CISA’s communications guidance: A wake-up call for all industries

In late 2024, it became clear that the intensity of state-sponsored attacks on the network infrastructure critical to both public and private organizations had reached unprecedented levels, with potentially extreme consequences. Earlier, in July, the CrowdStrike incident showed how even minor, innocent errors can lead to major disruption. So it is no real surprise that by the end of December, following the discovery of the Salt Typhoon compromise, the then White House Deputy National Security Advisor for Cyber, Anne Neuberger, announced that the United States would follow the United Kingdom and Australia in implementing enhanced security and resilience regulations. These regulations recognize the critical role of the telecommunications sector, noting that “the nation’s secrets and the nation’s economy” depend upon it.

Throughout December and into January, U.S. government agencies and Communications Service Providers (CSPs) worked urgently to address the Salt Typhoon attacks, which compromised major telco networks. However, the threat extends beyond telcos to all organizations, and in many cases the groundwork for such attacks may already be in place. Anne Neuberger underscored this urgency by naming the critical steps organizations must implement, including improving configuration management for network devices and enhancing vulnerability management. These measures are no longer optional; they are essential.

Calls for urgent change: Defending against heightened threats

The stakes could not be higher. Volt and Salt Typhoon attacks date back as far as 2022, even though they were only recently discovered. This means state-sponsored threat groups have had the potential, at any time, to control Critical National Infrastructure networks and extract sensitive data, including information from health and financial sectors. As a result, for the first time in a decade, new rules for protecting healthcare data are also being introduced across the U.S.

Beyond this, Salt Typhoon highlights the deep threat of intellectual property theft affecting industries from aerospace to media and entertainment, along with the surge in ransomware and extortion threats that is impacting these sectors too.

Moving forward: Leveraging new guidance

In response to these escalating threats, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA, FBI and their Five Eyes counterparts, has issued guidance for telecommunications infrastructure defenders. The guidance emphasizes five key areas: network visibility, access control, segmentation, change detection and configuration management. These principles are critical not just for CSPs but for any organization with on-premises enterprise equipment.

Enhancing operational resilience: Four key practices

Aligned with CISA’s guidance, the following four actionable steps are foundational for strengthening defenses and building organizational resilience and recoverability. 

Segment networks to contain breaches

Network segmentation, both macro and micro, is a proven strategy for preventing or delaying attackers from moving laterally within a network. Begin by identifying critical systems and data and isolating them from enterprise IT networks using least-privilege access. Enforce segmentation by monitoring all network and user changes against approved whitelists and flagging anomalies in traffic. Effective segmentation can mean the difference between a manageable incident and a catastrophic failure.

Achieve full network visibility to identify anomalies

Without a comprehensive view of your network’s architecture, configurations, access controls and activity, defending it is nearly impossible. Continuous visibility allows organizations to establish baselines, differentiate between planned and unplanned changes, and quickly identify anomalies or indicators of compromise.

Assess risk exposure to known industry attacks

Organizations must understand and monitor their exposure to the known attack vectors specific to their organization or industry. Continuously assess and prioritize vulnerabilities, whether in configuration or software, based on their relevance to these attack vectors. Focus remediation efforts on the most critical risks to reduce the attack surface effectively. Advanced risk exposure monitoring solutions are essential for achieving this.

Maintain accurate CMDBs to aid business continuity and disaster recovery

Relying on the network devices themselves as the ‘source of truth’ for their configurations introduces significant risk, especially in disaster recovery scenarios. Accurate, up-to-date Configuration Management Databases (CMDBs) are critical for rollback and recovery, root cause analysis and business process improvement. Automating CMDB updates ensures all changes, planned or unauthorized, are documented, enabling swift recovery and preventing new exposure risks.
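The segmentation, visibility and CMDB practices above all hinge on the same mechanism: comparing a device’s running configuration against an approved baseline and telling planned changes from unplanned ones. The following is an added illustration, not code from the article or from CISA; the device configurations, the change ticket and the CMDB record are all constructed for the example.

```python
import difflib

# Constructed sample: the approved baseline held in the CMDB and the running
# configuration pulled from the device during a visibility sweep (made-up syntax).
BASELINE_CONFIG = """\
hostname edge-rtr-01
interface Gi0/1
 ip address 10.0.1.1 255.255.255.0
access-list 101 permit tcp 10.0.2.0 0.0.0.255 any eq 443
access-list 101 deny ip any any
"""
RUNNING_CONFIG = """\
hostname edge-rtr-01
interface Gi0/1
 ip address 10.0.1.1 255.255.255.0
access-list 101 permit tcp 10.0.2.0 0.0.0.255 any eq 443
access-list 101 permit tcp any any eq 22
access-list 101 deny ip any any
ip route 0.0.0.0 0.0.0.0 10.0.1.254
"""
# Constructed allowlist of planned changes: the exact lines each change ticket approved.
APPROVED_CHANGES = {"CHG-1042": {"+ip route 0.0.0.0 0.0.0.0 10.0.1.254"}}

def classify_changes(baseline, running, approved):
    """Diff the running config against the CMDB baseline and sort every added (+)
    or removed (-) line into planned (covered by a ticket) or unplanned."""
    ticket_by_line = {line: tkt for tkt, lines in approved.items() for line in lines}
    planned, unplanned = [], []
    for d in difflib.ndiff(baseline.splitlines(), running.splitlines()):
        if d[0] not in "+-":       # skip unchanged lines and ndiff's "?" hint lines
            continue
        change = d[0] + d[2:]      # normalise to "+line" / "-line"
        if change in ticket_by_line:
            planned.append((change, ticket_by_line[change]))
        else:
            unplanned.append(change)
    return planned, unplanned

def reconcile_cmdb(record, baseline, running, approved):
    """Update a CMDB record (a plain dict) after a sweep. The baseline rolls forward
    only when every change is planned; otherwise it stays the rollback point."""
    planned, unplanned = classify_changes(baseline, running, approved)
    record.update(planned_changes=planned, unplanned_changes=unplanned)
    if unplanned:
        record["status"] = "drift"       # old baseline remains the recovery target
    else:
        record["status"] = "in_sync"
        record["baseline"] = running     # approved change becomes the new baseline
    return record
```

Run against the sample, the unticketed `permit tcp any any eq 22` rule is reported as drift and the stored baseline is left untouched, so it remains a clean recovery target, while the ticketed default route is recorded as planned.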

Maintaining economic security and prosperity: Network readiness, resilience & recoverability

By implementing these practices, organizations can improve their network readiness, resilience and recoverability. These measures not only safeguard critical systems and data but also enable CSPs and other CNI providers to fulfil their role in maintaining national security and economic prosperity. 
