FCC to telcos: By law you must secure your networks from foreign spies. Get on it

Decades-old legislation requiring American telcos to lock down their systems to prevent foreign snoops from intercepting communications isn't mere decoration on the pages of law books – it actually means carriers need to secure their networks, the FCC has huffed. On Thursday, the US regulator issued a formal ruling that states …

  1. Doctor Syntax Silver badge

    "Backdoors that adversaries are clearly happy to use against us."

    Not possible. By definition backdoors can only be used by the good guys (whoever they may be).

    1. Groo The Wanderer - A Canuck

      Given the personalities seizing control of the US, China could well end up being "the good guy", relatively speaking.

      1. Anonymous Coward

        I was thinking the same thing this morning, in that the way things across the pond look like they're heading, spying from China poses a lower risk than spying from the USA. Legislating for all UK telcos to now install Huawei kit would help balance things up (after all, does anyone have hardware or software on their phone or PC that doesn't answer to the USA at various points)!

  2. ecofeco Silver badge
    Pirate

    LOL

    As if U.S. corporations will actually do so. Especially the effing telcos. ----------------------------->>>

  3. Dimmer Silver badge

    Paperwork is not going to fix the problem.

    “These providers would also be required to submit an annual certification to the FCC confirming that these plans have been created, updated, and implemented.”

    Hey, I have an idea: how about we start requiring the manufacturer to take a bit of the responsibility. Best I can tell, it is not in their best interest to provide a product that is secure.

    If your router was secure, and functional, the only reason to upgrade is if the service provided requires it.

    With no or less hardware churn, and if you don’t need patches, why would you pay for maintenance? Not a good business model.

    The best analog to this is printer ink. At first it was that you had to only pay a massive amount for ink. That was not enough, so now the cartridge fails when the time runs out.

    Does not matter how much paper you throw at it, it will not secure a device. Only a secure device can be secured.

    I have seen too many hacks that were done to “secure” systems, fully patched and maintained by well trained personnel. Stop blaming the professionals and start looking at the cause.

    1. abend0c4 Silver badge

      Re: Paperwork is not going to fix the problem.

      In the real world, we know that nothing based on software is invulnerable. Plus, if you consider all of the equipment in a corporate network - routers, firewalls, servers, clients, peripherals, etc. - there are millions of configuration settings, any small handful of which, if wrong or inconsistent, could provide unintended access. And it's not as if the fundamental technologies have not proved insecure - there have been many generations of SSL and TLS to fix bugs in the protocols themselves.

      That's not to say that manufacturers can't do a better job: having multiple different implementations of management interfaces and authentication/authorisation, many of which are supplied by the least-cost third party subcontracted to manufacture a device to a particular specification, means you're often starting from zero with a fresh set of bugs rather than taking advantage of previous fixes. But we have to be realistic - in IT there's a constant stream of new features that "have" to be delivered and time-to-market is often the economic imperative. If we want more robust products, we also need greater stability in our requirements.

      We'd all like security to be someone else's problem. Unfortunately, present technology has evolved from a time when security - particularly of the kind necessary to deal with threats on a global scale - was simply not a goal and, simultaneously, organisations are outsourcing their business processes much more so every perimeter fence is breached to a greater or lesser extent.

      It's a mess, but it's a mess we all have to deal with and it's unlikely it will get any less messy in the foreseeable future.

      1. O'Reg Inalsin

        Re: Paperwork is not going to fix the problem.

        And let's not forget that insiders can also be bought. The humans are also a weak link.

        1. cmb11

          Re: Paperwork is not going to fix the problem.

          As one of those professionals who are charged with securing systems, I can say it's not the hardware or software where the problems lie, for the most part. Most of the time social engineering is used to deploy the nasty. After the Aussie BoM was hit by a RAT a few years ago, https://www.abc.net.au/news/2016-10-12/bureau-of-meteorology-bom-cyber-hacked-by-foreign-spies/7923770, it was discovered to have most likely been due to a staff member opening an email attachment. This is how bad actors get into networks, not through a hole in a firewall; people open the door for them.

          The way we fix it is to, yes, keep our kit updated and patched, but also train our people so they can spot a potential attempted attack. If not, that "speeding fine," "request from the CEO," that nice Nigerian Prince or the helpful man from "Windows Support/Amazon/Credit Card Company/etc." will be a lot more expensive than anyone could have thought.

      2. IGotOut Silver badge

        Re: Paperwork is not going to fix the problem.

        Oh, manufacturers can do a f'ing lot more:

        1. No default passwords.

        2. No hard coded credentials.

        3. Secured by default.

        4. Security fixes without need for maintenance contracts.

        Fixed many of the issues right there.

  4. Yorick Hunt Silver badge
    Holmes

    And the corollary...

    "By law you must open your networks to domestic spies."

