GAO mulls cost evaluation of nationwide telecom hardware replacement

One major vulnerability exploited by China’s Salt Typhoon hacking unit is a Cisco hardware flaw that can’t be patched and requires physical replacement, according to a person with knowledge of the intrusions.

The nation’s top oversight office is considering penning a study to assess the cost of administering a far-reaching operation to rip out and replace swaths of at-risk or compromised telecommunications equipment owned by small communications providers around the country, according to a senior U.S. official.

The deliberations, which have not been previously reported, are fueled by an ongoing Chinese espionage intrusion into U.S. and allied telecommunications networks by Salt Typhoon, a hacking unit tied to Beijing’s Ministry of State Security that likely had unfettered access to key elements of America’s telecommunications backbone for around two years.

As part of the work, the U.S. Government Accountability Office would study the costs of undertaking such a project and, separately, would also evaluate security vulnerabilities impacting the telecommunications industry, said the official, who spoke on the condition of anonymity because they were not authorized to discuss the private deliberations.

Should President-elect Donald Trump’s national security team support this study, it could motivate his allies in Congress to greenlight what would likely be a multi-billion dollar effort to weed out troves of telecommunications hardware that’s been accessed or is at risk of being ensnared by Chinese hackers and other adversaries.

It’s not entirely clear when the study would commence, but GAO staff are anticipating that Congress will formally request that the work begin soon, the senior official said.

The Federal Communications Commission is already locked in an ongoing effort to help small, rural broadband providers remove and replace equipment made by Huawei and ZTE, a pair of Chinese telecom companies deemed an unsuitable security risk to U.S. networks. 

That “rip and replace” program was toplined with $2 billion in funding when it initially passed in 2020. Only last month did it receive an added $3 billion from Congress to cover a funding shortfall that the FCC had been flagging to lawmakers for months. 

This GAO study, however, would be significantly broader in scope. It would focus on the viability of discarding and replacing telecom equipment embedded across the entire nation, including hardware managed by smaller providers who were among the victims ensnared by Salt Typhoon. 

The Chinese cyberspies broke into the systems of major providers, including AT&T, Verizon and Lumen. They also accessed Charter Communications, Consolidated Communications and Windstream, the Wall Street Journal reported Saturday, citing people familiar with the matter. In total, the hackers infiltrated at least nine U.S. communications firms and dozens of others around the world. 

Telecommunications Industry Association CEO Dave Stehlin said in a statement that TIA has “consistently championed the use of trusted suppliers throughout our expansive network ecosystem, encompassing wireless, wireline, satellite, subsea cables and IoT networks” and added the trade group has advocated for rip and replace initiatives for several years.

The Competitive Carriers Association, which represents regional and rural wireless providers, declined to comment. The FCC and a staffer for incoming Republican leader Brendan Carr did not return a request for comment.

Multiple providers recently disclosed that Salt Typhoon was no longer in their networks. Still, several hundred organizations comprising telecom companies and other sectors were notified over the past couple of months that they may be at risk of compromise, Nextgov/FCW reported in December.

One of the major vulnerabilities exploited is a hardware flaw within Cisco equipment that cannot be patched with a software update and requires physical replacement, according to a person with knowledge of the intrusions.

“The [GAO] study is needed,” said the person, who was granted anonymity to be candid about their understanding of the hacks.

The government watchdog may also explore providers’ equipment supply chains. Beijing can legally compel companies that operate within China’s borders to hand over schematics about their products. Given Cisco’s operating unit in mainland China, it’s likely that Chinese intelligence services had extensive knowledge about Cisco device architecture that allowed Salt Typhoon to later get inside, according to a congressional aide familiar with the hacks.

The Chinese cyber unit also exploited software vulnerabilities in Ivanti, Fortinet, Sophos and Microsoft Exchange Server systems.

Early glimpses of what a nationwide rip-and-replace initiative could involve are already taking shape. Officials are researching national security risks tied to China-owned router provider TP-Link, and are readying for a possible countrywide ban of the firm, which can be invoked under a Commerce Department authority created in Trump’s first term.

Commerce is also moving to jettison remaining operating units of China Telecom in the U.S., the New York Times reported last month.

