Security for Telecommunications
Definition
Telecommunications security is the protection of the networks, systems, protocols, and infrastructure that carry voice, data, and signaling traffic across the global communications ecosystem. It encompasses the defense of carrier networks (mobile, fixed-line, and internet service providers), the signaling protocols that coordinate calls and messages between networks, the systems that authenticate subscribers and route traffic, and the increasingly complex intersection of telecommunications infrastructure with every other sector of the economy.
Telecommunications occupies a unique position in the security landscape: it is simultaneously critical infrastructure in its own right and the underlying medium through which security controls in every other sector operate. When SMS-based multi-factor authentication is used to protect banking, healthcare, or government accounts, that security control depends entirely on the integrity of the telecommunications network that delivers the text message. When law enforcement seeks to intercept communications under a lawful court order, that capability depends on telecommunications carriers having implemented CALEA-mandated interception architecture. When a hospital calls emergency services during a mass casualty event, the call routes through telecommunications infrastructure. The failure of that infrastructure is not a telecommunications problem; it is a cross-sector catastrophe.
The Salt Typhoon intrusion campaign, publicly confirmed in late 2024, demonstrated that the most sophisticated nation-state adversaries are not merely trying to access carrier systems for conventional data theft. They are targeting the specific systems that carriers built to comply with lawful intercept requirements, the CALEA-compliant interception infrastructure that gives law enforcement access to communications. By compromising that infrastructure, Chinese Ministry of State Security (MSS) operators gained access to the communications of a select set of high-value targets, including U.S. government officials, political figures, and individuals under investigation by federal law enforcement. The surveillance apparatus built to serve lawful government access was accessed by a foreign government for illegitimate intelligence collection.
This is not an isolated failure of a single carrier. AT&T, Verizon, Lumen, T-Mobile, and additional carriers were confirmed as compromised. It represents the most significant telecommunications security breach in U.S. history and has prompted regulatory, legislative, and industry responses that will reshape mandatory security requirements for the sector for years.
---
Threat Landscape
Salt Typhoon: Lawful Intercept Systems as Attack Targets
Salt Typhoon (also tracked as Earth Estries and GhostEmperor by different threat intelligence vendors) is a Chinese MSS-affiliated threat actor that achieved access to the CALEA lawful intercept systems of multiple major U.S. telecommunications carriers. The significance of this specific targeting cannot be overstated. CALEA systems are the interfaces that allow authorized law enforcement agencies to receive real-time intercept of specified communications. An adversary who has access to CALEA infrastructure has, in effect, a lawful intercept capability they are operating without authorization.
The reported access extended beyond CALEA infrastructure to include call detail records and, in some cases, audio of specific communications. The targeting appeared selective and intelligence-driven: the victims whose communications were accessed were identified targets of value to Chinese intelligence, not indiscriminate bulk collection. This is consistent with MSS collection doctrine, which prioritizes high-value human intelligence targets over bulk signals collection.
The dwell time in some carrier networks was reported to be months or years before detection. Initial access methods included exploitation of vulnerabilities in network edge devices, particularly Cisco and Fortinet products used by carriers for network management. Once inside, the actors moved laterally through management networks to reach CALEA-adjacent systems.
The Salt Typhoon campaign has direct implications for the security architecture of every U.S. telecommunications carrier. CALEA compliance creates a permanent structural vulnerability: the interception interfaces, by design, provide access to communications traffic. Any architecture that provides such access is a high-value target, and the security controls governing access to those systems must be commensurate with the sensitivity of what they can deliver to an attacker.
SS7 and Diameter: The Insecure Signaling Foundation
The Signaling System 7 (SS7) protocol suite, developed in the 1970s and deployed globally through the 1980s and 1990s, underpins the call routing, SMS delivery, and location services of the global telecommunications network. SS7 was designed in an era when the global telephone network was operated by a small number of trusted national monopolies, and its design reflects that assumption: there is essentially no authentication in SS7. Any entity with access to the SS7 network can send messages that allow call forwarding, call interception, SMS interception, and subscriber location tracking.
Access to the SS7 network is not restricted to legitimate carriers. Telecom operators in dozens of countries have loose procedures for authorizing access. Commercially available SS7 access is sold by intermediaries. Intelligence agencies, surveillance companies, criminal organizations, and, in some documented cases, private investigators have used SS7 access to track individuals, intercept SMS messages (including SMS-based one-time passwords), and redirect calls.
The practical consequence for security is severe: SMS-based multi-factor authentication is not secure against adversaries with SS7 access. This has been known in the security community since at least 2014, when SS7 vulnerabilities were publicly demonstrated at the Chaos Communication Congress. Yet SMS-based MFA remains the dominant second factor for consumer authentication across banking, healthcare, government services, and enterprise applications. The weakness is structural and cannot be patched; it can only be mitigated by replacing SMS-based authentication with phishing-resistant alternatives.
Diameter, the protocol that replaced SS7 in 4G LTE networks for many signaling functions, improved on SS7 but did not solve the fundamental problem. Diameter has its own documented vulnerabilities, and both SS7 and Diameter remain in use simultaneously, because the global network must interoperate with legacy infrastructure that has not completed the transition.
SIM Swapping: Social Engineering the Telecom Stack
SIM swapping is a fraud technique in which an attacker convinces or bribes a telecommunications carrier's customer service representative to transfer a victim's phone number to a SIM card controlled by the attacker. Once the attacker controls the phone number, they receive the victim's SMS messages, including SMS-based MFA codes, and voice calls, including voicemail-based OTP delivery. The attacker can then reset passwords, bypass MFA, and take over accounts across any service that uses that phone number as a recovery or authentication factor.
SIM swapping exploits the weakest link in the telecommunications security chain: the human customer service process. Carriers have implemented progressively stronger controls, including port freeze options, account PINs, and in-store ID verification requirements, but motivated attackers work around these controls through social engineering, corrupt insiders, or by targeting carriers with weaker verification procedures.
The Scattered Spider threat group, responsible for the 2023 MGM Resorts breach, used SIM swapping as a key technique for initial access and privilege escalation. Jack Dorsey, then CEO of Twitter, had his phone number SIM-swapped in 2019, demonstrating that high-profile targets are not immune. The cryptocurrency ecosystem has been particularly targeted, with individual victims losing millions of dollars through SIM swap-enabled account takeovers.
BGP Hijacking: Routing Table Manipulation
Border Gateway Protocol (BGP) is the routing protocol that enables the internet. BGP was designed, like SS7, with the assumption that participants were cooperative and trusted. It has essentially no authentication at the protocol level. Any BGP-speaking network can announce routes for IP address blocks it does not own, and other networks will, by default, accept and propagate those announcements. A BGP hijack allows an attacker to redirect internet traffic for a specific IP range through attacker-controlled infrastructure, enabling traffic interception, denial of service, and man-in-the-middle attacks.
BGP hijacks have been used by state actors (documented cases involving Russian and Chinese telecommunications carriers announcing routes for U.S. government and military IP blocks), criminal actors (targeting cryptocurrency exchange traffic), and, occasionally, through misconfiguration rather than malice. Resource Public Key Infrastructure (RPKI), a cryptographic validation system for BGP route origins, is the primary mitigation, but its deployment is uneven and an attacker who compromises a carrier with RPKI-valid route announcements can still conduct a hijack.
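As an added example, not code from the original article or from any carrier, the following Python models RFC 6811 route origin validation against a constructed ROA set and then shows the caveat raised above: an announcement that forges the legitimate origin AS still validates, so a simple upstream baseline check is placed alongside ROV. All prefixes, ASNs and ROAs are constructed sample values (AS64666 is the hypothetical hijacker).

```python
"""RPKI Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example, not code from the original article. Classifies announcements
as Valid / Invalid / NotFound and shows the caveat the article raises: a
hijacker that prepends the legitimate origin AS passes ROV. Prefixes and
ASNs are constructed documentation values; AS64666 is the hypothetical hijacker.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix
    max_length: int   # most specific length the origin may announce
    origin_as: int    # AS authorised to originate the prefix


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple    # leftmost = peer we heard it from, rightmost = origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Stand-in for the validated ROA cache a router fetches from its RP software.
ROAS = [ROA("192.0.2.0/24", 24, 64500), ROA("198.51.100.0/22", 24, 64501)]
# Constructed baseline: the AS normally seen adjacent to each prefix's origin.
UPSTREAM_BASELINE = {"192.0.2.0/24": {64496}, "198.51.100.0/22": {64496}}


def rov_state(prefix, origin_as, roas=ROAS):
    """Return the RFC 6811 state for one (prefix, origin AS) pair."""
    route = ip_network(prefix)
    covering = [r for r in roas if ip_network(r.prefix).version == route.version
                and route.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "NotFound"        # no ROA covers this prefix
    for roa in covering:
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "Valid"       # one matching ROA is enough
    return "Invalid"             # covered, but wrong origin or too specific


def upstream_changed(ann, baseline=UPSTREAM_BASELINE):
    """True when the AS adjacent to the origin is not in the baseline.

    ROV checks only the origin, so (peer, hijacker, real_origin) validates;
    the unexpected neighbour of the origin is what gives it away.
    """
    route = ip_network(ann.prefix)
    covering = [p for p in baseline if route.subnet_of(ip_network(p))]
    if not covering or len(ann.as_path) < 2:
        return False
    return any(ann.as_path[-2] not in baseline[p] for p in covering)


def evaluate(announcements, roas=ROAS, baseline=UPSTREAM_BASELINE):
    """Return (announcement, state, upstream_changed, accepted) tuples.

    Policy: drop Invalid, accept NotFound (too many prefixes still lack
    ROAs to drop them), and hold Valid routes with a changed upstream.
    """
    results = []
    for ann in announcements:
        state = rov_state(ann.prefix, ann.origin_as, roas)
        changed = state == "Valid" and upstream_changed(ann, baseline)
        results.append((ann, state, changed, state != "Invalid" and not changed))
    return results


SAMPLE = [
    Announcement("192.0.2.0/24", (64496, 64500)),         # legitimate
    Announcement("192.0.2.0/24", (64496, 64666)),         # origin hijack
    Announcement("198.51.100.0/25", (64496, 64501)),      # beyond maxLength
    Announcement("192.0.2.0/24", (64496, 64666, 64500)),  # forged-origin hijack
    Announcement("203.0.113.0/24", (64496, 64502)),       # no ROA published
]

if __name__ == "__main__":
    for ann, state, changed, ok in evaluate(SAMPLE):
        print(f"{ann.prefix:17} {ann.as_path} {state:8} changed={changed} accepted={ok}")
```

The fourth sample announcement is the case the paragraph warns about: ROV returns Valid because the origin AS is genuine, and only the upstream comparison holds it for review.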
5G Security Considerations
5G networks introduce new security dimensions while addressing some vulnerabilities of earlier generations. The 5G core architecture separates network functions, moves control plane functions to software-defined implementations, and introduces network slicing (the ability to create isolated logical networks for specific use cases on shared physical infrastructure). Each of these architectural changes creates new attack surfaces.
Network slicing security depends on the isolation mechanisms working correctly; a vulnerability in the slice isolation implementation could allow cross-slice traffic access. The open RAN (O-RAN) initiative, which promotes disaggregated, multi-vendor radio access networks, introduces supply chain risk at the RAN layer that was previously contained within single-vendor proprietary hardware. 5G edge computing, which moves processing closer to the subscriber for latency-sensitive applications, expands the geographic footprint of sensitive network functions to locations with physical security profiles very different from traditional carrier central offices.
---
Industry-Specific Challenges
CALEA Compliance: The Permanent Structural Vulnerability
The Communications Assistance for Law Enforcement Act (1994) requires telecommunications carriers and broadband providers to build interception capabilities into their networks that allow authorized law enforcement to conduct electronic surveillance under court order. CALEA compliance is not optional; it is a federal statutory requirement. The architecture it mandates creates interfaces that, by design, provide access to live communications traffic.
The Salt Typhoon campaign exploited CALEA infrastructure directly. This creates a paradox: the security vulnerability that allowed foreign intelligence access to U.S. government communications exists because U.S. law requires it to exist. The regulatory response has focused on hardening the access controls governing CALEA interfaces rather than eliminating them, which is the only architecturally coherent response given that eliminating them would violate federal law. The lesson is that any mandated access capability is a target, and the security controls around that capability must be proportional to the value of what it provides to an attacker.
FCC Cybersecurity Requirements: Post-Salt Typhoon Rulemaking
The Federal Communications Commission, responding to Salt Typhoon, has moved toward mandatory minimum cybersecurity standards for telecommunications carriers under its authority over communications providers. Emergency directives issued in late 2024 require carriers to remediate specific vulnerabilities in network management systems and secure CALEA infrastructure access. Proposed rules would establish ongoing mandatory cybersecurity requirements, potentially including network segmentation standards, access control requirements, and incident reporting obligations.
This represents a significant regulatory shift. Prior to Salt Typhoon, FCC cybersecurity oversight was largely voluntary guidance and breach notification requirements. The movement toward mandatory minimum standards aligns the telecommunications sector with the energy sector, where NERC CIP created enforceable mandatory standards after a different set of incidents. The rulemaking process will take years to complete, but emergency directives create immediate obligations.
CPNI Protection
Customer Proprietary Network Information (CPNI) includes information that carriers collect about customers' use of their services: call records, internet usage data, location data, and service details. The FCC's CPNI rules require carriers to protect this information and restrict its use to specific authorized purposes. Data breaches involving CPNI have mandatory reporting requirements, and misuse of CPNI by carrier employees or vendors has resulted in significant enforcement actions.
CPNI protection intersects with the broader SIM swapping problem: the verification procedures carriers use to authenticate customers calling for account changes involve CPNI, and the social engineering techniques used by SIM swappers exploit weaknesses in how carriers verify caller identity against CPNI records.
Carrier-Grade Infrastructure and Availability Requirements
Telecommunications carriers operate under contractual and regulatory availability requirements that most other industries do not face. Public Switched Telephone Network (PSTN) reliability standards historically targeted 99.999 percent uptime (five-nines, approximately 5 minutes of downtime per year). First responder communications, 911 services, and emergency alert systems depend on carrier infrastructure being available precisely when demand is highest.
This extreme availability requirement constrains security operations in ways that enterprise security practitioners find frustrating. A patch that requires a 20-minute maintenance window on a network element carrying active 911 traffic cannot be deployed without extensive change management review. A detection tool that introduces 10 milliseconds of latency on a carrier-grade routing platform will be rejected by network operations before it completes proof-of-concept testing. Security tools and processes must be designed with carrier-grade operational constraints as first-class requirements, not afterthoughts.
Massive Scale and International Interconnection
A major U.S. carrier operates infrastructure that touches hundreds of millions of subscribers and interconnects with hundreds of other carriers worldwide. The attack surface is correspondingly enormous: thousands of network elements, dozens of data centers, complex software-defined networking environments, and international interconnection points where the carrier's managed network interfaces with networks whose security postures are unknown and uncontrollable.
The international interconnection point is particularly relevant for SS7 and BGP security. A carrier can implement strong security controls on its own network and still receive malicious SS7 messages from less-controlled foreign carriers through the global signaling network. The security posture of the global telecommunications ecosystem is only as strong as its weakest member, and the weakest members include carriers in countries with minimal regulatory oversight and, in some cases, deliberate policy tolerance for SS7 abuse by domestic security services.
---
CDA Perspective
Telecommunications is where every other sector's security controls either hold or break. A compromised carrier is not just a telecommunications problem; it is a banking problem, a healthcare problem, a government communications problem, and a national security problem simultaneously. CDA approaches the telecommunications vertical through a Telecom FRM built around two principles: the network is the attack surface, and the signaling plane is the most underdefended layer.
DPS: Sovereign Data Protocol (SDP) "Your data lives where you decide. Period."
CPNI, call detail records, CALEA intercept data, and subscriber authentication databases are among the most sensitive data assets in the economy. SDP in telecommunications requires both technical data protection and architectural sovereignty over where this data flows. DPS-R01 (Data Asset Discovery) must map CALEA data flows explicitly, tracing the path from intercept interfaces through lawful intercept management systems to law enforcement delivery interfaces. DPS-B03 (DLP Foundation) governs CPNI handling across the carrier's customer service and operations platforms. DPS-H02 (Data Sovereignty Mapping) documents data flows to international partners and interconnected carriers, a requirement for both regulatory compliance and for understanding the exposure surface through which Salt Typhoon-style actors could move.
VSD: Continuous Surface Reduction (CSR) "Every surface you expose is a surface we eliminate."
Carrier attack surface management must address IT systems, network management infrastructure, signaling plane exposure, and the customer-facing APIs that power mobile apps and third-party integrations. VSD-R01 (External Attack Surface Discovery) for a telecommunications carrier includes internet-facing management systems, SS7 and Diameter gateway exposure, BGP peering infrastructure, and CALEA management interfaces. VSD-B03 (Attack Surface Reduction) specifically targets the SS7 and Diameter filtering problem: carriers can implement signaling firewalls that filter anomalous SS7 and Diameter messages, blocking the specific message types most commonly used in location tracking and interception attacks. VSD-H03 (API Security Assessment) addresses the growing carrier API surface, including REST APIs that expose subscriber data to MVNO partners, IoT device management platforms, and third-party service providers.
SPH: Autonomous Posture Command (APC) "Your posture adapts. Your hygiene never sleeps."
Configuration management at carrier scale is a specialized discipline. A carrier's network might include hundreds of router platforms, each running complex configurations, in dozens of points of presence. Configuration drift in a carrier environment can create routing anomalies that are indistinguishable from BGP hijacking to external observers. SPH-R02 (Configuration Baseline Assessment) establishes secure configuration standards for network elements, with carrier-specific hardening guides (Cisco, Nokia, Ericsson platforms each have different hardening requirements). SPH-B04 (Asset Management System) at carrier scale requires integration with network inventory systems that track physical and virtual network elements, their software versions, and their configuration states. SPH-H02 (Change Management Hardening) is critical: changes to carrier network elements have potential service impact that requires rigorous change control, and the change management process must be security-integrated without becoming a bottleneck that prevents timely security patching.
IAT: Zero Possession Architecture (ZPA) "Trust nothing. Possess nothing. Verify everything."
The SIM swapping problem is a failure of subscriber identity verification, and ZPA principles apply directly. IAT-R01 (Identity Infrastructure Assessment) for a carrier includes both employee and subscriber identity systems. IAT-R02 (Privileged Access Audit) focuses on the high-privilege carrier operations accounts that can modify network configurations, access CALEA systems, and modify subscriber records. These accounts are the primary target of both external adversaries and malicious insiders. IAT-B01 (Zero Trust Architecture Design) applies to carrier network management environments: network engineers accessing network elements should be accessing them through a privileged access management system with MFA, session recording, and just-in-time access grants, not through persistent administrative credentials stored in shared password stores. IAT-B02 (Privileged Access Management) specifically addresses the CALEA access control problem identified in the Salt Typhoon breach response guidance issued by CISA and the FBI.
TID: Predictive Defense Intelligence (PDI) "See the threat before it sees you."
Carrier detection requirements span IT threat detection and signaling plane anomaly detection, which are fundamentally different disciplines requiring different tool sets. TID-R01 (Threat Landscape Assessment) for a major carrier must include Salt Typhoon, Volt Typhoon, and other state-sponsored actors with documented interest in telecommunications infrastructure, with specific indicator sets for each. TID-B01 (SIEM Deployment and Tuning) must ingest signaling plane data, network flow data, and IT system logs simultaneously, correlating across these data sources to detect multi-stage attack patterns. TID-H01 (Detection Engineering Program) should build detection logic specifically for SS7 abuse patterns, CALEA access anomalies, and BGP route announcement irregularities, all of which are carrier-specific attack techniques that generic detection content does not cover. TID-H03 (Threat Hunting Program) at carriers should specifically hunt for Salt Typhoon-style indicators: anomalous access to CALEA management systems, unusual authentication patterns on network management platforms, and lateral movement between IT and OT network management zones.
RGA: Perpetual Compliance Assurance (PCA) "Compliance is not an event. It is a state."
Telecommunications compliance is fragmenting as regulators respond to Salt Typhoon with new requirements. RGA-R01 (Compliance Landscape Mapping) must capture CALEA obligations, FCC cybersecurity requirements (both current emergency directives and proposed rules), CPNI protection requirements, state utility commission oversight in states where it exists, and international requirements for carriers operating outside the United States. RGA-B02 (Compliance Program Build) must be designed to absorb new requirements rapidly, because the regulatory environment is actively changing. RGA-H01 (Multi-Framework Compliance Alignment) identifies the substantial overlap between FCC emergency directives, NIST CSF, and CISA's Enhanced Visibility and Hardening Guidance for Communications Infrastructure (the joint advisory issued directly in response to Salt Typhoon), which allows unified control implementations rather than separate compliance programs.
Telecommunications FRM: Five First Actions
- Conduct a CALEA security architecture review, specifically assessing access controls to lawful intercept management systems, network management platforms with adjacency to CALEA infrastructure, and authentication mechanisms for all accounts with CALEA-adjacent access.
- Deploy SS7 and Diameter signaling firewalls to filter anomalous signaling messages, specifically implementing filtering for the message types used in location tracking and SMS interception attacks.
- Implement phishing-resistant MFA for all network operations accounts with access to carrier network elements, lawful intercept systems, and subscriber database platforms, replacing any remaining SMS or TOTP-based authentication.
- Conduct a BGP security assessment, validating RPKI deployment coverage, reviewing route acceptance policies for external BGP peers, and establishing monitoring for anomalous route announcement changes.
- Deploy behavioral anomaly detection for CALEA access and subscriber record modification, establishing baselines for normal access patterns and alerting on deviations consistent with Salt Typhoon-style low-volume, high-value access patterns.
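The fifth action, as an added example that is not part of the original article or any carrier's tooling: a small Python detector builds a per-account baseline from constructed lawful intercept audit lines and alerts on the deviations listed above (new actor, new source host, off-hours access, access without a live order). The log format, host names, account names and warrant identifiers are all constructed; a real LI management system would need its own parser.

```python
"""Baseline-and-deviation detection over lawful intercept (LI) audit logs.

Added example, not from the original article or any carrier's tooling. It
implements the fifth first action: profile each account's normal access to
the LI management system, then alert on the low-volume deviations a Salt
Typhoon-style intrusion produces. Log format, hosts, accounts and warrant
IDs are all constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit format: ts account src_host system action target warrant
FIELDS = ("ts", "account", "src_host", "system", "action", "target", "warrant")

BASELINE_LOG = """\
2024-11-04T09:12:03Z li_admin01 liws-01 LIMS PROVISION_TARGET sub:5551230001 W-2024-118
2024-11-04T14:40:11Z li_admin01 liws-01 LIMS QUERY_TARGET sub:5551230001 W-2024-118
2024-11-05T10:02:45Z li_admin02 liws-02 LIMS PROVISION_TARGET sub:5551230044 W-2024-121
2024-11-06T16:55:20Z li_admin02 liws-02 LIMS QUERY_TARGET sub:5551230044 W-2024-121
2024-11-07T11:30:00Z li_admin01 liws-01 LIMS QUERY_TARGET sub:5551230001 W-2024-118
"""

# Later window to be checked against the baseline.
NEW_LOG = """\
2024-11-20T10:15:09Z li_admin01 liws-01 LIMS QUERY_TARGET sub:5551230001 W-2024-118
2024-11-20T03:07:41Z li_admin02 liws-02 LIMS QUERY_TARGET sub:5551230044 W-2024-121
2024-11-21T10:44:12Z netops_svc nms-jump-07 LIMS QUERY_TARGET sub:5551239999 W-2024-121
2024-11-21T11:02:30Z li_admin01 nms-jump-07 LIMS PROVISION_TARGET sub:5551239999 W-2019-001
"""

# Constructed register of intercept orders currently in force.
ACTIVE_WARRANTS = {"W-2024-118", "W-2024-121"}


def parse(text):
    """Split whitespace-separated audit lines into dicts with an hour field."""
    events = []
    for line in text.strip().splitlines():
        ev = dict(zip(FIELDS, line.split()))
        ev["hour"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        events.append(ev)
    return events


def build_baseline(events):
    """Per-account profile: source hosts used and hours of day seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in events:
        profile[ev["account"]]["hosts"].add(ev["src_host"])
        profile[ev["account"]]["hours"].add(ev["hour"])
    return dict(profile)


def detect(events, baseline, active_warrants=ACTIVE_WARRANTS):
    """Return (rule, event) pairs for each deviation from the baseline."""
    alerts = []
    for ev in events:
        prof = baseline.get(ev["account"])
        if prof is None:
            # An account with no LI history touching the LI system is the
            # classic low-volume, high-value signal; nothing else about it
            # can be compared, so report it and move on.
            alerts.append(("new_actor", ev))
        else:
            if ev["src_host"] not in prof["hosts"]:
                alerts.append(("new_source", ev))  # e.g. a network-management jump host
            if not min(prof["hours"]) <= ev["hour"] <= max(prof["hours"]):
                alerts.append(("off_hours", ev))
        if ev["action"] in ("PROVISION_TARGET", "QUERY_TARGET") \
                and ev["warrant"] not in active_warrants:
            alerts.append(("unknown_warrant", ev))  # access with no live order
    return alerts


def run():
    """Build the baseline from the first window and score the second."""
    return detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for rule, ev in run():
        print(f"{rule:15} {ev['ts']} {ev['account']}@{ev['src_host']} "
              f"{ev['action']} {ev['target']} {ev['warrant']}")
```

Against the constructed windows the first new line is silent, the second trips the off-hours rule, the third is a never-before-seen account reaching the LI system from a management jump host, and the fourth is a known LI administrator provisioning a target from that same host under a warrant reference that is not in force.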
---
Key Takeaways
- The Salt Typhoon intrusion campaign breached CALEA lawful intercept systems at multiple major U.S. carriers, demonstrating that mandated access architecture creates structural vulnerabilities that sophisticated adversaries specifically target.
- SS7's fundamental lack of authentication means SMS-based MFA is not secure against adversaries with SS7 network access or against SIM-swapping attacks; organizations that depend on SMS MFA are building their security posture on a structurally compromised foundation.
- Telecommunications carriers are not just critical infrastructure themselves; they are the delivery mechanism for security controls (MFA, emergency communications, authentication) across every other sector, making telecom breaches inherently cross-sector events.
- BGP, the routing protocol of the internet, has no native authentication and is susceptible to hijacking by any BGP-speaking network; RPKI adoption is the primary mitigation but deployment is uneven across the global carrier ecosystem.
- The FCC is moving toward mandatory minimum cybersecurity standards for carriers following Salt Typhoon, representing a regulatory shift from voluntary guidance to enforceable requirements that will reshape compliance obligations for the sector.
---
Related Articles
- Salt Typhoon: Anatomy of a Telecom Espionage Campaign
- SS7 and Diameter Protocol Vulnerabilities
- SIM Swapping: Attack Techniques and Defenses
- BGP Hijacking and RPKI: Securing Internet Routing
- Security for Critical Infrastructure: Cross-Sector Principles
---
Sources
- CISA/FBI/NSA. "Enhanced Visibility and Hardening Guidance for Communications Infrastructure." Advisory, December 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-337a
- Federal Communications Commission. "Report and Order: Cybersecurity Risk Management for Communications Providers." FCC 24-XX, 2024. https://www.fcc.gov/cybersecurity
- GSMA. "SS7 Vulnerability Disclosure Programme and Interconnect Security." Security Document FS.11, 2023. https://www.gsma.com/security/
- National Institute of Standards and Technology. "SP 800-187: Guide to LTE Security." 2017. https://csrc.nist.gov/publications/detail/sp/800-187/final
- Senate Select Committee on Intelligence. "Salt Typhoon: Foreign Compromise of U.S. Telecommunications Infrastructure." Committee Briefing Summary, December 2024.
- European Union Agency for Cybersecurity (ENISA). "Threat Landscape for Telecommunications." 2023. https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-telecom
Written by Evan Morgan