America's Phone Networks Could Soon Face Financial - and Criminal - Penalties for Insecure Networks (msn.com)
The head of America's FCC "has drafted plans to regulate the cybersecurity of telecommunications companies," reports the Washington Post, and the plans could include financial penalties for phone network operators with insufficient security — "the first time the agency has asserted such powers under federal wiretapping law."
Rosenworcel said the FCC's authority in this matter comes from Section 105 of the Communications Assistance for Law Enforcement Act [passed in 1994] — a single sentence that stipulates, without elaboration, that telecommunications carriers should ensure systems security "in accordance with regulations prescribed by the Commission." As one of the measures, she is seeking to require network providers to submit an annual certification to the FCC that they are implementing a cybersecurity risk management plan. In addition to imposing fines, the FCC could coordinate with other agencies to pursue criminal penalties against carriers deemed too careless on cybersecurity...
Biden administration officials said voluntary efforts to protect against aggressive Chinese hacking activity have fallen short. "We've had for the last decade voluntary public-private partnership efforts," Neuberger told The Post in a recent interview. "But we continue to see successful breaches, and in many cases, as with ransomware attacks, we continue to see pretty basic cybersecurity practices not being followed." With China's hackers becoming more brazen, pre-positioning themselves in U.S. critical networks, "we need to lock our digital doors," Neuberger said...
Cyber requirements can make a difference, she said. After the Colonial Pipeline ransomware attack in 2021 shut down one of the nation's largest energy pipelines for several days, creating a national security scare, the Transportation Security Administration issued several security directives, and today, all of the country's several dozen critical pipeline companies are in compliance, she said. Similar directives were subsequently issued for rail and aviation sectors, and the compliance rates in those industries are now at 68 and 57 percent respectively, she said.
What did you expect? (Score:5, Insightful)
OF COURSE voluntary efforts have fallen short. Corps do not voluntarily throw proper resources at (perceived) cost sinks until forced to do so.
Re:What did you expect? (Score:5, Insightful)
Indeed. No major industry has ever successfully "self-regulated". In Europe some are even admitting that this cannot work.
Re:What did you expect? (Score:4, Interesting)
But do you really understand the scope of this particular problem?
Here is a video about SS7 vulnerabilities. He's a mathematician and approached the problem from an unusual perspective, but the results of his little experiments certainly dismayed me. Sad historical stuff, too. https://www.youtube.com/watch?... [youtube.com]
Trying to think of a short summary, but it's difficult... Basically if a bad actor has sufficient financial resources, then your so-called smartphone is not your friend. But seems too obvious?
Re: (Score:3, Informative)
Your invalid ad hominem is invalid. I attended my first talk on SS7 vulnerabilities about 25 years ago. The problem is that the US telco industry is lazy and does not even try to address the problems. But get this: I have had 3 spam calls in the last 20 years. Because a telco provider that does not use effective SS7 firewalling and anomaly detection here (some place in Europe) faces some pretty stiff fines.
Re: (Score:3)
My, my, such thin skin. I was merely reacting to your comment as it stood and even looking for an excuse to share the video.
Doesn't sound like you watched it. Perhaps too sure of yourself? However, it did support some of your defensive extension. In particular, as regards the main violence, the attackers went after a number of targets within a few minutes, but the post mortem research was only able to get data (from the firewall logs, presumably) for the many attempts that were blocked and circumstantial evid
Re: (Score:2)
You expect me to watch a _video_? Do you know where you are? People here do not even read the story!
Re: (Score:2)
What did I expect? Not the flood of sock puppets targeting me with censor mod points. That is really an unfunny coincidence considering the evidence of your thin skin. I have already clarified that no ad hominem was intended.
And I did NOT send a bare video link. I deliberately explained why I thought I hadn't wasted my time with that particular video. Should I have mentioned more about what sort of heavy duty mathematician he is? For examples, he's done a number of quite interesting videos about generative
Re: (Score:2)
Or just watch Veritasium cover the same aspect - where he hijacks a friend's cellphone while on a video call with them.
https://youtu.be/wVyu7NB7W6Y?s... [youtu.be]
Of course, it's interesting that 5G wireless doesn't use SS7 anymore.
Re: (Score:2)
Re: (Score:2)
Thanks for clarifying that. I thought I might have posted the wrong link.