“The risk to our telecommunications infrastructure has only grown since we discovered the threat posed by Huawei,” House Homeland Security Committee Chairman Mark Green, R-Tenn., said in a statement when asked about the study.

“Due to the widespread nature of this most recent intrusion by the CCP actor known as Salt Typhoon, it’s essential to fully evaluate the cost of creating a more resilient foundation for the telecommunications sector. This way, we can take concrete steps toward improving collective cyber defense across the government,” he added, referring to the Chinese Communist Party.

It’s unclear how such a sweeping rip and replace project would unfold, given society’s everyday reliance on phone systems for jobs, banking and other vital activities. Moreover, millions of Americans rely on major wireless providers for services that allow them to conduct phone calls, send text messages and browse the internet. 

Some telecom operators also have a strong presence in the federal space. AT&T, for instance, manages FirstNet, a public safety network used by first responders like firefighters and police officers. Data tied to FirstNet call logs was compromised in a separate 2022 breach, Nextgov/FCW reported in July.

The U.S. government’s communications equipment could also be scrutinized as part of the study. The fiscal year 2019 defense policy bill barred agencies from buying or using certain telecom or video surveillance equipment from several Chinese companies and their related business units, but equipment purchased before that law took effect is not considered.

Updating the vulnerable systems and security practices across the telecom industry would be a massive and costly undertaking. Modern-day telecom networks operate as a complex mix of antiquated technology from the past few decades integrated with contemporary digital infrastructure. In certain areas, protective measures were robust, but in others outdated hardware and lax security practices left vulnerabilities that Salt Typhoon identified and exploited.

Making matters more complex is the fact that Salt Typhoon also breached America’s “lawful intercept” systems that house wiretap requests used by law enforcement to surveil suspected criminals and spies. Telecom firms are required to engineer their networks for wiretapping under the Communications Assistance for Law Enforcement Act, or CALEA, which passed in 1994. The FCC oversees the law.

Over the years, wiretapping methods have shifted from analog procedures to streamlined digital systems. Today, law enforcement analysts can file requests for targets’ phone metadata directly to telecom operators. Many of those requests are processed at legal demand facilities that could be inadvertently swept up in the equipment replacement efforts.

Not all experts are confident that a mass rip and replace project would shore up U.S. communications security.

“Nothing I’ve seen of Salt Typhoon’s activity would suggest rip and replace would be a cost effective or efficient approach. Most of these intrusions took advantage of decades-old security architecture flaws and exploited known cyber hygiene issues like missing patches or vulnerable accounts and leaked passwords,” said Marc Rogers, a 35-year telecom security practitioner who worked with a major carrier on deploying, operating and securing its technology from the 1990s into the late 2010s.

“The first step should be to fix these [issues]. Exploitation of our carriers via old known flaws that have patches is an indefensible position,” he added.

Sen. Mark Warner, D-Va., who chairs the Senate Intelligence Committee, said replacing the hardware is a “necessary, but insufficient step.”

“Salt Typhoon demonstrated in a scary way how the aged telecommunications infrastructure on which Americans rely is highly fragile and extremely vulnerable,” he said in a statement that argued the need for minimum cybersecurity standards and for providers “to build their systems in ways that take into consideration security by design and not only speed to market.”

“I hope GAO will also include in their study the costs of doing such things,” Warner added.

China has repeatedly denied involvement in hacking activities against the U.S. and Western allies. Chinese embassy spokesperson Liu Pengyu told Nextgov/FCW that, during a meeting between President Biden and President Xi Jinping in Peru at the APEC Summit late last year, Xi said there’s no evidence supporting the “irrational claim” of cyberattacks from China. Biden raised the question to Xi in response to the Salt Typhoon hacks.

“The [People’s Republic of China] threat is probably the top threat that we’re addressing right now,” Brett Leatherman, the FBI’s deputy assistant director for cyber operations, said in a recent interview.

“All these PRC-based cyberattacks against the United States — they’re meant to either increase the PRC’s footprint on U.S. infrastructure for potentially some sort of wartime footing, as well as to conduct sophisticated espionage against the United States,” he added. “All of that is a threat to national security.”
