After China's Salt Typhoon, the reconstruction starts now

When a typhoon devastates a land, it takes a while to understand the scale of the destruction. Disaster relief kicks in, communications are rebuilt, and news flows out. Salt Typhoon is no different. The news is still fragmentary and incoherent, but each new revelation from official sources builds the picture. This wasn't a freak …

  1. Pascal Monett Silver badge

    Now that is what I call an indictment

    Impressive article, and I wholeheartedly support the message.

    There's only one problem I can see: telcos have been surfing on money for decades and, as long as the money keeps rolling in, they have no reason to change their habits. Containment? They've contained the media hoopla around the issue, problem solved.

    Also, food for thought: what says that China doesn't have interested parties on the Boards of the various telcos? China is notorious for putting its fingers in every pie it can find. I would actually be surprised if China had absolutely zero influence inside the communication companies of The West.

    1. UnknownUnknown

      Re: Now that is what I call an indictment

      It’s Misconduct in a Public (critical infrastructure) Office and shows up the complete bullshit and yes vast cost (when you are saying people did nothing because it costs, yet troughed $2bn Federal money for ripping out all of the Huawei and ZTE kit - which was cheaper and worked better).

      https://www.lightreading.com/security/here-s-how-the-us-government-plans-to-destroy-huawei-s-equipment

  2. SVD_NL Silver badge

    Verizon...

    So I checked the Verizon website, including "important announcements", briefly googled about security breaches, even directly querying salt typhoon, and you know what came up? Fuck all.

    They've effectively buried this issue, and they're perfectly happy to have it neatly tucked away under the rug. The government needs to step in big time, this is a national security issue and should be heavily regulated. Anything affecting the bottom line is not going to happen by itself.

    As a side note, in the Netherlands we are lucky. KPN (the largest mobile network operator and ISP) has created its own cybersecurity policy which is publicly available and is very comprehensive. It's very much possible to be both secure and profitable. I actually think in the long run it's impossible to remain a profitable telco if you're not secure. PR can save them in this case, but if the threat actors press the big red button and bring everything down, they're done for.

    1. Doctor Syntax Silver badge

      Re: Verizon...

      Anybody can create a cybersecurity policy and make it publicly available. There's a huge gap between that and something effective being done.

      1. SVD_NL Silver badge

        Re: Verizon...

        Correct, I should've specified they do actually adhere to it themselves, and confirm compliance using both internal and third-party audits.

        If I recall correctly, their internal policy is any new tool (both internal and customer/partner-facing) needs at least 70 or 80% compliance, and needs to reach 90+% compliance within a year. Any non-compliance needs to be mitigated as much as possible and frequently revisited. These are internal policies, I was told these by one of their senior engineers, and I could be mistaken on the exact percentages.

        1. Irongut Silver badge

          Re: Verizon...

          Oooo audits. No-one has ever faked an audit.

          1. Filippo Silver badge

            Re: Verizon...

            Sure, but the natural conclusion of that line of thinking is to give up and do nothing.

        2. Brad Ackerman
          Boffin

          Re: Verizon...

          Are those percentages weighted somehow? I care a lot more about one internet-exposed domain controller than I do about a thousand servers a month behind on a patch for a vulnerability that is unexploitable as configured, but the metrics dashboard may view things differently.

    2. simonlb Silver badge

      Re: Verizon...

      "The government needs to step in big time, this is a national security issue and should be heavily regulated."

      Unfortunately, proper regulation is anathema to late stage capitalism as it stifles innovation and makes it harder to milk those juicy profits for our shareholders and pay the execs big bonuses irrespective of how badly the company is being run.

      1. CowHorseFrog Silver badge

        Re: Verizon...

        The government needs to make the word responsibility actually have a meaning in terms of executive responsibility. Criminal responsibility needs to become implied when executive decisions cause death, damage and so on; those executives need to be personally responsible just like any member of the public. Hiding behind the company for responsibility should no longer be a legal possibility.

    3. -tim

      Re: Verizon...

      It looks like the KPN policy authors drank the Kool-Aid too. They require everything to be connected to the security apparatus. That level of trust and security back end network is how these telcos are getting cracked wide open. Everyone in the company seems to trust the CISO's network.

      How about core router controls being air gapped? Too bad most routers leak things between the traffic they are switching and the control plane. All the major vendors are now pushing a cloud based single point for configurations. Get in that and the network is yours. The same is true for the "best practice" of a single central logging server. We used to clip an ethernet pair to create talk only cables for logging. Now everyone seems to just trust the firewalls.

      What I would like to see is a central system that provides simple instructions that can be followed by someone who can read one and type into a truly air gapped system. Sure it takes longer but it means someone is looking at real config changes.

  3. Headley_Grange Silver badge

    "An industry unable to learn something in 40 years has no legitimacy. And there’s no sign it is learning now."

    They've learned the important lessons well. They've learned that, given a choice, most people buy the cheapest thing they can find and mostly won't pay extra for security or safety. If one of the Telcos had gone the extra mile then it would have been out of business today cos it would have been more expensive. Improvement won't happen until it's made a legal requirement, with criminal sanctions for directors who don't make sure it's done properly, so everyone has to do it and there's no business survival advantage to not doing it.

    1. Will Godfrey Silver badge
      Coat

      On the face of it that seems a reasonable assumption, but as time goes on, it's going to get increasingly expensive to not take on proper security practices.

      coat -> because I want out of this nightmare.

      1. Missing Semicolon Silver badge

        Expensive?

        How much has this really cost the Telcos themselves? Obviously the mug punters suffer as their data is exfiltrated, but the telco?

        When TalkTalk got hacked, there was exactly no consequence. The big US telcos will continue as before, with much "lesson-learning" and such, until the news cycle moves on.

        1. Anonymous Coward

          Re: Expensive?

          "When TalkTalk got hacked, there was exactly no consequence. "

          There was - but it actually reinforces your point. The direct and indirect costs of the attack were reckoned in the £60m range, and the company said it lost 100,000 customers as a result of the breach and the company's shit handling of that. Those incremental customer losses would have been worth what, £36m a year, assuming £30 a month gross margin and an impact that I'll guess as two years flat*. So that gives me around £130m impact on TT. But as you say, tough on customers, no change and no consequence for the board.

          * Thus avoiding the complexities of working out customer attrition post hack versus base case, margin and NPV of lost customers, and reputational damage effects on future customer acquisition.

  4. xeroks

    Start the year with a bang.

    Great article Rupert.

    <looks askance at my entire home & work networking>

    1. Apocalypso - a cheery end to the world

      Re: Start the year with a bang.

      > <looks askance at my entire home & work networking>

      Yes, now I've recently gone to FTTP it's easy to stick a firewall between my internal network and the ISP.

      Blocking inbound is trivial.

      Blocking outbound is going to be interesting: either things break silently or I run in monitoring mode for a month then go through the 20,000* odd outbounds and just whitelist the lot rather than try and work out whether they are valid or not. :-(

      [*] Number pulled out of my Automatic Random Sequence Engenerator but probably not far off.
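The "run in monitoring mode, then review the outbounds" step described above, as an added example that is not part of the original comment: a Python script that collapses iptables/nftables-style outbound LOG lines into per-destination tuples with counts, so a month of connections can be reviewed as a few hundred rows rather than blanket-allowlisted. The OUT-MON log prefix, the host names and the addresses are assumptions; the sample lines are constructed.

```python
"""Summarise monitor-only outbound firewall logs into an allowlist review table.

Assumes the kernel LOG target format as written to syslog (SRC=/DST=/PROTO=/DPT=).
The OUT-MON prefix and all sample lines below are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: OUT-MON: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"   # ICMP lines carry no ports
)

@dataclass
class Flow:
    count: int = 0
    sources: set = field(default_factory=set)   # distinct internal hosts
    first: str = ""
    last: str = ""

def parse_line(line):
    """Return (ts, src, dst, proto, dport) or None for non-firewall lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m["ts"], m["src"], m["dst"], m["proto"], m["dpt"] or "-")

def summarise(lines):
    """Group every logged outbound packet by (dst, proto, dport)."""
    flows = defaultdict(Flow)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dpt = rec
        f = flows[(dst, proto, dpt)]
        f.count += 1
        f.sources.add(src)
        f.first = f.first or ts
        f.last = ts
    return flows

def review_table(flows, rare_below=3):
    """Busiest destinations first; one-off destinations are flagged for a human."""
    rows = []
    for (dst, proto, dpt), f in sorted(flows.items(), key=lambda kv: -kv[1].count):
        verdict = "review" if f.count < rare_below else "candidate"
        rows.append((dst, proto, dpt, f.count, len(f.sources), verdict))
    return rows

def allow_rules(rows):
    """nftables-style accept rules for TCP/UDP candidates only (ICMP etc. stay manual)."""
    return [f"ip daddr {dst} {proto.lower()} dport {dpt} accept"
            for dst, proto, dpt, _, _, verdict in rows
            if verdict == "candidate" and proto in ("TCP", "UDP")]

SAMPLE = """Jan  5 10:00:01 gw kernel: OUT-MON: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 SYN URGP=0
Jan  5 10:00:02 gw kernel: OUT-MON: IN= OUT=eth0 SRC=192.168.1.11 DST=203.0.113.5 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 SYN URGP=0
Jan  5 10:00:03 gw kernel: OUT-MON: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=64 ID=3 DF PROTO=TCP SPT=51002 DPT=443 WINDOW=64240 SYN URGP=0
Jan  5 10:00:04 gw kernel: OUT-MON: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.53 LEN=64 TTL=64 ID=4 PROTO=UDP SPT=40000 DPT=53 LEN=44
Jan  5 10:00:05 gw kernel: OUT-MON: IN= OUT=eth0 SRC=192.168.1.12 DST=192.0.2.77 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=51003 DPT=8443 WINDOW=64240 SYN URGP=0
Jan  5 10:00:06 gw kernel: OUT-MON: IN= OUT=eth0 SRC=192.168.1.12 DST=192.0.2.9 LEN=84 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan  5 10:00:07 gw sshd[123]: Accepted publickey for admin from 192.168.1.2""".splitlines()

if __name__ == "__main__":
    for row in review_table(summarise(SAMPLE)):
        print(*row)
```

The "review" rows are where things would otherwise break silently after the switch to a default-deny outbound policy.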

  5. Doctor Syntax Silver badge

    "when the UK's British Telecom's Prestel text message service was attacked."

    Doing something about it took about another decade with Project Argent, if memory serves. It was a box ticking exercise.

    I got involved and the reviewer of my report turned out to have a background in security. Physical security. It was a farce. One of the questions, presumably a bit of arse covering from higher up asked the reporter to confirm that the applications had no undocumented functionality or words along those lines. I think it was probably intended to deal with the situation where some departed dev. left a little time-bomb to require payment to keep it going*. I refused to tick that box. When this was challenged I suggested they ask BT procurement to say whether they thought Microsoft would provide that assurance. The requirement was dropped when procurement replied.

    Systems in use got a desultory review as a consequence. Departments had to appoint a security officer. It was about the time I left - the whole project was the sort of thing that got dumped on someone who was leaving - but came back on contract to cover, as someone with no particular security background, for the appointee, also with no particular security background, to return from sick leave to take up the post.

    The major weakness was obvious. We could review our own code. We could have consultants come and review our own code if manglement felt we weren't up to it. Our own code could be reviewed to the Nth degree. Everything else - OSes, RDBMSes, whatever - had to be taken on trust.

    AFAICS the only difference between then and now is that the situation is far worse in terms of supply chain vulnerability. Outsourcing has made it worse. Growth in system complexity has made it worse. Network connectivity has made it worse. Why, for example, do organisations have to buy in a file transfer package which, from reports, simply seems to just wrap up FTP, something any admin ought to be able to do, and at the same time provide its own extended attack surface?

    * There was something close in an accounts package that would make payment demands to any user as licence renewal came up.

    1. ShortLegs

      "when the UK's British Telecom's Prestel text message service was attacked."

      Doing something about it took about another decade with Project Argent, if memory serves. It was a box ticking exercise.

      I got involved and the reviewer of my report turned out to have a background in security. Physical security. It was a farce...I suggested they ask BT procurement to say whether they thought Microsoft would provide that assurance. The requirement was dropped when procurement replied.

      So the US telcos were using a UID of 2222222222 and pwd of 123? (That's the account and pwd of the Prestel account that Robert logged in as.)

      I assume from rest of comment that Project Argent was securing something else, as Prestel was not running on Microsoft in 1984...

  6. Irongut Silver badge

    > Ask a Cisco router, snug in its rack in North Virginia but reporting back to Beijing.

    How about we ask all those Cisco routers, snug in racks outside the USA, that are reporting back to Langley?

    Maybe if they didn't contain a back door for FBI & CIA use then Beijing would find them harder to hack.

  7. Number6

    In a similar vein, one of the largest potential vulnerabilities for all users are ad brokers. You're clicking on a web page, which includes a load of JavaScript from a third party. Neither you nor the owner of the website you're viewing has any idea what's in that code, and there have been a few instances where someone has successfully attacked the ad broker, so that JavaScript contains malware. The only way you're going to improve that is to put all of that server side, so that static images are what gets delivered to the end user. That would also potentially defeat most ad blockers, because if done correctly, it would be near-impossible to distinguish between an ad and a wanted image.

    There's a lot of other JavaScript that gets loaded from third-party sites too, which means that even if everything was fine when the web page was written, if someone compromises that site the day after you've released your web page on the masses, it's going to affect a lot of people. Sadly, the only way to reduce this risk is to take your own copy of the common code and source it from your own servers, so that even if the central library gets compromised afterwards, you still have a pristine copy (assuming you're not blindly auto-updating). If your server gets compromised then it doesn't affect all the others with their own copies.

    Security and convenience have a fraught relationship, and you rarely get both together.

    1. Claptrap314 Silver badge

      If you make the owner of the site liable for what ever they send in response to a query, that would clean things up in a hurry, no?

      1. CowHorseFrog Silver badge

        Exactly, the owner of the site needs to be criminally liable for consequences of their actions. If they are irresponsible then they should be legally liable for REAL compensation and many other punishments.

      2. Doctor Syntax Silver badge

        "that would clean things up in a hurry, no?"

        In a hurry but not immediately. A few successful prosecutions would be needed to get too many businesses' attention.

    2. Anonymous Coward

      > The only way you're going to improve that is to put all of that server side,

      Or simply stop serving ads?

  8. Claptrap314 Silver badge

    Let me know when you find one..

    "We suggest finding an industry that has indulged its gargantuan appetite on the benefits of digital infrastructure while not investing in its security"

    1. UnknownUnknown

      Re: Let me know when you find one..

      https://www.lightreading.com/security/here-s-how-the-us-government-plans-to-destroy-huawei-s-equipment

      Happy to take $2bn in Federal money though ….

  9. DoctorNine

    My grandmother was correct

    I've always been suspicious of free cookies and those who would try to use them for nefarius porpoises. My granny warned me off such enticements as a lad. And even worse are the cookie and candy store owners, who don't care about what the ultimate result of their enterprise might be, as long as they are making coin. Onward in sales regardless, you know. Caveat emptor. Even if the poor lamb consuming said sweets has not a clue what's in the wrapper. At some point, we will need to decide what we are willing to eat, and what we will not. It's a matter of survival.

    1. sabroni Silver badge
      WTF?

      Re: It's a matter of survival.

      What the fuck are you talking about?

      1. CowHorseFrog Silver badge

        Re: It's a matter of survival.

        Your friend is talking about why web browser cookies exist, and why sites give them out.

      2. Sceptic Tank Silver badge
        Devil

        Re: It's a matter of survival.

        The LLM needs some more tweaking.

  10. Anonymous Coward

    I've not actually clicked through to the Daily Express, have I?

    "The only thing that can save us from China, and it's not vinegar!"

    1. Anonymous Coward

      If you can't tell the difference between the journalism on here and in the Express then you're wasting your time here.

      1. Steve Graham

        That was hyperbole, to point out Rupert's hysteria.

  11. Anonymous Coward

    No Fixes Will Be Financed!

    Quote: "Malicious activities can look indistinguishable from legitimate actions."

    Actually (per Edward Snowden) "Malicious activities ARE indistinguishable from legitimate actions."

    If anyone thinks that the Chinese are "bad" and the Five Eyes are "good".....then they are drinking the kool-aid supplied by Fort Meade (or Cheltenham)!

    But I do agree about one thing......there are fundamental problems with EVERYONE'S technology.....

    ....and there are lots of government and corporate entities who will be VERY P***ED if anyone tries to fix the faults!

    1. Anonymous Coward

      Ah.....Where Is Ambrose Bierce When You Need Him?

      Devil's Dictionary:

      peace, n. A period of cheating between two periods of fighting.

  12. cookiecutter

    Cybersecurity is pointless

    Why bother when we still treat the Chinese as a manufacturing partner? When western universities train their students?

    At EVERY point you hear "IT has to do more with less ". Vendors lying about what their products can do. Outsourced & offshored development done at minimum cost....I heard the phrase "just in time training" on an Indian website dedicated to getting developers trained on JUST ENOUGH to get through an interview.

    Any sysadmin will tell you how seriously companies take security... "oh but the BYOB consultants said that it's perfectly safe".

    We have accenshite, crap Gemini, crapita, infoshite, wipero, Tuti...bringing down rates & "advising clients" doing the "needful" by people who'd struggle to point out a firewall in a rack!

    Security vendors are always happy to point out that 79% of ALREADY compromised organisations DON'T improve their security stance.

    And on the other side? A $10 TRILLION industry both criminal & state actors. IT guys struggle to pay the bills while Russian criminals drive Audi R8s & north Korea funds an entire nation.

    Don't EVER tell me that any organisation takes security seriously.

  13. Anonymous Coward

    This isn’t a security incident

    Correct, it isn't. It's an act of war, and more decisive leadership would likely conclude it justifies a kinetic response.

    It's good that you called out both the security industrial complex and the telcos in this article. Security salesmen and telco securocrats have managed to make their systems simultaneously harder to access legitimately and less secure.

    Anon, because some of the buggers know my name.

    1. Anonymous Coward

      Re: This isn’t a security incident

      Yo....."act of war"....

      What about the attack on Iraq?.....when there were ABSOLUTELY NO WEAPONS OF MASS DESTRUCTION......

      ....apart of course from the American nukes!!!

      Please......take a deep breath.....

      1. Anonymous Coward

        Re: This isn’t a security incident

        Whataboutwhataboutwhataboutwhataboutwhataboutwhatabout... Fucking child.

      2. Claptrap314 Silver badge
        FAIL

        Re: This isn’t a security incident

        There were literal tons of chemical weapons found at multiple locations. A fact that was not terribly hard to confirm on the web for a few years, notably a major British newspaper condemned the US for exposing troops to it, but every time I point this out, it gets harder to find.

        Funny.
