Wrapping Your Mind Around a Salt Typhoon

Feb 25, 2025 4:30:00 AM / by Ben Schmerler

Around August 2024, the media began reporting on a troubling hack. The Chinese-backed hacking group Salt Typhoon had gained persistence in two major Internet Service Provider (ISP) networks in the United States. Later reporting indicated that the group had also gained access to at least eight telecommunications firms, and that the extent of the breach went beyond the United States.

You don’t have to be a particularly savvy cybersecurity expert to be troubled by this news. It sounds alarming. You mean the same networks that I use to send my Grandma a Christmas cat video are being spied on by shadowy overseas hackers? As of the time of this writing, it seems as if these hackers still have access to these networks.

What allowed this to happen and how major telecommunications companies should respond is a major issue, and a bit out of the scope of what I want to talk about in this blog. The reality is that you are reading this right now on the public Internet. It’s probably not even close to the only thing you will interact with today. We’re all here. We’re not going anywhere. We aren’t going to stop using the Internet because we are worried about someone spying on us. We rely on it too much to just stop using it out of fear.

Today, I’m going to talk about a few takeaways from this. My goal here is to empower you to make good decisions in a world of technology that is full of unknowns.


Vulnerabilities ALWAYS exist

Did you recently have a penetration test? Did they find vulnerabilities and if so, did you address them? Seems good, right? You cleaned up the problems.

Well, things are better than they were before your test. A bunch of issues were found and now it’s harder for an unethical hacker to steal your information or attack your systems. But a false sense of security, even after an effective test, is a bad thing. I don’t want anyone to be constantly on edge, because that’s not helpful, but taking things for granted when it comes to “feeling” secure can lead to some bad outcomes.

We perform many assessments every year, and many of those assessments are looking at the same target for perhaps the 2nd or 3rd time. Assessments never really stop. Do you think Verizon or AT&T didn’t do penetration tests? I don’t know what they have done exactly, but I’m sure they have done these kinds of assessments, likely both with internal teams and third-party service providers (like ISE). But when a state-sponsored actor decides to invest the time, effort, and resources into cracking into something, they will find the vulnerabilities eventually. It’s just a matter of time. Resourceful actors can do it. And these actors can often invest more time in attacks than you can in assessment. Think of it this way: you have a best-in-class custom security system at your home to prevent being robbed, and then one day a SWAT team shows up to break in. Suddenly your security profile doesn’t seem so great.

We also learn things over time. Something that is generally seen as secure now may very well be insecure tomorrow as new vulnerabilities are discovered while techniques are developed that change the way we look at hacking. In science and medicine, our knowledge is constantly evolving, which informs how we approach assessment and our decision-making process.

The goal of penetration tests and security controls is to try to have a good security posture so that we can withstand plausible attacks that we have the resources to blunt. But you can’t stop everything, which means in addition to assessment and vulnerability management, we also need to be prepared to respond to security incidents.

It’s about having an overall security discipline, much like LeBron James has a basketball discipline of staying in shape, practicing, and evolving. He spends millions of his own money on training and health regimens that are highly specialized and intense. He adds new skills to his game, even after all of this time, which lets him approach every situation in a unique way. He uses his experience to outthink his adversaries, making professional basketball players look silly as he tricks them into making one wrong move. That’s how he managed to stay successful for 20+ years in the NBA.

Be the LeBron of security. He’s not perfect, but if someone told you that your organization was the LeBron James of security, you would probably feel pretty good about that.


Threats are surrounding us everywhere, all the time…and that’s OK

There’s a case to be made that, depending on who you are, this hack is meaningless. Maybe that attitude is surprising to you. The instinctual reaction to news like this is to think that nothing is safe if bad people are on the same network you are using. But is that true?

When you step back and consider what’s happening, you must think about things like scale as well as overall best practices. First, if we were in a crowded party, and everyone was having their little group conversations, what would we be doing? We certainly wouldn’t be talking about sensitive information, like revealing our passwords, or talking about secret projects, or violating terms of NDAs we signed. It’s a public place, so we know blabbing openly about these sensitive subjects is a bad idea.

The Internet is like one big global party in a sense, and the way we compensate for this reality is by obscuring secrets, particularly by using encryption. If a member of Salt Typhoon is on the network we are using to communicate, but the traffic on that network is unreadable because the encryption key is something they don’t have, then it doesn’t really make a difference that they are spying on you. It’s like reading mud.

Long before the Salt Typhoon hack occurred, we had established practices and controls to deal with the reality of secrets being shared over the public Internet. People and organizations with mature attitudes about cybersecurity established policies to ensure that information is communicated in the proper way, including the use of encryption and other tools to provide a standard of privacy. To look at it another way, if you were not using these controls before to help ensure privacy over the public Internet with sensitive information, you were already exposing yourself.

So, while it’s not ideal that these networks could be hacked, the actions for most people haven’t changed much. The bad actors always existed on the public Internet. One thing I have advised my clients on for years is that if you aren’t sending something through a private, encrypted channel, don’t even consider it a secret. Just assume it’s out there.
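To make the “reading mud” point concrete, here is an added example (not code from the post or from ISE) of the untrusted-network model the section describes: the two endpoints share a key, and an on-path observer, wherever in the carrier network they sit, only ever handles the `Wire` struct. It uses AES-256-GCM from Go’s standard library; the key, the message, and the `ObserverCanRead` check are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Wire is all an on-path observer (say, inside a compromised carrier network) can capture.
type Wire struct {
	Nonce      []byte // public per-message value
	Ciphertext []byte // AES-GCM output: ciphertext followed by a 16-byte auth tag
}

// NewChannel turns a key shared only by the two endpoints into an AES-GCM channel.
func NewChannel(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender's side: encrypt msg with a fresh random nonce.
func Seal(ch cipher.AEAD, msg []byte) (Wire, error) {
	nonce := make([]byte, ch.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Wire{}, err
	}
	return Wire{Nonce: nonce, Ciphertext: ch.Seal(nil, nonce, msg, nil)}, nil
}

// Open is the receiver's side: it fails for a wrong key or any altered byte.
func Open(ch cipher.AEAD, w Wire) ([]byte, error) {
	return ch.Open(nil, w.Nonce, w.Ciphertext, nil)
}

// ObserverCanRead is the spy's view: does the captured traffic contain the secret?
func ObserverCanRead(w Wire, secret []byte) bool {
	return bytes.Contains(w.Ciphertext, secret)
}

func main() {
	key := make([]byte, 32) // constructed demo key; real systems derive it via key exchange
	rand.Read(key)
	ch, _ := NewChannel(key)
	w, _ := Seal(ch, []byte("password: hunter2"))
	fmt.Println("spy can read the secret:", ObserverCanRead(w, []byte("hunter2")))
}
```

Because GCM authenticates as well as encrypts, `Open` also rejects traffic the observer has altered, so the channel protects against tampering, not just eavesdropping.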


You don’t know what you don’t know

When did Salt Typhoon actually get into these networks? To what extent did they achieve persistence? How much of a presence do they still have? What information did they get access to? What exactly were the goals in the first place? Unfortunately, there is just not definitive, clear information on these and many other questions.

That’s a lot of uncertainty to deal with. Imagine not knowing if your house was infested with termites, or if you have a leaky pipe under your floor, or if someone is sitting in their car across the street spying on your house with binoculars. Well guess what? You don’t know if any of those things are happening now, and if enough people read this blog, chances are one of you is experiencing one of these problems and you don’t know it yet.

This should humble you. You should never be too confident about security. You should always question whether you are doing the right thing. Just because something worked before doesn’t mean it will work in the future. Just because it seems like you aren’t being attacked doesn’t necessarily mean someone hasn’t already exploited a vulnerability and is waiting for the right time to take advantage of your assets. Always review your plans and don’t be afraid to make a change.


The Salt Typhoon telecom hack is very interesting from a historic and technical perspective. This is something we haven’t seen up until now and it brings many challenges to consider for anyone who is responsible for protecting the valuable assets of a household or business. But for most people, it doesn’t change the calculations that go into an approach to managing cybersecurity risks. The ways in which your data could be exposed from Salt Typhoon already existed before this attack was known about.

Moving forward, we need to remind ourselves that to protect ourselves from bad threat actors, we should adopt an adversarial mindset that assumes we are being attacked, our tools are imperfect, and that uncertainty is inherent to the process. A disciplined approach that keeps these principles in mind will lead to better outcomes, and that’s why we do all this security stuff in the first place!

Thanks for taking the time to read this. If you would like to learn more about how ISE helps our customers manage the challenges of evolving cybersecurity threats, don’t hesitate to reach out. I’d love to talk with you more about it!
