Telco Security Is A Dumpster Fire And Everyone’s Getting Burned

Opinion: Here’s a front-page headline you won’t see these days: CHINA’S SPIES ARE TAPPING OUR PHONES. Not that they’re not – they are – but, like the environment, there’s so much cybersecurity horror in the media that, yes, of course they are. And?

The story deserves screaming headlines everywhere, from national TV news down to the Windy Creek Pig Farmer Bugle. The raw facts are bad enough. Chinese state hackers have infiltrated US telco infrastructure so deeply that only major rebuilds can expel them. The reasonable inferences are worse: that the US government has lost the ability to enforce the responsibilities of telcos, and that other democratic countries are in a similar pickle.

America has plenty of institutional paranoia and ass-covering secrecy as a service. But it also has a history of getting things out into the open where its allies would much rather stay shtum. Good luck finding any politician in the UK prepared to talk about the same thing. Wherever you are, this story includes you.

Alongside the fact that the US dropped the telco regulation ball, we must also reluctantly entertain the idea that telcos themselves may harbor tiny pockets of incompetence in much the same way that herds of bison may contain bison. In particular, telcos have evolved from circuit switching to the same IP packet switching as the rest of us, but without the end-to-end encryption of the sort even the Chinese state’s cleverest attackers can’t crack.

Some of this may be a hangover from those circuit-switched days, when switches were physically and connection-wise under the complete control of the telco. Mass unauthorized interception was impossible without the telco’s knowledge and cooperation – well, almost impossible. Some of this may be political dissuasion.

The same state that decries telco porosity to foreign attackers is also constantly pushing to make other systems more vulnerable in the name of national security. This is even in the face of suspicions that the Chinese state has helped itself to the telcos’ own legally sanctioned wiretapping systems, the exact functionality the state wants to extend across the internet. Whether it’s due to Stone Age telco thinking or political cognitive dissonance, you can’t get general-use end-to-end encryption on your landline, and China’s spies are TAPPING OUR PHONES.

There are so many ways to make this better, it hurts to think them through. Telcos have been regulated in ways that other infrastructure providers are not, as a legacy of the days when there was just one telco called the telephone company. It was either owned by the government or had a state monopoly granted in exchange for behaving soberly as one of the prime guardians of everyday life. That responsibility continued in a modified form after the free-market liberalizations of the last century. It remains much easier to tell telcos how to behave.

However, this only works if there’s political will. That comes from pressure, which is amplified by engagement and evidence. It’s worked so far to keep end-to-end encryption despite the constant attempts to club it to death. The evidence is that it is mathematically impossible to have a secure system with designed-in insecurities, logistically impossible to manage such a thing safely even were it to exist, and practically impossible to enforce on an open internet.

The evidence that telcos are fundamentally insecure is also there, but needs better airing and more substantial data.

What would be lost if all the details of the China-linked attackers’ infiltration were published in detail? It could hardly be news to Beijing, but it would vastly hinder their claims that it’s all fabricated. It’s like Andrew Tate’s denial that RealWorld was ransacked and it’s all a fabrication by The Matrix. Well, yes, except for the many gigabytes of completely convincing checkable data. Take the red pill already, Andy. If similar masses of data exist for telco infiltration, they should be used to make an undeniable public case that this happened, and for a ground-up reimagining of what secure core telco services look like and how they should be guaranteed.

There are extra layers of complexity, not least that, in the finest traditions of spy vs spy, if they’re doing it to us, we’re doing it to them. Tacit cross-border understandings not to make too much of an embarrassing fuss are hardly new. These go only so far, especially when real damage is done, and it would be foolish to abandon one weapon liberal democracies have that autocratic states do not – sunlight as a disinfectant.

The major confounding factor in the US is Trump. The incoming administration has cognitive dissonances of its own. It wants to increase national security while removing regulations, it regards CISA as an enemy to be punished for not finding evidence of electoral hacking in 2020 and daring to say so, and who knows how things will evolve with China in general, let alone in cybersecurity in particular.

None of this is an excuse to shrug and move on. Telco security remains of primary importance. We know it’s broken and we know there are systemic, deep-rooted reasons that won’t fix themselves. Those who make tech happen must ask for the truth, decide what we need, and use politics to get there. It won’t make headlines, but it will make a difference. ®