COMMENTARY
The Chinese state-linked hacking group Salt Typhoon was recently discovered lurking in major US telecommunications systems, exposing nearly every American's communications to Chinese intelligence and security services.
In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that Americans and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent for securing communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. These organizations should carefully examine both their security risk and their regulatory obligations as they adopt new security solutions.
Background: Salt Typhoon
Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some components dating back to the late 1970s. Commonly accepted baseline cyber protections like multifactor authentication were not implemented. While the scope of this attack is widespread, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted communication applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.
Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the United States.
Security vs. Compliance: Adopting End-to-End Encryption Technologies
US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications, where only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications using cryptographic keys held at both the sender and the recipient. The end result is that data in transit is secure: the contents of any intercepted or compromised communications are indecipherable without the cryptographic key, including to Internet service providers and telecommunications companies, and to foreign hackers targeting those entities.
While end-to-end encrypted applications provide obvious advantages for security, many are not designed to comply with the data retention and access requirements imposed upon certain highly regulated industries.
In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of an organization be retained for at least three years. Additionally, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review.
In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network. Many encrypted communications applications limit a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. Additionally, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years.
Recommendations
As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To properly navigate these risks, organizations in every sector should consider three things.
First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. There are numerous mobile and desktop applications currently available that are designed to serve this purpose. For companies in regulated industries, it is important to also consider regulatory retention, monitoring, and auditing requirements when evaluating these tools. Such organizations should seek to implement solutions that can ensure appropriate encryption standards for messaging, collaboration, and voice and video calls, specifically configured to allow for auditing and data preservation.
Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually set up time-based purge rules for messages. While beneficial for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such features should be disabled for individuals and archiving tools should be in place. Additionally, employees should receive regular training on communications security and regulatory compliance.
Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious parties. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture.
Conclusion
Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations must balance security imperatives with their regulatory obligations.