
The Effects of Salt Typhoon on the United States and Beyond

COMMENTARY

A recent discovery has revealed that the hacker group known as Salt Typhoon, with links to China, has infiltrated significant US telecommunications networks. This breach raises alarms about the security of American communications, putting potentially sensitive information at risk of interception by Chinese intelligence agencies.

In light of these developments, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory on December 4, 2024. They urged both individuals and businesses to implement end-to-end encryption for their communications to safeguard sensitive information against potential threats from China. While the implementation of such technologies is a necessary step for enhancing security, organizations, particularly in highly regulated sectors, must proceed cautiously to avoid noncompliance with existing regulations. It is essential for these businesses to assess both their security risks and adherence to regulatory frameworks as they integrate new security measures.

Background: Salt Typhoon

The Salt Typhoon group has taken advantage of outdated systems in the telecommunications sector, which lack contemporary cybersecurity protocols and date back several decades. Essential security features like multifactor authentication are notably absent in these systems. This extensive breach potentially affects a broad spectrum of communication channels, including traditional voice calls and SMS. However, US intelligence has indicated that communications via encrypted platforms such as Apple’s iMessage, Meta’s WhatsApp, and Signal were safeguarded from this exposure.

The Salt Typhoon incident represents one of the most advanced cyberattacks on US infrastructure to date, with evidence suggesting that it involved all major telecommunications providers. As the most active cyber adversary against the United States, China continues to pose significant risks, emphasized by the systemic vulnerabilities highlighted in this attack.

Security vs. Compliance: Adopting End-to-End Encryption Technologies

Cybersecurity officials in the US have recommended that entities adopt end-to-end encrypted communication applications, wherein only the intended sender and recipients can view the content. This encryption mechanism secures the data through cryptographic keys, ensuring that intercepted communications are rendered unreadable without these keys, which protects against unauthorized access from hackers, service providers, and other third parties.

Despite the advantages of end-to-end encryption in enhancing security, many of these applications do not cater to the compliance standards required by specific highly regulated industries.

In the financial sector, regulations such as SEC Rule 17a-4(b)(4) mandate that all communications related to business activities must be preserved for a minimum of three years. Furthermore, the Sarbanes-Oxley Act’s Section 802 requires thorough documentation retention for audits, including relevant communications.

Similarly, in healthcare, HIPAA mandates that technical measures be instituted to prevent unauthorized access to electronic protected health information (ePHI). The law’s Section 164.312(e) requires such safeguards, while Section 164.350(j) requires covered entities to maintain records of communications containing ePHI for at least six years. Many encrypted applications may hinder these necessary monitoring and auditing capabilities, complicating compliance.

Recommendations

The Salt Typhoon breach illustrates that unprotected communications by personnel across various sectors could be at risk of infiltration by foreign intelligence. Striking a balance between rigorous security measures and compliance becomes crucial in this context. Organizations should focus on three primary considerations.

Firstly, organizations ought to implement end-to-end encryption for all internal and external communications. There are various applications tailored for this function, but companies in regulated industries must factor in retention and audit requirements to ensure compliance. It’s vital to choose solutions that uphold approved encryption standards and allow for necessary audit and data preservation capabilities.

Secondly, establishing clear policies and procedures around the use of encrypted communications is essential. Features such as individualized message expiration settings can impede compliance with data retention laws, and organizations should disable such functions wherever feasible. Implementing archiving solutions and providing regular training on communication security and compliance for employees is also critical.

Lastly, reinforcing basic cybersecurity practices is vital. Strategies such as adopting multifactor authentication, utilizing password management tools, encrypting data both in transit and in storage, and ensuring all hardware and software are up to date contribute significantly to improving an organization’s overall cybersecurity defenses.

Conclusion

The events surrounding Salt Typhoon highlight the critical need for organizations to swiftly update their security practices to counter emerging cyber threats. However, this transition must be managed in a way that addresses both security needs and regulatory responsibilities.

Source
www.darkreading.com
