How to Stay Secure Amidst FCC Cyber Protection Rollbacks

The latest move in the US government's peeling back of cyber protections comes from the FCC. Telecommunications companies (telcos) complained enough that protecting their customers' data (and their own network infrastructure) is too expensive, and the FCC caved.

After the discovery of the Salt Typhoon breaches in multiple carriers last year, the US federal government issued an order requiring the telcos to implement additional, but minimal, measures to better protect these pieces of critical infrastructure. Now the current administration has rolled back those protections, allowing telcos to continue running lightly secured infrastructure.

Unfortunately, this is just how it works in regulated industries. Political leanings and lobbying usually win the day. You do have recourse, though. Maybe not at the telco level, but at least in your own personal and business world. There are a few places where we can beef up our own security against attackers with a foothold in our Internet infrastructure.

  • Implement end-to-end encryption in sensitive email communications. You can do this through selective encryption (the sender chooses which emails to encrypt) or data loss prevention (DLP) rules that detect specific content and encrypt the emails automatically.
  • Use encrypted messengers such as iMessage, RCS, Signal, etc.
  • Make sensitive voice calls on highly encrypted apps such as Signal.
  • Ensure that you have a robust boundary firewall separating your business and personal infrastructure from the Internet. Make sure your firewall configuration and rules are strong and managed!
  • Review all Internet-facing systems your business hosts and remove any that aren't necessary for business. If it's not necessary, it's just adding risk with no benefit.
  • Restrict access, where possible, to required Internet-facing systems. If it doesn't need to be open to the public, don't let it be. Lock down those remote desktop, database, and other remote management tools to only necessary sources.
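
One way to check the last two items against your own firewall, as an added example that is not part of the original article: the script below reads rules in `iptables-save` format and reports every ACCEPT rule that leaves a remote desktop, database, or remote management port open to any source. The port list, the function names, and the sample rules are assumptions made for illustration; it covers the IPv4 INPUT chain only and skips rules that use negated (`!`) matches.

```python
import ipaddress
import shlex

# Ports for the services named above (remote desktop, databases, remote
# management). This selection is an assumption; adjust it to your estate.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5985: "WinRM",
                    1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample in iptables-save format (not from a real system).
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000:6000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1433 -j DROP
"""

def _ports(spec):
    """Expand '22', '3306,5432' or '5000:6000' into a set of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def _any_source(src):
    """True when there is no source match or it matches every address."""
    return src is None or ipaddress.ip_network(src, strict=False).prefixlen == 0

def find_exposed(rules_text):
    """Return (service, port, rule) for ACCEPT rules open to any source."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or "!" in tok:
            continue  # other chains and negated matches are out of scope here
        opts = {t: v for t, v in zip(tok, tok[1:]) if t.startswith("-")}
        src = opts.get("-s") or opts.get("--source")
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") != "ACCEPT" or spec is None or not _any_source(src):
            continue
        for port in sorted(MANAGEMENT_PORTS.keys() & _ports(spec)):
            findings.append((MANAGEMENT_PORTS[port], port, line))
    return findings

if __name__ == "__main__":
    for service, port, rule in find_exposed(SAMPLE_RULES):
        print(f"{service} ({port}/tcp) open to any source: {rule}")
```

The wide range rule (`5000:6000`) is the case worth noticing: it never names a management port, yet it exposes three of them.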

This type of action in our government is why we in the tech industry are so vocal when the government wants to force companies to implement backdoors in encrypted platforms. Those backdoors won't be restricted to the good guys for long. Remember those TSA-approved luggage locks? Yeah, they became useless when pictures of the keys were leaked. Imagine that for all your sensitive data.

Reference:
www.bleepingcomputer.com/news/security/fcc-rolls-back-cybersecurity-rules-for-telcos-despite-state-hacking-risks