
Infrastructure Defense: Communications systems
The Communications Sector is a key enabler in the operations of nearly all other infrastructure and industries. It is considered one of the four foundational sectors and includes multiple domains like mobile broadband, cloud computing, broadcasting, and networks that support the internet and other information systems. These systems are partially illustrated here:
The modern Communications Sector is nearly unrecognizable to those who first defined it thirty years ago. The 1996 Executive Order 13010 (EO 13010) identified telecommunications as one of eight sectors that were vital to the defense and economic security of the United States. EO 13010 recognized both physical and cyber threats and provided the first formal definition of critical infrastructure. At that time, the telecommunications sector was focused on traditional telecommunications systems and networks.
The 1998 Presidential Decision Directive 63 (PDD-63) expanded the scope of cyberthreats, increased the critical infrastructure sectors, and assigned specific federal agencies to lead government efforts with each sector. Terminology was also updated to reflect a larger set of industries and functions within each sector. This brought us the Communications Sector, which was more inclusive of emerging technologies and new information systems.
The Communications Sector has extensive interconnections with virtually all other critical infrastructure. Here are some details on its interdependencies with the three other core sectors:
| Sector | Dependencies on Communications | Communications Dependencies on the Sector |
|---|---|---|
| Transportation | Real-time traffic management and navigation systems | Infrastructure support (e.g., fiber optic lines along transportation routes) |
| Energy | Monitoring and control of energy grid operations (SCADA systems) | Reliable power supply to communication systems |
| Water | Supervisory Control and Data Acquisition (SCADA) systems for water treatment and distribution | Water for cooling communication equipment (e.g., data centers); dependence on water utilities for maintenance activities |
These interdependencies create a complex risk landscape, where a disruption in one sector can have cascading effects across multiple others.
Who’s in charge?
Ownership of the assets in the communications sector involves a mix of private companies, public entities, and hybrid structures, with hundreds of companies operating within several industries. Examples:
Private Sector Owners
Public Corporation: Verizon Communications Inc. owns and manages an extensive network of cellular towers, fiber-optic cables, and other critical communications assets.
Private Companies: Diamond Communications owns and manages over 4,000 tenanted wireless communication sites, distributed antenna properties, and other assets.
Public Sector Owners
The U.S. Department of Defense (DoD) owns and operates multiple communications systems including the Defense Information Systems Network (DISN), the Joint Worldwide Intelligence Communication System (JWICS), and the Defense Communications and Army Transmission Systems (DCATS). The DoD is one of the largest public sector owners of critical infrastructure in the U.S.
Hybrid Partnership Structures
The Maine Connectivity Authority is a public-private partnership in the communications sector. This state-owned organization exists to expand broadband services to rural areas and other communities in Maine. To this end, the state government partners with multiple private companies that can deliver these services.
Public-Private Partnerships (PPPs)
The Eastern Shore of Virginia Broadband Authority is a partnership between Accomack and Northampton counties. This authority built a middle-mile broadband backbone throughout the two rural counties and made it available to local communities and private service providers.
The private sector owns most of the communication assets in the United States. Because the owners and operators are responsible for the security of their assets, the private sector is responsible for securing most of the communications infrastructure in the U.S.
Each sector has a Sector Risk Management Agency (SRMA) and Sector-Specific Plan (SSP) meant to help owners and operators with managing current risks. Although the development of the SSP is mandatory, the implementation of the SSP guidance is almost always voluntary for the private sector and other non-federal entities.
The U.S. Department of Homeland Security (DHS) is the Sector Risk Management Agency (SRMA) for the Communications Sector. The Cybersecurity and Infrastructure Security Agency (CISA) is the agency that performs these SRMA duties. The Communications SSP is published here.
Risks and challenges
A 2021 report by the U.S. Government Accountability Office (GAO) summarized risks to the Communications Sector in a 43-page report that identified three key issues:
- CISA had not assessed the performance of its support to the Communications Sector. There were no metrics or feedback mechanisms in place to measure effectiveness.
- CISA had not completed a capability assessment for its role as federal coordinator for incident response and recovery. There may be unknown gaps in resources or staffing.
- CISA had not updated the 2015 Communications Sector-Specific Plan to reflect new and emerging threats, risks, and its statutory responsibilities. The SRMA recommends that all SSPs be updated every four years.
