U.S. Senator Maria Cantwell, the Ranking Member of the Senate Committee on Commerce, Science and Transportation, questioned telecommunications and cybersecurity experts about ongoing weaknesses in U.S. communications networks following the Salt Typhoon cyberattack. The attack exposed significant vulnerabilities and allowed Chinese hackers to access sensitive information from at least nine major telecom companies, including AT&T and Verizon.
Senator Cantwell stated, "The Chinese government's espionage operation deeply penetrated networks of at least nine U.S. telecom companies, including AT&T and Verizon. They exploited the wiretapping system that our law enforcement agencies rely on under the Communications Assistance for Law Enforcement Act -- known as CALEA. These systems became an open door for Chinese intelligence. Salt Typhoon allowed the Chinese operation to track millions of Americans’ locations in real time, record phone calls at will and read our text messages."
She continued by questioning how such a breach could occur: "So how did this happen? Senior national security officials said the breach occurred in large part because telecommunications companies failed to implement rudimentary – rudimentary! -- cybersecurity measures. Investigators found legacy equipment not updated in years, router vulnerabilities with patches available for seven years -- seven years! -- that were never applied, and hackers acquiring credentials through weak passwords."
Deb Jordan, former Chief of the Public Safety and Homeland Security Bureau at the Federal Communications Commission (FCC), supported Senator Cantwell’s concerns regarding inadequate cybersecurity measures among telecom providers. Jordan remarked, "You know, I would never let my iPhone go seven years without a patch update, right? Ordering a pizza sometimes requires two factor authentication. Why are our providers not implementing those basic hygiene [practices]? They should be held accountable, and they should be doing a structured plan, and they're being held to a verification regime that would give you the information that you asked for and didn't receive."
Last month, Senator Cantwell opposed an FCC vote led by Chairman Brendan Carr that rolled back rules introduced after the Salt Typhoon hack intended to strengthen protections for U.S. data networks against future attacks. According to Cantwell’s office, rescinding these rules limits the FCC’s ability to hold carriers responsible for securing critical communications infrastructure.
In June, Senator Cantwell requested documentation from AT&T and Verizon CEOs proving that they had addressed network vulnerabilities identified during investigations into Salt Typhoon; neither company has provided evidence of remediation efforts so far.
Experts maintain that some vulnerabilities remain unresolved within telecommunications networks. The FCC has acknowledged in its recent ruling that these security gaps "are still being exploited."
A video of Senator Cantwell’s full opening remarks and Q&A is available here and a transcript can be accessed here.
