US officials are investigating potential national security risks tied to a telecom company founded in China whose internet routers are used by millions, multiple sources familiar with the matter told CNN.
US officials are concerned that cheap and ubiquitous routers made by TP-Link could offer a foothold for China-backed hackers into US infrastructure, the sources said.
The Commerce Department has opened a probe into the company that is in its nascent stages. One possible outcome of the probe is a ban on the sale of TP-Link routers in the US, two of the sources said.
It’s just one of a flurry of actions the Biden administration has taken in its waning days that officials say are aimed at blunting China’s ability to hack the American telecoms sector. The actions will carry into the Trump administration as it inherits the steep challenge of trying to counter China’s aggressive use of cyber operations to collect intelligence.
The Commerce Department last week also sent a “preliminary finding” as part of a separate inquiry into another company, the US subsidiary of China Telecom, the state-owned telecoms giant, related to national security risks that US officials believe stem from the use of its equipment by American telecom companies, two sources said. It’s the first step in a potential purge of any remaining China Telecom gear from US carriers.
All of it comes as major US telecom carriers are still working to evict Chinese hackers from their networks in a cyber-espionage campaign that targeted senior US political figures, including President-elect Donald Trump.
The Wall Street Journal first reported on the Commerce Department investigation into TP-Link.
Founded in China in 1996, TP-Link has grown into a dominant player in the global market for wireless internet routers. Its exact market share in the US is unclear (a TP-Link spokesperson did not respond to a question on market share), but the gear’s wide use in the US is one reason for the investigation.
TP-Link this year announced a corporate restructuring, establishing a headquarters in California, TP-Link Systems, that it says is separate from its China operations.
“As a U.S.-headquartered company, TP-Link Systems Inc.’s security practices are fully in line with industry security standards in the U.S.,” a TP-Link Systems spokesperson told CNN.
“We welcome opportunities to engage with the federal government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the American market, American consumers, and addressing U.S. national security risks,” the statement said.
The company has not been accused of any wrongdoing.
China has an array of hacking groups that are adept at exploiting internet and phone service providers to hoover up sensitive user information, according to private experts and US officials. The hackers have exploited not just TP-Link routers but also those made by American vendors such as Cisco.
The Chinese government routinely denies US allegations of cyberattacks.
“We urge the U.S. to stop broadening the concept of national security and cease the abuse of national power to suppress Chinese companies,” Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, DC, said in an email.
A Commerce Department spokesperson declined to comment.
‘It was only a matter of time’
A wide-ranging hacking campaign aimed at the phone calls of Trump, Vice President-elect JD Vance and senior Biden administration officials, which became public this fall, has brought renewed urgency to the Commerce Department inquiries into Chinese telecom equipment.
US officials believe the Chinese hackers breached at least eight US telecommunications providers in their quest to spy on top US political figures as part of a hacking campaign that has affected dozens of countries worldwide, a senior White House official said this month.
The hackers were able to burrow deep into the networks of some US telecom providers more than a year ago and, in some cases, listen to calls and read the texts of some targets.
Although there is no evidence that TP-Link equipment was exploited in those hacks, US officials are scrambling to take a much broader look at the vulnerabilities in US telecom infrastructure in the wake of the spying campaign.
US telecom carriers “never should have been in this situation” of having their networks so thoroughly compromised by Chinese hackers, Brendan Carr, Trump’s pick to lead the Federal Communications Commission, told CNN.
Amid the fallout, the FCC has proposed tightening cybersecurity regulations for telecom carriers while a draft Senate bill from Sen. Ron Wyden would go further by requiring independent security audits for carriers. Privately, telecom executives concede that some new security requirements are inevitable because of the hack, which was carried out by an alleged Chinese group known as Salt Typhoon.
“It was only a matter of time before foreign hackers would get deep into the American communications systems,” Wyden, an Oregon Democrat who serves on the intelligence committee, told CNN.
The spying operation has stalked the Trump transition team, which has constantly rotated which phones senior staff use to try to keep the Chinese guessing, CNN previously reported. There are more in-person meetings at Trump’s Mar-a-Lago estate in Florida rather than phone calls in part because of concerns about relentless Chinese surveillance.
US intelligence agencies have previously exploited telecom networks to spy on China, according to documents leaked by former US contractor Edward Snowden. But the recent telecom spying has also added tension to US-China cyber relations, which are rarely calm. In conversations with their Chinese counterparts, US diplomats have complained that the scope and scale of the Salt Typhoon hacks is excessive, a source familiar with the matter told CNN.
The blame game
In some cases, a lack of strong security measures at some telecom carriers and equipment makers likely exacerbated the damage from the alleged Chinese hacking campaign and meant the hackers weren’t discovered earlier, two US officials said. The sources did not single out specific companies. The blame the White House has put on telecom carriers for the breach has rankled some telecom executives, who say they have invested heavily in defenses and are up against an extremely skilled hacking group.
Given their skill and resources, the alleged Chinese hackers may have succeeded in breaking into the telecom carriers and their software providers regardless of the defenses in place, sources told CNN.
But US officials and telecom executives struggled to anticipate how the alleged Chinese spies would study and exploit the totality of the telecom system, its interconnections and the software and hardware it relies on.
The status quo has to change, according to Wyden.
“This is a fork in the road and you either stay with a broken system that’s essentially been voluntary, or you say you’re going to fix this thing and you’re going to have some mandatory action,” Wyden told CNN.
Wyden’s bill would require top executives at the carriers to submit signed statements saying they are in compliance with FCC cybersecurity rules.
Telecom providers have long had to balance the privacy of their users and their ability to scour their networks for criminal and state-backed hackers, said Marcus Sachs, the former vice president of national security policy at Verizon.
The big telecom carriers are generally good at quickly finding and fixing attempts to break into their networks, he said.
“The worst case is when the stuff is unknown for months or years, and the intruder’s been sitting inside, monitoring and collecting and you had no idea that they were there,” Sachs said.