“It's the same doors that the good guys use, that the bad guys can walk through” - former White House tech advisor on data-centric security in the wake of Salt Typhoon


On October 25, 2024, the FBI and CISA released a joint statement marking the first public acknowledgement that US telecommunications networks had been breached by Salt Typhoon, a group widely recognized to have credible links to the Chinese government.

As the months went by, numerous companies revealed they had been targeted, including AT&T and Verizon, which confirmed threat actors had successfully penetrated their systems, with the attackers likely accessing the network traffic of millions of Americans, as well as high-profile government individuals and a backdoor surveillance network used by the US authorities.

Reviewing the situation, John Ackerly, CEO and co-founder of Virtru and former tech advisor for the Bush Jr. administration, believes misaligned incentives in US security laws created the perfect storm for Salt Typhoon.

Day one in the West Wing

At 7:30 am on September 11, 2001, John Ackerly was delivering a briefing on federal privacy legislation to the deputy chief of staff which, if passed, would have required opt-in consent for data to be shared from its owner to third parties.

Just over a month later, following the worst terrorist attack on American soil, Ackerly was in the room when the Patriot Act, which gave US security agencies near-unfettered authority to tap domestic and international phones in pursuit of the global war on terror, was passed.

For many at the time, the rationale behind the Patriot Act was one of, ‘if you have nothing to hide, you have nothing to fear,’ with a reduction in privacy being the trade-off for better security.

The same rationale was used earlier, in the mid-1990s, with the introduction of the Communications Assistance for Law Enforcement Act (CALEA), which required telecommunications companies to build backdoors into the technology and services they provided to allow US authorities to pursue warranted telephone wiretaps. The requirement was later extended to cover internet and Voice over Internet Protocol (VoIP) networks.

Fast forward to 2024, and the very same backdoors installed to keep American citizens safe are the ones which have been breached by Salt Typhoon.

“It's the same doors that the good guys use, that the bad guys can walk through,” Ackerly says, adding that the legal structure behind the Patriot Act and CALEA “literally opened the door for these types of breaches and made them much worse.”

“I think it’s a real wake-up call,” he continues. “I was there in 2000 with the Republican Convention where we explicitly added language that said that any mandates for any back doors is a bad idea. We could have seen this coming, and we should have.”

Data-centric security

The attacks have been a reality check for US security agencies, with the FBI recommending US citizens switch to using end-to-end encrypted messaging apps such as Signal for personal communications. But Ackerly believes there is more to be done, both for the authorities and for organizations.

Virtru’s Data Security Platform is built on the Trusted Data Format (TDF) specification, which packages data into an encrypted format that can only be decrypted and accessed by authorized users. The TDF format was developed by John’s brother Will, Virtru’s co-founder and CTO, as a more secure alternative to the data-transfer techniques being used by the NSA in Iraq.

“He was actually the guy running with the USB drive back and forth from the SCIFs where all the top secret data was, and then getting that to helicopters to take action,” Ackerly recalls, adding that “generally, humans running with USB drives is poor security.”

TDF has since been adopted by the Office of the Director of National Intelligence as well as the Five Eyes intelligence community, with Ackerly noting Virtru was set up to “empower people and organizations to unlock the value of data by being able to share with the confidence that it's in their control.”

Looking into the future, Ackerly points to the UK Ministry of Defence and US Department of Defense as examples of “data centric security as a first order principle,” with both organizations moving to “separate network and cloud infrastructure from the trust layer” by tagging and securing data at scale, allowing it to be shared much faster - especially in the case of classified intelligence.

“This needs to be expanded to the commercial market with real incentives,” Ackerly continues, “because it's going to take so long to upgrade all of these networks, and that's billions and billions of dollars, and decades in the making.”

Fortunately, however, there appears to be work businesses can do now to better protect themselves.

“There's no simple silver bullet, but it's a lot easier now than it was even a few years ago,” Ackerly says, adding that the best approach for organizations is “don't trust third parties to do the right thing with your data.”

When interacting with networks outside of your own, Ackerly recommends separating the layers by protecting your data before it even reaches a third party, placing heavy emphasis on zero trust policies, identity management and multi-factor authentication for sensitive data.

“Get started first on identity and then data protection,” he says, “and then from there, you can focus on everything else. You can get started within days and it's not that costly to do.”

“I started this business to solve the societal challenge that we saw back in the early 2000s and here we are in 2025 and we are making some progress, but there's so much more to do,” Ackerly concludes.


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
