A federal agency on Wednesday issued urgent written guidance to top government officials and politicians to immediately stop using standard phone calls and text messages after major U.S. telecommunications companies were targeted by Chinese hackers.
“Use only end-to-end encrypted communications,” it said, saying that these “highly targeted individuals” also “should assume that all communications between mobile devices—including government and personal devices—and internet services are at risk of interception or manipulation.”
End-to-end encryption refers to data protection that makes information unreadable except for the sender and its recipient. A number of chat apps including WhatsApp, Signal, iMessage, BrightChat, and others already have end-to-end encryption.
Regular phone calls and text messages are not end-to-end encrypted, meaning they can be monitored, either by telephone companies, law enforcement, or potentially by hackers.
Previously, CISA warned that Chinese regime-linked hackers known as “Salt Typhoon” have hacked into U.S. telecommunications systems and may be able to obtain sensitive data on individuals.
That message was reiterated on Wednesday, with CISA executive assistant director for cybersecurity Jeff Greene telling reporters that the government’s investigation into the breach is ongoing and various targeted agencies and people are at different stages of their response. Based on his comments, it’s not clear whether Chinese hackers are still lurking within U.S. telecommunications companies’ systems.
Salt Typhoon’s compromise “is part of a broader pattern of [Chinese regime] activity directed at critical infrastructure,” Greene said, referring to Chinese-linked cyber operations focused on utilities and other sensitive networks and tracked under the nickname “Volt Typhoon.”
“This is ongoing [Chinese regime] activity that we need to both prepare for and defend against for the long term,” he said.
Other recommendations from CISA include avoiding text messages based on one-time passwords such as ones that are often sent by U.S. banks to verify logins and using hardware keys, which help protect against a password-stealing technique known as phishing.
Earlier this month, Greene, the CISA official, said that Americans broadly should consider using encrypted messaging platforms.
“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Greene told reporters.
Around the same time, Democratic and Republican senators sent a letter to the Department of Defense (DOD) to investigate Chinese-led espionage attempts targeting American telecom companies. These hackers stole information from private communications from “a limited number of individuals” involved in politics, officials have said.
The recent warnings are a reversal from previous comments made by top-level federal officials in recent years. In a 2018 event, FBI Director Christopher Wray warned that end-to-end encryption poses a problem for federal law enforcement efforts, describing it as an “urgent public safety issue.”
