The Cybersecurity and Infrastructure Security Agency advised senior government and political officials to drill deep into their mobile phone settings to protect their communications from interception or manipulation in the wake of a massive compromise of U.S. telecom networks.
The detailed best practices represent CISA’s latest response to Salt Typhoon’s active and deep-rooted intrusion into at least eight U.S. telecom companies. The China-government-sponsored threat group already stole a large amount of metadata and compromised private communications of highly targeted individuals, officials said.
CISA’s mobile security recommendations are not for the technically inept, yet the agency says they are applicable to all audiences. The complicated steps are also an acknowledgment that federal authorities don’t have confidence in the structural integrity of telecom networks’ security.
“Until we have secure devices by design, secure software by design, we all have to own our personal security,” Jeff Greene, executive assistant director for cybersecurity at CISA, said during a Wednesday media briefing.
“Going forward, I don’t think we’ll ever be at a point where an individual can ignore their own security,” Greene said. “Just as, you know, we’re walking down the street we need to keep an eye out [for] what’s going on around us.”
What to do
The extraordinary measures CISA recommends stress the widespread alarm and worries officials have about the sweeping attacks on U.S. critical infrastructure.
Officials are still scrambling to determine the full extent of the damage caused, and worse yet, the attackers remain embedded in the networks and could cause significant disruption at a time of their choosing.
CISA’s guidance includes specific recommendations for iOS and Android devices and broadly applicable best practices for mobile communications, including calls to:
- Exclusively use end-to-end encrypted messaging and communications apps, such as Signal.
- Enable fast identity online (FIDO) phishing-resistant authentication, including hardware-based FIDO security keys where feasible or FIDO passkeys as an alternative.
- Stop using short message service (SMS) text messages for multifactor authentication. SMS is not encrypted and not resistant to phishing.
- Use a password manager to store all passwords and protect the primary password with a strong passphrase.
- Set a personal identification number (PIN) for telecom provider accounts.
- Update software often, and check weekly or enable automatic updates to ensure devices are running the latest versions of operating systems and other applications.
- Purchase the latest version of hardware offered by your preferred mobile phone manufacturer.
- Don’t use a personal virtual private network (VPN).
“There's no single solution that will eliminate all risks, but implementing these best practices will significantly enhance the protection of your communications,” Greene said during the briefing. “We urge everyone, but in particular those highly targeted individuals, to review our guidance and apply those that suit their needs.”