COMMENTARY
The Chinese state-linked hacking group Salt Typhoon was recently detected lurking in major US telecommunications systems, exposing nearly every American's communications to Chinese intelligence and security services.
In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that Americans and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent for securing communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. Those organizations should carefully examine both their security risk and their regulatory obligations as they adopt new security solutions.
Background: Salt Typhoon
Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some components dating back to the late 1970s. Generally accepted baseline cyber protections such as multifactor authentication were not implemented. While the scope of the attack is broad, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted messaging applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.
Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the US.
Security vs. Compliance: Adopting End-to-End Encryption Technologies
US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications, in which only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications with cryptographic keys held by the sender and the recipient. The end result is that data in transit is secure: the contents of any intercepted or compromised communication are indecipherable without the cryptographic key, including to Internet service providers and telecommunications companies, as well as to foreign hackers targeting those entities.
While end-to-end encrypted applications provide obvious security advantages, many are not designed to comply with the data retention and access requirements imposed on certain highly regulated industries.
In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of the organization be retained for at least three years. In addition, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review.
In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) being transmitted over an electronic communications network. Many encrypted communications applications limit a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. In addition, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years.
Recommendations
As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To navigate these risks appropriately, organizations in every sector should consider three things.
First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. Numerous mobile and desktop applications currently available are designed to serve this purpose. For companies in regulated industries, it is also important to consider regulatory retention, monitoring, and auditing requirements when evaluating these tools. Such organizations should seek to implement solutions that ensure appropriate encryption standards for messaging, collaboration, and voice and video calls, specifically configured to allow for auditing and data preservation.
Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually set time-based purge rules for messages. While valuable for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such features should be disabled for individuals and archiving tools should be in place. In addition, employees should receive regular training on communications security and regulatory compliance.
Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious actors. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture.
Conclusion
Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations must balance security imperatives with their regulatory obligations.