Government officials and security professionals are only starting to understand the full scope of a wide-ranging cybersecurity breach conducted by Salt Typhoon, a hacking team based out of China. The Salt Typhoon operation is reported to have penetrated deep inside the cybersecurity protections maintained by a series of major telecommunications providers. Furthermore, it is likely that sensitive data pertaining to U.S. citizens and maintained by these companies was disclosed.
The Salt Typhoon breach raises several questions. The investigation, for example, is made more difficult by the hackers opting to attack multiple supply chain vectors, requiring multiple investigations to ascertain the full scale of the breach. The sensitive data maintained by telecommunications providers in the U.S. may also be entitled to its own protections under U.S. law, further complicating the investigation.
Yet perhaps most salient is the ability of hackers to so deeply infiltrate the cybersecurity systems maintained by U.S. companies, which highlights the necessity of strong encryption. Recent years have seen a raft of proposals to weaken encryption, including the UK’s Online Safety Bill (OSB), EU CSAM legislation, and the EARN-IT Act in the U.S. Luckily, lawmakers are now taking notice of the risks inherent in such proposals.
According to Politico, Sen. Ron Wyden (D-OR), a longtime supporter of strong encryption, said in response to the breach: “If the government wants to get court orders to listen in on Americans’ calls and read their texts, it has an obligation to keep its surveillance system secure against foreign hacks.” He continued: “These reports, if accurate, raise further questions about government assertions that it can be trusted with expanded surveillance authorities that include weakening of Americans’ encryption.”
SIIA agrees with Senator Wyden: policies that encourage, not weaken, strong encryption are foundational in a world where the cyber capabilities of bad actors are putting consumer data at risk. As the Salt Typhoon hack reminds us, it is naïve to expect that weakened encryption protections for U.S. citizens’ data will not be exploited by bad actors.