    ... Which is what brought us to this mess in the first place!

    1. Sandtitz Silver badge

      Re: And the corollary...

      How do you know these mass intrusions are due to whatever possible access the TLAs had to different systems instead of previously unknown vulnerabilities and/or user errors?

      My money would be on the last option - bad security practices; credential phishing; plain ol' stupidity and laziness.

      1. Doctor Syntax Silver badge

        Re: And the corollary...

        "How do you know these mass intrusions are due to whatever possible access the TLAs had to different systems instead of previously unknown vulnerabilities and/or user errors?"

        Because TPTB have admitted it. Certainly vulnerabilities and user errors to get in there in the first place, but the wire tap back doors, once opened, were a gift.

        1. cmb11

          Re: And the corollary...

          So what you're saying is if people are trained in avoiding attacks via social engineering, these backdoors cannot be accessed by bad, state funded, attackers. To me it's better to have the backdoor there to be accessed only with a legal court order, and train the staff to stop bad actors accessing.

      2. ecofeco Silver badge

        Re: And the corollary...

        As someone who once worked for the biggest telco on the planet, you would win that bet.

        Oh, and it's far worse than THAT.

  5. Infused

    Oh the Irony...

    We won't ban the mass surveillance systems the Chinese used to hack us & steal our information, but we will ban TikTok.

    1. cmb11

      Re: Oh the Irony...

      Yeah, TikTok is one of the ways they could have got in. Don't forget TikTok has a key logger running when you use the app, and people are more than a little slack with passwords, often using the same ones for most online services, and Telco employees have been known to use social media from time to time.

  6. Mentat74
    Facepalm

    Since when...

    Do laws apply to large American companies?

    1. Joe W Silver badge

      Re: Since when...

      I'm pretty sure the incoming administration will call this "far off mission" as well.... along with any consumer protection efforts. This kind of stuff is just bad for companies' bottom lines, as is any red tape. Health and safety? Workers' rights? Environment? Clearly all unnecessary restrictions to the American Way we do business.

  7. Dan 55 Silver badge

    A flurry of activity when it's too late

    It's almost as if the Democrats are the Status Quo party. They won't make it worse (that's the Republicans' job), but don't expect any improvements either.

    1. Richard 12 Silver badge

      Re: A flurry of activity when it's too late

      The Republicans have been actively blocking absolutely everything.

      Several of them appear to believe it's their job to make sure absolutely nothing whatsoever passes Congress.

      1. Dan 55 Silver badge

        Re: A flurry of activity when it's too late

        They had a majority in Congress until 2023.

        1. Richard 12 Silver badge

          Re: A flurry of activity when it's too late

          Which is why everything happened in the two years when the Democrats had a thin majority.

          The Congress that just ended passed almost nothing.

          Take a look - almost everything that rebuilt the economy is from the Democrats' two years of Congress.

  8. Falmari Silver badge

    Notice of Proposed Rulemaking

    In the Notice of Proposed Rulemaking the FCC are not just proposing new rules such as providers having to create, update, and implement, cybersecurity and supply chain risk management plans and having to submit an annual certification attesting that they have created, updated, and implemented cybersecurity and supply chain risk management plans.

    The FCC are also changing the Scope of Communications Service Providers Subject to Cybersecurity Proposals* to include non-common carriers, such as broadcasters, all television stations, AM/FM radio stations, digital audio broadcasters and digital television service providers, etc.

    That has to be agency overreach. The Communications Assistance for Law Enforcement Act (CALEA) is to do this: To amend title 18, United States Code, to make clear a telecommunications carrier's duty to cooperate in the interception of communications for law enforcement purposes, and for other purposes.

    *Scope of Communications Service Providers Subject to Cybersecurity Proposals starts on page 10 of the FCC PDF: https://docs.fcc.gov/public/attachments/FCC-25-9A1.pdf

  9. ChrisElvidge Silver badge

    I can't understand why it takes a law to get companies / people to secure their own networks. Surely it's in the companies' own interest to make sure their own network is private.

    1. Doctor Syntax Silver badge

      Only to the extent that it doesn't cost too much.

    2. ecofeco Silver badge

      Psychopaths never consider the consequence to themselves.

      They're kinda funny that way.

  10. Tron Silver badge

    They should make wild fires illegal.

    That would make everyone much safer.

  11. sanmigueelbeer
    Coat

    Gee whiz, folks.

    Them Huawei kit are really secure, huh?

  12. Anonymous Coward

    Ah.....Edward Snowden....More Misinformation For You To Rebut.....

    ...where are you when we need you?

    How soon we forget!!!

    Oh...and no mention of seriously misleading "advice" from NIST!

    ....and no mention of built in flaws in Cisco kit......

    ....all those bad "others"....all the modern (American) "big lies".......

    ....sigh!!!!!
