After China's Salt Typhoon, the reconstruction starts now

If 40 years of faulty building gets blown down, don’t rebuild with the rubble

Opinion When a typhoon devastates a land, it takes a while to understand the scale of the destruction. Disaster relief kicks in, communications are rebuilt, and news flows out. Salt Typhoon is no different.

The news is still fragmentary and incoherent, but each new revelation from official sources builds the picture. This wasn't a freak weather occurrence, it is evidence of a climate that is dangerously unstable, and remains dangerously unstable.


There are now nine telcos, at least, known to have been hit by Chinese government-backed snoops whom they say accessed parts of their systems earlier this year. Millions of users have had their geolocation data taken. One compromised admin account controlled 100,000 routers. This isn’t a security incident, a few missed patches or lucky phishing, this is an entire sector in scandalous disarray.

That’s not the telco sector, that’s enterprise security as a whole. These people sold security to others, they partnered with enterprise security suppliers, moving billions of dollars around... and for what? To be taken apart by Chinese online attackers at industrial scale? If a Potemkin village had its idiots, they’d work in cyber security marketing.

We know how deeply rotten things are because Salt Typhoon used the same techniques as a break-in at another national telco 40 years ago, when the UK's British Telecom's Prestel text message service was attacked. The Prestel mailbox of the husband of the late Queen, Prince Philip, was famously accessed during the attack. As in the case of Prestel, Salt Typhoon scooped up unguarded accounts with huge privileges. The attackers could live off the land: there was no need to install special tools, because those already installed on the target were lethally capable and uncontrolled. Malicious activity can look indistinguishable from legitimate administration.

An industry unable to learn something in 40 years has no legitimacy. And there’s no sign it is learning now. Verizon’s corporate emissions are full of bland statements that there wasn’t much of a problem, it’s been "contained," and all of its highly respected friends agree. There are no specifics, nothing independently verifiable, just words they want us to believe.

In peacetime, this sort of bland denialist corporate propaganda is just part of the great game of complacent capitalism. In wartime, it’s treason. Are we at war? Ask a vandalized Baltic cable. Ask a filet of drones, on their way back from surveilling an airbase in the UK. Ask a Cisco router, snug in its rack in North Virginia but reporting back to Beijing. If we woke up one day to find an unfriendly foreign power in control of our domestic road, rail and air transport, the answer would be easy. Why is our data infrastructure different? Nobody needs to die and nothing needs to blow up, after all.

A war plan needs intelligence, logistics, tactics, strategy and a clear final goal. How many of these are in place when we look at cyber security? (We being the nations that belong to their people, rather than vice versa.) Assuredly, the bad guys have the full set. We don’t know the extent of infiltration or all the potential on-ramps, we have no strategy for an infrastructure that isn’t open to 40-year-old attack ideas, and we have no vision of what a properly secured infrastructure would look like.

The first step is to strip away all the commercial flim-flam and send in steely-eyed data forensic specialists to build an accurate map of the landscape and its inhabitants. How many accounts can compromise security? Where can such accounts be created? How much is protected by 2FA or better? Prove it. It would be like every CISO’s worst enemies being let in with complete access, except for two things: those worst enemies are already here, and these worst enemies are actually your friends.
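The map the column calls for starts as an inventory question: which accounts hold infrastructure-controlling privilege, where were they created, how strong is their second factor, and how many devices does each one touch. The script below is an added example, not code from the original column or from any telco; it runs an audit of that kind over a small, constructed account inventory. The role names (`router-admin`, `iam-admin`, `domain-admin`), the MFA tiers and the `source` field are assumptions chosen for illustration.

```python
"""Privileged-account and MFA-coverage audit over a constructed inventory.

Added example, not part of the original column. Every record below is
constructed; the role names, MFA tiers and source systems are assumptions.
"""
from dataclasses import dataclass

# Roles assumed, for this example, to grant control over infrastructure.
PRIVILEGED_ROLES = {"router-admin", "iam-admin", "domain-admin"}
# Roles assumed to allow creating or elevating other accounts, i.e. the
# places where new privileged accounts can appear.
ACCOUNT_CREATOR_ROLES = {"iam-admin", "domain-admin"}
# Ordering of second factors from weakest to strongest (assumed tiers).
MFA_RANK = {"none": 0, "sms": 1, "totp": 2, "fido2": 3}


@dataclass
class Account:
    name: str
    roles: set
    mfa: str            # one of MFA_RANK's keys
    source: str         # system in which the account was created
    devices_managed: int = 0


def is_privileged(acct: Account) -> bool:
    """True if the account holds any infrastructure-controlling role."""
    return bool(acct.roles & PRIVILEGED_ROLES)


def mfa_strength(acct: Account) -> int:
    """Numeric rank of the account's second factor; unknown values rank as none."""
    return MFA_RANK.get(acct.mfa, 0)


def audit(accounts, min_mfa: str = "totp") -> dict:
    """Summarise privileged accounts whose MFA falls below `min_mfa`.

    Returns counts, the offending account names (sorted), the systems in
    which privileged accounts were created, and the number of devices
    reachable through privileged accounts lacking adequate MFA.
    """
    threshold = MFA_RANK[min_mfa]
    privileged = [a for a in accounts if is_privileged(a)]
    weak = [a for a in privileged if mfa_strength(a) < threshold]
    return {
        "privileged_count": len(privileged),
        "weak_mfa_privileged": sorted(a.name for a in weak),
        "account_creators": sorted(
            a.name for a in accounts if a.roles & ACCOUNT_CREATOR_ROLES
        ),
        "privileged_creation_paths": sorted({a.source for a in privileged}),
        "devices_exposed_via_weak_mfa": sum(a.devices_managed for a in weak),
    }


# Constructed inventory: the 100,000-router figure echoes the column, the
# rest is invented for illustration.
SAMPLE_ACCOUNTS = [
    Account("netops-svc", {"router-admin"}, "none", "tacacs", 100_000),
    Account("alice", {"iam-admin"}, "fido2", "okta"),
    Account("bob", {"domain-admin", "router-admin"}, "sms", "ad", 250),
    Account("carol", {"helpdesk"}, "totp", "okta"),
    Account("legacy-admin", {"router-admin"}, "none", "local-router", 12),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary; in practice the `SAMPLE_ACCOUNTS` list would be replaced by an export from each identity store, and the `privileged_creation_paths` list is the one to scrutinise first, since every entry is a place where a new privileged account can be minted outside the main IAM system.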

Once the map is drawn and the fog of shareholder value blown away, the emergency work begins. It’s resources, risk and reward, same as always, but this time the risks and rewards are defined by the public security interest, not what looks good on the books. It’s called a wartime economy, it is unbelievably expensive, and nothing else works. You do have to find the money from somewhere. We suggest finding an industry that has indulged its gargantuan appetite on the benefits of digital infrastructure while not investing in its security.

Who knows what we’ll find? Telcos are notorious nincompoops. But they’re not the only nincompoops in town. We assume that cloud providers haven’t been infiltrated like the telcos: if that’s true, then knowing how is vital. If it’s not - you can finish this sentence yourself. Without the big picture, though, nothing much will work: with it, a start can be made to lock things down.

Next, the hard bit. What does a post-Salt Typhoon security landscape look like? There are excellent cyber security design principles that are routinely ignored because they cost money but are otherwise invisible on the bottom line. That has to stop, at gunpoint if need be. The creation, implementation and maintenance of a properly robust infrastructure is as complex and intriguing as any post-war reconstruction: we still know how to do that, again if we care to. And finally, what do we do with hostile state actors who behave badly? Geopolitics of the highest order, but not knowing is not an option. Bad guys drive tanks through that. Literally.

There is an alternative to going to war: surrender. We can’t win, it doesn’t really matter, it’s just the new reality. Students of history know how that ends. When you look up and see Sputnik, it’s best to take the hint. That won’t be the only one. Build a better rocket, and build it quickly. When you look down and find one infrastructure on fire, it won’t be the only one. Build better. Build fast. ®