Re: (Score:2)
Re: (Score:2)
> OF COURSE voluntary efforts have fallen short. Corps do not voluntarily throw proper resources at (perceived) cost sinks until forced to do so.
Voluntary self regulation by industry has not worked since it was popularised during the Reagan era and it still does not work. The only thing remotely surprising about that is that it has taken America this long to realise it.
That's not *entirely* true. Some aspects of industry can self-regulate in the presence of large enough amounts of competition, i.e. companies competing to suck less than the other companies. But to the extent that this happens, it is competitive pressure causing that self-regulation.
In industries with little to no competition, including Internet service providers, telephone networks, etc., expecting the industry to self-regulate is like expecting a hungry lion not to eat a gazelle.
Re: (Score:2)
Interestingly, before the big tobacco companies elbowed their way in, the e-cig industry was highly effective at self regulation. For example, by the time the FDA put out a notice "discouraging" the use of diacetyl (butter flavor), the e-cig industry had for the most part removed it as a flavoring.
But in spite of that, the feds couldn't wait to regulate it. It's only the large companies that need regulation that seem to inspire the whole "let the market work it out" attitude.
Re: (Score:2)
Small companies don't need regulation? The phrase "fly-by-night" isn't usually referring to large companies.
Re: (Score:2)
Small companies that have demonstrated self-regulation don't need all that much special regulation. They're not big enough or lawyered up enough to pull the crap big companies do. The fly-by-night thing is quite well covered under the more general legal framework we all must follow.
Re: (Score:2)
So do we write exceptions for those companies in legislation (i.e. let legislators play favorites)?
No law has ever been written to regulate the well-behaved. But since assholes will always exist, we need laws to codify the penalties for acting outside the boundaries of reasonable behavior.
Re: (Score:2)
At the time the e-cig regulations went into effect, the industry was 100% small corporations. The regulations actually helped sweep them away to make room for the big tobacco companies to elbow in with markedly inferior products.
They Also Use Vendors They Know They Shouldn't (Score:2)
Re: (Score:1)
Since I am now retired, I can peruse Slashdot endlessly. I applaud this info since it convinces me that my voicing the statement “That is just par for the course” is Never overused.
So it goes. Thank you, K. Vonnegut.
Risk management plan (Score:1)
Risk? What risk?
This is data that the telecoms sell to third parties already. So, other than ensuring that they receive compensation for (customers') data that they market, what else is at risk?
If a shopkeeper looks the other way when a poor person swipes a loaf of bread because they are hungry, is that of any concern of the governments?
Re:Risk management plan (Score:5, Insightful)
> If a shopkeeper looks the other way when a poor person swipes a loaf of bread because they are hungry, is that of any concern of the governments?
Your analogy fails spectacularly.
The entities doing the stealing are not poor. They are government agencies of sovereign nations. And they're not stealing bread to eat it, they're stealing information for nefarious purposes. Information about you and me.
Re: (Score:2)
> The entities doing the stealing are not poor.
So, stealing bread to poison it and serve to the king?
Re: (Score:2)
> The entities doing the stealing are not poor.
That doesn't matter. Stealing what AT&T was going to sell anyway isn't a security issue. If AT&T wants to file a police report for theft, that's up to them.
> they're stealing information for nefarious purposes.
Who cares what the purpose is? If they paid AT&T for the data, these entities would be free to use it for "nefarious purposes". Or spreading peanut butter on it and eating it.
> Information about you and me.
Doesn't matter. It belongs to AT&T. And they can sell it if they want.
Pointless effort (Score:3, Insightful)
Instead of requiring them to do this, the FCC should be requiring them to eliminate spam calls.
Re: (Score:2)
assert("walking" XOR "chewing gum")?
Re: (Score:3)
What is a "spam call"? Ah, you mean like the "Indian MS tech support call" I got about 12 years ago? Or maybe the other call I got about 7 years ago where they tried to make me sign up for a different health-insurance, but then the call-center got raided and everybody got arrested a few days later? Those calls? Of course, I am in Europe.
Seriously, this is because your politicians do not care and want to do these things themselves to manipulate your votes. Vote better, make your voice heard and these calls w
Re: (Score:2)
> What is a "spam call"?
