Major U.S. telecommunications companies launched a new information sharing group on Tuesday in a bid to redouble their collective efforts to combat AI-powered cyberattacks, state-sponsored espionage and other increasing threats to communications networks.
The Communications Cybersecurity Information Sharing and Analysis Center, or C2 ISAC, will give telecoms a private venue for exchanging sensitive information such as newly discovered vulnerabilities and tips about threat actor behavior. The eight founding members are AT&T, Charter, Comcast, Cox, Lumen, T-Mobile, Verizon and Zayo. Their chief information security officers will sit on the C2 ISAC’s board, while Valerie Moon, a former top official at the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI’s Cyber Division, will serve as the group’s executive director.
The group’s formation comes as major cyberattacks like China’s Salt Typhoon espionage operation highlight the growing risks facing the U.S. telecom sector — and as the Trump administration’s pullback from key cybersecurity partnerships forces the private sector to take a leading role.
“The main driver for us is our recognition that the threat environment has evolved, and we as a sector and private entities need to evolve and really keep up with the pace and velocity [at which] that’s happening,” Mark Clancy, T-Mobile’s chief security officer and a C2 ISAC board member, told Cybersecurity Dive in an interview.
As telecoms scrambled to respond to Salt Typhoon, Clancy added, “the need for us to collaborate on a private-to-private basis really became amplified.”
The telecom industry already shares threat intelligence and best practices under the auspices of the Communications ISAC, also known as the National Coordinating Center for Communications. But that group, created in 1984, is unique among ISACs in that it sits within the federal government, at CISA, rather than being a private entity. That arrangement has discouraged some companies from sharing sensitive data through the group, according to Clancy.
“There’s been concerns and hesitations about it,” he said.
By excluding government agencies from discussion channels, Clancy said, the C2 ISAC hopes to encourage more candid and sensitive discussions. “When you have public-sector entities involved, there’s more review and deliberation about what gets put into that channel,” he said, “where[as] we can be a little more raw and early in sharing information.”
Telecom companies have realized over the years that they were “being too restrictive in what we were sharing” in the Comms ISAC, Clancy said, including withholding data about seemingly low-level threat activity that was “actually tethered to bigger activity.” With the C2 ISAC’s industry-only membership, he said, “we can be a little more direct.”
Telecom companies will still participate in the Comms ISAC, Moon, the C2 ISAC’s executive director, told Cybersecurity Dive in an interview — in part because the new group will focus exclusively on cybersecurity issues, leaving physical hazards to the existing ISAC.
“We really see this as a complementary effort,” she said. “When you think about each of these companies and their adherence to ensuring that the privacy of their data is very much at the forefront of their minds, they see this as a trusted space.”
How telecoms share cybersecurity intel
Information sharing has benefited the telecom sector in ways far beyond indicators of compromise, with companies using the existing ISAC and bilateral relationships to exchange data and insights about a wide range of activity that they’re seeing.
After T-Mobile uncovered telltale signs of SIM boxes — devices that hackers use to generate hard-to-block spam calls and messages — the company shared its findings with other telecoms, which helped them identify and block SIM boxes on their networks.
Collaboration is the only way to address a threat like SIM boxes, Clancy said, because while T-Mobile can identify an individual box on its network, the command-and-control server for that box may reside on a different telecom’s network. “In order to figure out what’s happening, you’ve got to look at both sides,” he said.
T-Mobile has benefited from the industrywide sharing of other best practices, too.
“I learned a technique for dealing with some of the residential proxy networks from another operator that was really clever,” Clancy said, “and I’m, like, ‘Yeah, we’re going to go do that.’”
Beyond exchanging threat data
Candid information sharing is the core of the C2 ISAC’s mission, but its leaders may want to expand its remit in the future.
“We could build automation platforms and other [technologies] that are easier to coordinate on the private-to-private side than going through some public-sector rulemaking process,” Clancy said.
For coordinated operations like botnet takedowns, companies probably won’t use the new ISAC for the foreseeable future, but Moon said board members are interested in discussing how that would work. “It just depends on what the operation is and where the authorities lie and what we are trying to accomplish.”
The group is “in its nascent stages,” she added, and some of its goals “are yet to be determined.”
Also undetermined: How quickly the group will add new members.
“There are more than eight companies in the communications sector, and so we won’t be fully effective until we increase that membership base,” Clancy said, “but we haven’t formally laid out our timeline.”
Government dysfunction looms large
The C2 ISAC will launch at a time of unprecedented cuts to government cybersecurity funding, personnel and programs, and the group’s leaders are closely tracking what those changes mean for their work.
“Obviously, what’s happening in the public sector informs what we need to do,” Clancy said, alluding to “various issues with agencies and funding and the legislative process.”
In particular, he encouraged the Department of Homeland Security to fast-track the creation of a replacement for the now-shuttered Critical Infrastructure Partnership Advisory Council framework, which facilitated candid discussions between industry and government — although he said the reauthorization of the Cybersecurity Information Sharing Act had given the private sector “sufficient capability and authorities” to exchange intelligence with the government.
While government agencies won’t sit in on C2 ISAC discussions, the group still plans to share its findings with federal agencies, whether directly or through the Comms ISAC.
“We could have a more freewheeling private-to-private conversation [and] we could distill the useful, important bits and push them … over to the government side,” Clancy said.
Salt Typhoon exposed glaring security weaknesses
The high-profile Salt Typhoon attacks underscored what previous breaches had already established: telecom companies’ networks are rife with security vulnerabilities that can open the door for major intrusions. Carriers’ networks are often full of computer systems that have been combined over decades of acquisitions, mergers and spinoffs, resulting in inadequate visibility and weak security controls. These sprawling IT environments are difficult to fully assess, let alone protect.
It remains unclear how the C2 ISAC will address that pressing issue facing the sector. But companies say they’ve made significant improvements since Salt Typhoon.
“We’ve all made huge investments in cybersecurity and improved our operational capabilities,” Clancy said. “The challenge in this space is, are you getting better faster than the environment’s getting worse? That’s the race you’re in. And the environment’s getting worse pretty fast.”
Telecom providers believe they will be better at combating hackers the more closely they work together.
“By formalizing real-time intelligence sharing among industry leaders,” Verizon CISO Nasrin Rezai said in a statement to Cybersecurity Dive, “we are building a unified defense that no single company could achieve alone.”
