt Typhoon a material threat to telecom?

A China-backed hacking group dubbed Salt Typhoon is reportedly deep inside the networks of some US telecom operators. But how bad is it?

Mike Dano / Light Reading

December 12, 2024


In financial parlance, a "material" event is something that can have a substantial impact on a company's financial performance, stock price or overall business operations.

The word is often deployed in esoteric SEC filings to outline the various threats facing a public company: "The following important factors ... could affect future results and cause those results to differ materially from those expressed in the forward-looking statements," warns T-Mobile before outlining dozens of potential challenges ranging from "changes in the credit market conditions" to "sociopolitical volatility and polarization."

T-Mobile, along with other telecom companies including Verizon, AT&T and Comcast, lists cyber attacks among those threats.

"A cyber attack, information or security breach, or technology disruption or failure may negatively impact our ability to conduct our business or result in the misuse of confidential information, all of which could adversely affect our business, reputation and results of operations," Comcast warns.

So does the new Salt Typhoon hack rise to that "material" level of concern?

Chinese incursion

News first broke in October that Salt Typhoon – a group of Chinese hackers – was reportedly deep inside the networks of AT&T, Verizon and Lumen Technologies, among others. The hackers reportedly got real-time, unencrypted access to calls and text messages, as well as metadata about who the communications were sent to and from. It's not clear if the hackers still have that access.

Now, federal regulators are starting to sound the alarm.

"If feasible, limit exposure of management traffic to the Internet. Only allow management via a limited and enforced network path, ideally only directly from dedicated administrative workstations," was one of dozens of recommendations the Cybersecurity and Infrastructure Security Agency (CISA) issued to US telecom network engineers this week. 

The agency also specifically issued warnings about Cisco equipment.

Separately, the FCC's outgoing chairwoman this week proposed that telecom operators should "submit an annual certification to the FCC attesting that they have created, updated and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks."

Good luck with that

"Such directives will almost do nothing," wrote analyst Chetan Sharma on social media, in response to the FCC's new "certification" proposal.

To read the complete article, visit Light Reading.
