The Department of Defense is facing criticism from two US senators for failing to protect the communications of its military personnel from Chinese hacking and espionage. Democratic Senator Ron Wyden from Oregon and Republican Senator Eric Schmitt from Missouri have accused the DoD of relying too heavily on old-fashioned landline calls, unencrypted cellular calls, and texts, which are vulnerable to snooping by foreign spies.

The senators' concerns are rooted in the ongoing Chinese hacking campaign targeting American phone and internet giants. Specifically, they point to the Chinese government espionage group known as Salt Typhoon, which was recently accused of breaking into US major telecommunications providers, including AT&T and Verizon, to spy on Americans.

In a bipartisan letter to the DoD's government watchdog, the senators wrote that the "widespread adoption of insecure, proprietary tools" is a direct result of DoD leadership failing to require the use of default end-to-end encryption, a cybersecurity best practice. They also highlighted the failure to prioritize communications security when evaluating different communications platforms.

The senators also identified SS7, a decades-old protocol used by phone carriers worldwide to route calls and texts, as a weakness that DoD employees are still vulnerable to. SS7 is routinely exploited for espionage, and its successor protocol, Diameter, is also a concern. Global telcos have yet to adopt new methods to protect regular calls and texts in transit, leaving DoD personnel exposed.

Wyden and Schmitt are urging the DoD to reconsider its contracts with US telcos and instead "renegotiate with the contracted wireless carriers, to require them to adopt meaningful cyber defenses against surveillance threats, and if requested, to share their third-party cybersecurity audits with DoD." This would ensure that military communications are better protected from foreign espionage.

The senators' letter includes two whitepapers from the DoD, which responded to a series of questions related to the department's cybersecurity posture. In one of the responses, the DoD's chief information officer conceded that SS7 and Diameter are not secure, but noted that the department has not conducted its own audits, instead relying on telecommunications providers' own and third-party commissioned audits.

However, the CIO also admitted that the DoD has not reviewed those audits because the carriers consider them protected as attorney-client privileged information. Furthermore, the DoD has not disabled roaming or rejected SS7 and Diameter traffic, even for DoD users in Russia, China, and other high-risk countries known for conducting cyberattacks on phones.

Jeffrey Castro, a spokesperson for the DoD's Inspector General, told TechCrunch that the watchdog has received the letter and is reviewing it. The senators' concerns highlight the need for the DoD to prioritize the security of its communications, particularly in the face of ongoing Chinese hacking campaigns.

The implications of the DoD's failure to secure its communications are far-reaching, with potential consequences for national security and the safety of military personnel. As the US government continues to grapple with the threat of Chinese espionage, it is essential that the DoD takes immediate action to address these vulnerabilities and protect its communications.

In the broader context, this incident highlights the need for greater investment in cybersecurity and encryption technologies to protect sensitive information. As the world becomes increasingly reliant on digital communications, the importance of securing these channels cannot be overstated. The DoD's failure to do so serves as a stark reminder of the risks of complacency in the face of emerging threats.