While E2EE doesn’t prevent cyberattacks such as the one Salt Typhoon perpetrated, it can render them useless.
“The biggest advantage is that it mitigates vulnerability,” says Richard Forno, assistant director of the Center for Cybersecurity at the University of Maryland, Baltimore County. “So, if your network was compromised by a third party, your encrypted communications would still be secure. That’s why adopting an E2EE strategy was the first recommendation of the Cybersecurity and Infrastructure Security Agency.”
How Can Your Agency Get Started With Encryption?
Some challenges need to be addressed before choosing an encryption provider. The first is figuring out how encryption relates to a department’s document retention policies.
“Wall Street firms have had to deal with this problem for years, as traders have been caught deleting messages while using Signal to get around insider trading and compliance regulations,” Forno says. “And, of course, the government also requires agency documents and communications to be preserved.”
There’s also the issue of complying with federal procurement regulations.
“Some agencies are constrained to buying only U.S. products and services, which limits the number of possible vendors,” Forno says. “Ideally, you’ll want to buy from well-known, reliable vendors. Security software is not something you want to get from a relatively new, obscure company with the lowest bid.”
“The more open a company is about having their encryption technology vetted and validated by the community, the better,” Dunlap says. “You want an industry standard that’s been thoroughly checked out by cryptographic professionals. If a company says they’ve developed an encryption product and shows you what the professionals think about it, that’s better than, ‘Come buy our cool, new encryption. No one on the outside has had access to it or tested it, but trust us, it’s secure.’”
Another advantage of open-source E2EE products is that their user communities often find and correct issues.
“It’s not uncommon for good citizens or ethical researchers to reach out to the makers of an open-source product and let them know about a problem that needs a patch or update,” Dunlap says. “That’s better than a nation-state finding a flaw that lets them crack a high level of encryption and them keeping that information close to the vest and not telling anyone.”
Using Encryption in the Real World
Adopting an encryption program won’t shield anything if employees avoid using it. Perhaps they’re used to communicating with colleagues in other offices via text message, or they find the new encrypted communication program has a clunky interface.
“Of course, there are also instances where an agency employee defaults to using personal email or texting for business, and we’ve even seen that with politicians,” Dunlap says. “Educating and training people on secure communications is essential for federal agencies.”
Another issue that hasn’t been worked out yet is program compatibility.
“Apple’s iMessage is a perfectly good, encrypted message program; however, an iMessage user can’t communicate with someone using Google Messages or Signal,” Forno says. “You’ve got to kind of pick your ecosystem and make sure everyone’s on board with it.”
There’s also the problem of group chats. If a group chat is set up among agency employees and a handful of independent contractors for a project, but the contractors don’t have the encryption program the agency staff uses, the chat falls back to unencrypted communication so that those users can participate.
“Making sure the outside people use the same program is the answer, but it is an extra step to take,” Forno says.
Overall, the benefits of encrypted communications are worth the work of putting them in place.
“It greatly reduces the risk of sensitive information getting in the wrong hands, and that’s a critical mission for every federal employee,” Dunlap says.