Probably like the 12 that my iPhone blocked on Friday alone. Or the 8 on Thursday. Wednesday was a good day and I only blocked 3. So like a lot of people, unless you're whitelisted you go directly to voicemail. And these spam calls almost never leave voicemail. Then before the election it was spam call and spam text hell from both sides.
But but... (Score:3, Interesting)
Re: (Score:2, Insightful)
Re:But but... (Score:4, Funny)
Re: (Score:2)
I don't think you understand the intricacies of HIPAA. There is nothing "scot-free" about what happens to healthcare companies that lose private information to breaches. These companies face BIG fines and penalties for breaches, even if they did everything by the book.
Re: But but... (Score:2)
No, they won’t (Score:5, Interesting)
Some civil servant scribbled down an idea and posted it on the internet. Oh noes
Let's take it a step further (Score:5, Interesting)
Re: (Score:1)
I would like to know what you, and many others, are doing to get all these spam calls. I'm trying to remember the last time I got one of those. It has definitely been months, if not over a year. Aside from the spam from the recent election, I never get these fraud calls.
Re: (Score:2)
While we're at it, can they also be penalized for the dozens of fraudulent calls I receive on a daily basis? The ones they know have forged DIDs, yet they don't have any interest in blocking.
Um, how will they finance their second yacht if they don't sell those services? If you have a yacht on the West Coast, it is easier to just buy another yacht for the Caribbean than to have your crew sail your yacht there.
I don't understand how they can be so bad at this (Score:5, Interesting)
Re: (Score:3)
Requirements and fulfilling them somewhat on paper is one thing. Actually fulfilling them in reality is quite another. And I say this as a part-time IT and IT security auditor. Without political will, all these requirements mean nothing. I have one audit customer that simply delays everything and half-asses the rest. They are about to get stomped by the regulator so that it hurts, though. But without that regulator, all I can do is document the defects and shortcomings.
CALEA (Score:3)
Re: (Score:2)
That does seem to be the point.
Brendan Carr is a real civil rights advocate - I've been following him for years. Very consistent.
The No Bad Press/Too Big to Rig strategy seems to have paid off but I'd give 85% odds S.702 does not get reauthorized.
penalties (Score:1)
Re: (Score:3)
The GDPR does not require intent to allocate penalties. Mess up, regardless for whatever reason, get punished. Do not fix the problems and mess up badly enough again 2 or 3 times? Have your business shut down. See, not hard to do. Of course, AFAIK, there is a single case of a company that did things so badly they got a permanent prohibition to process personal data of any kind. That usually kills the organization.
Re: (Score:2)
> ALL companies that have or collect data about people should be held liable for loss of data.
That doesn't matter. It's the telephone company's data. Don't like it? Don't do business with the telephone company.
It would be like charging me criminally every time I lost my car keys.
Financial penalties are a joke (Score:4, Insightful)
Damned if you do, damned if you don't (Score:4, Interesting)
Doesn't CALEA criminalize making phone networks secure?!
It sounds like if you're a telecommunications provider, then you're required by law to be a criminal. But at least you'll get to pick which kind of criminal. Yay freedom!
and of course it will be pass the blame downwards (Score:3)
A few issues (Score:2)
Which government department measures security and audits its providers? Which budget line item pays for that department?
This isn't about finding a good answer. It's about demanding government work as intended.
Translation: The government has no authority and/or political will to shine a light on this nest of vipers.
In which case, this demand for responsibility and intervention will fail.
Using a 30-year old 'key', you mean. It's clear, that has failed, and now the US government is demanding nothing ch
LOL (Score:2)
A financial penalty . . . . .
So, here's some trivia. The telecom I work for makes about one point four BILLION a week. A WEEK.
( Gross profit for the twelve months ending September 30, 2024 was $73.123B )
Show of hands for anyone who believes a financial penalty will mean or do anything at those profit levels ?
( Hell, they would probably claim the loss against their taxes at the end of the year )
The company will do the math and determine which will cost them more. Fixing the problem or eating the penalty.
(
Trump (Score:1)
China? Yeah, right? (Score:1)
We don't believe you.
> Chinese hacking activity
You mean the CIA with their Vault 7 BS. They can fool you into thinking anyone (else) is the attacker. If you secure the networks the CIA would not be able to infiltrate them, so it'll never happen.
As ever, what are they attempting to distract you from?
I Needed That Laugh (Score:2)