The GAO included recommendations for executive action to address these key issues. As of this writing, these recommendations remain open.
It’s important to remember that the SSP provides guidance only, and no entity is required to follow the recommendations. However, the SSP speaks to the unique operating conditions and risk landscape faced by the sector. Because the SSP is currently outdated, it lacks guidance on new and emerging threats to the communications technology supply chain, or disruptions to position, navigation, and timing services.
Other challenges are similar to those found in many other industries: legacy systems that are mission critical but outdated and unsupported, supply chain vulnerabilities under third-party control, and infrastructure fragmentation that creates inconsistent security practices between providers.
Ongoing Cyberattacks and Damages
At least nine U.S. communications providers have been compromised by Salt Typhoon, a threat actor affiliated with the People’s Republic of China (PRC). This group has been targeting communications and other critical infrastructure worldwide since at least 2020. Researchers believe this group was targeting hotels, governments, and law firms since 2019, but the group was not identified until later. The U.S. Federal Bureau of Investigation (FBI) and CISA confirmed Salt Typhoon’s affiliation with the PRC.
Salt Typhoon is known by several other names, such as FamousSparrow, GhostEmperor, and UNC2286. The group uses a variety of sophisticated tactics, techniques, and procedures (TTPs) in their cyberattacks:
- Vulnerability Exploitation: The group exploits both known and zero-day vulnerabilities in widely used systems, such as Microsoft Exchange (ProxyLogon vulnerabilities) and Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887).
- Advanced Malware: Custom malware such as "GhostSpider" enables persistent access to compromised systems.
- Lateral Movement and Obfuscation Techniques: The group uses a variety of tools to move through systems and evade detection.
Salt Typhoon also uses stolen credentials and malware infections to gain access. These are proven methods of compromise, and you should assume that even the most sophisticated groups will use these methods.
Two other PRC affiliates have been linked to attacks on the communications sector. Volt Typhoon and APT41 have infiltrated seemingly secure systems, often through unpatched or previously unknown vulnerabilities.
The PRC isn’t alone in these attempts to destabilize other countries. Russian threat actors like Sandworm (GRU Unit 74455) and APT29 (Cozy Bear, Midnight Blizzard) have targeted infrastructure companies in many western nations. Sandworm seems to focus its efforts on Ukraine, while APT29 conducts global attacks.
Several groups affiliated with the Democratic People's Republic of Korea (DPRK, North Korea) have been implicated in attacks on U.S. communications. Threat groups like Andariel (APT45), Kimsuky (APT43), and Lazarus Group have infiltrated U.S. critical infrastructure to support the North Korean regime. Mandiant researchers have published this illustration of the relationships between DPRK threat actors and the Kim Jong Un regime:
All these groups are motivated by espionage, strategic positioning, and financial gain. It’s hard to calculate the damage done by these attacks, but we know there are significant financial losses and exposure of sensitive data. There have also been operational disruptions, which amplify the costs beyond the realm of incident recovery.
Guidance to communication systems operators
Communications infrastructure operators should follow these best practices and procedures:
- Network segmentation to limit lateral movement and isolate critical systems and sensitive data.
- Strong authentication methods designed to resist phishing and other credential-based attacks.
- Disable all unnecessary services and protocols on network devices, keep the operating system versions current, and apply security patches promptly.
- Educate staff on cybersecurity best practices, including how to identify phishing attempts and the importance of following the company security procedures.
- Develop an incident response plan and conduct regular security assessments.
- Assess and monitor the security practices of vendors and suppliers to mitigate risks associated with third-party access to systems and data.
Guidance to the public
One of the most important responsibilities of the public is to protect credentials and identity. Use strong passwords and MFA, be wary of phishing attempts and suspicious links or downloads, and be mindful of sharing personal information on social media. Using secure Wi-Fi connections and protecting access to personal devices are also critical measures.
There’s no denying that critical infrastructure is a national security issue. Each operator in these systems must encourage a culture of security awareness and practice good cyber hygiene. It’s also important that stakeholders leverage their partnerships and other support systems. We cannot properly secure the communications infrastructure without a collaborative approach involving government, industry, and the public.