Aviatrix Blog

The Big Truth Salt Typhoon Reveals About Network Security

The Salt Typhoon intrusions show why encryption matters and where MACsec falls short.

Network encryption has taken on new importance following recent guidance from the FBI and CISA urging organizations to make securing network communications a critical priority. The shift stems from the newly uncovered campaign by Salt Typhoon, a group associated with China’s Ministry of State Security, now being called one of the largest intrusions into U.S. infrastructure in history. The campaign, which compromised major trusted telecoms including AT&T, Verizon and others, prompted U.S. agencies to reverse their long-standing position and recommend that the public use end-to-end encrypted messaging platforms (WhatsApp and the like).

Encrypted communications have historically frustrated law enforcement, which cannot read their contents during criminal investigations. That the same agencies are now reversing their advice shows how seriously they take this newly discovered threat.

While we do have practical advice for businesses looking to secure their network communications — which we’ll dive into below — this event is truly a wake-up call for businesses concerned with the security of their information. The scale and scope of this hack, as well as the major players and providers affected, shine a light on vulnerabilities that can exist within even the largest organizations.

Ultimately, it’s up to each company to understand and take responsibility for its own security posture. Organizations that trusted “private circuits” from service providers like Verizon and others to protect their data, and never invested in encryption of their own, need to look into ways to encrypt those circuits now.

What You’ll Learn:

  • Why the Salt Typhoon hack should prompt organizations to rethink their network security
  • The hidden risks of relying on “private circuits” for data protection
  • Why MACsec encryption may be leaving your network vulnerable
  • Practical alternatives to strengthen your network security
  • Steps to effectively implement network encryption


The Fallacy of Private Circuits

Many customers trust private circuits from their providers, assuming that because the traffic never touches the internet, it is inherently secure. This perception drives the use of private connectivity such as AWS Direct Connect and Azure ExpressRoute. It is a fallacy: a private circuit buys you a dedicated path, not confidentiality. Neither Direct Connect nor ExpressRoute encrypts your traffic by default, and many customers never add encryption because they trust the provider.

Media Access Control Security (MACsec, IEEE 802.1AE) is sometimes used to encrypt these circuits, but it is often complicated, expensive, and dismissed as unnecessary. Ultimately, “private” does not equate to “secure,” and organizations must take control of their confidentiality with encryption they own at both ends.

You may ask: If private circuits aren’t private, why use them at all? If encryption is the answer either way, why not just do it over the internet instead of private circuits?


Why Companies Pair Private Circuits with MACsec

There are three main reasons companies pair private circuits with MACsec:

  1. Perceived Performance Constraints: Many believe a private circuit with MACsec is the only way to encrypt without sacrificing throughput, because IPsec on a general-purpose gateway is limited by what a single tunnel on a single CPU core can push. This is a misconception: multi-tunnel, multi-core approaches such as Aviatrix’s patented High-Performance Encryption (HPE) spread traffic across many IPsec tunnels and cores to encrypt at high line rates.
  2. Egress Data-Transfer Costs: Concerns about egress charges often lead customers to private circuits. Direct Connect and ExpressRoute bill a fixed port-hour or circuit charge plus data transfer out, metered at a lower per-GB rate than internet egress; inbound transfer is not charged. The cost case for a private circuit can be valid, but it says nothing about confidentiality, so encryption still needs to be layered on top. Aviatrix helps customers move from unencrypted to encrypted circuits without added complexity.
  3. Dedicated Bandwidth Needs: Some customers value private circuits for guaranteed bandwidth, believing it ensures consistent performance for hybrid cloud applications. However, internet paths, which run on the same carrier infrastructure, often perform just as well. Aviatrix’s integrations with Equinix, Megaport, and its own Secure High-Performance Datacenter Edge enable encrypted communications over private circuits, offering both security and flexibility.


Key Point

Salt Typhoon compromised the core networks of major telecoms like AT&T and Verizon, the same carriers that sell “private circuits.” Private doesn’t mean secure: encryption you terminate yourself is essential regardless of your connection type.


Security Risks Associated with MACsec

MACsec does encrypt, but its scope is a single Ethernet link: the security association runs between the two devices at either end of a cable or provider segment, not between your endpoints. Every switch or router that terminates a link on the path decrypts the frame, handles it in the clear, and re-encrypts it on the next link. On a provider circuit, those link terminators belong to the carrier, so your data sits in plaintext inside equipment you neither own nor monitor at every hop, which is exactly where an intruder with carrier access, as Salt Typhoon had, is positioned to read or alter it.

This security shortcoming, combined with hardware dependencies, licensing costs, and operational complexity, raises significant concerns about MACsec’s overall effectiveness. To protect your network, you must critically assess whether MACsec aligns with your organization’s security needs and explore alternatives that keep the payload encrypted across every hop you do not control.


Gaps in MACsec’s Encryption Method

MACsec’s link-by-link design leaves gaps an attacker can exploit:

  • Decryption points outside your control: Every device that terminates a MACsec link holds the plaintext. An attacker who compromises one intermediary in a third-party network can read sensitive data, inject traffic, or disrupt communications, and the more hops you do not own, the more such points exist.
  • Attack surface at each hop: A compromised intermediary can impersonate legitimate devices, mount man-in-the-middle attacks, inject packets, and exfiltrate data, and nothing on your side of the circuit will show it, because your own MACsec link still terminates correctly. Advanced persistent threats can use such a foothold to persist undetected for long periods, undermining overall security.


[Diagram: how MACsec’s hop-by-hop encryption leaves a gap that a Salt Typhoon-style intrusion could exploit]

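To make the hop-by-hop point concrete, here is a small model of a hybrid path, added as an example for this page; it is not Aviatrix code or anything from the MACsec standard. The hop names and the `acme`, `telco` and `cloud` owner labels are constructed. `exposure()` works out which wire segments a passive tap could read and which devices hold your payload in clear under link-layer (MACsec) encryption, under an end-to-end overlay tunnel such as IPsec, or under neither.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Hop:
    name: str
    owner: str  # organisation that administers the device


# Constructed example path (not from the post): on-prem edge router, the
# carrier's provider-edge and core devices, the cloud provider's router that
# terminates the circuit, and the customer's own gateway inside the cloud.
PATH = [
    Hop("dc-edge-rtr", "acme"),
    Hop("carrier-pe-1", "telco"),
    Hop("carrier-core", "telco"),
    Hop("carrier-pe-2", "telco"),
    Hop("cloud-circuit-rtr", "cloud"),
    Hop("vpc-gateway", "acme"),
]


def exposure(path, macsec_links: Set[int], tunnel: Optional[Tuple[int, int]],
             trusted_owners: Set[str]):
    """Where is the payload readable?

    path           ordered hops; link k joins path[k] and path[k+1]
    macsec_links   indices k of links protected by MACsec (one SA per link)
    tunnel         (i, j) hop indices of an end-to-end overlay terminated on
                   path[i] and path[j], or None
    trusted_owners owners whose devices are under your control

    Returns (wire_clear, device_clear, untrusted_devices):
      wire_clear         link indices a passive tap on the wire could read
      device_clear       names of hops that hold the payload in plaintext
      untrusted_devices  the subset of device_clear not run by a trusted owner
    """
    n = len(path)

    def link_inside_tunnel(k: int) -> bool:
        return tunnel is not None and tunnel[0] <= k < tunnel[1]

    def device_sees_clear(k: int) -> bool:
        # Inside the overlay, intermediate devices only forward ciphertext.
        # Without it, every device terminating a MACsec link must decrypt.
        if tunnel is None:
            return True
        i, j = tunnel
        return not (i < k < j)

    wire_clear = {k for k in range(n - 1)
                  if k not in macsec_links and not link_inside_tunnel(k)}
    device_clear = {path[k].name for k in range(n) if device_sees_clear(k)}
    untrusted = {path[k].name for k in range(n)
                 if device_sees_clear(k) and path[k].owner not in trusted_owners}
    return wire_clear, device_clear, untrusted


def macsec_every_link():
    """Provider-managed MACsec on every segment, no overlay."""
    return exposure(PATH, set(range(len(PATH) - 1)), None, {"acme"})


def overlay_end_to_end():
    """IPsec-style tunnel from dc-edge-rtr to vpc-gateway, no MACsec."""
    return exposure(PATH, set(), (0, len(PATH) - 1), {"acme"})


def bare_circuit():
    """Private circuit with neither MACsec nor an overlay."""
    return exposure(PATH, set(), None, {"acme"})


if __name__ == "__main__":
    for label, fn in [("MACsec on every link", macsec_every_link),
                      ("end-to-end overlay", overlay_end_to_end),
                      ("no encryption", bare_circuit)]:
        wire, devices, untrusted = fn()
        print(f"{label}: wire-readable links={sorted(wire)} "
              f"plaintext on untrusted devices={sorted(untrusted)}")
```

Separating `wire_clear` from `device_clear` is the useful part. MACsec on every link does defeat a passive tap on the fibre, which is real value, but it still leaves the payload in plaintext on four devices you do not run. The overlay moves the trust boundary to the two devices you do.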

MACsec Encryption Increases Complexity and Costs

MACsec encryption also intensifies the challenges of cloud complexity, already an issue for overworked networking teams, and drives up costs:

  • Hardware Demands: MACsec is performed in hardware, so it requires MACsec-capable ports and line cards on every device that terminates a protected link, which raises costs and limits which platforms and cloud on-ramps you can use.
  • Licensing Parameters: Deploying MACsec involves layered licensing costs, such as Cisco’s Edge Sec and DNA licenses, which add to the overall expense.
  • Operational Overhead: MACsec needs a key infrastructure: either pre-shared connectivity association keys, which are simpler but weaker and must be rotated by hand, or 802.1X-based key distribution backed by PKI, plus somewhere to hold the keys, such as Azure Key Vault for ExpressRoute Direct.
  • Performance Implications: Hardware MACsec runs near line rate, so the latency added per hop is small, but each hop is another point that must be keyed, monitored and kept in sync, and any device on the path without MACsec support breaks the chain.
  • Ingress and Egress Fees: Private circuits carry a fixed hourly port or circuit charge from the cloud provider, and data transfer out is still metered, at a lower rate than internet egress.


You Can Do Better than MACsec: Recommended Alternatives

“The authoring agencies urge software manufacturers to incorporate secure by design principles into their software development lifecycle to strengthen the security posture of their customers.” — CISA, “Enhanced Visibility and Hardening Guidance for Communications Infrastructure”

Aligned with CISA’s guidance to incorporate secure by design principles, organizations should:

  • Ensure that traffic is end-to-end encrypted to the maximum extent possible: Terminate encryption on devices you control at both ends of every path, private circuits included, so that a compromised carrier or cloud edge only ever sees ciphertext. Aviatrix empowers organizations to do this across any network, even in potentially compromised environments.
  • Review Communication Practices: Inventory every flow that crosses a provider circuit, confirm whether it travels inside a tunnel you terminate, and treat anything that does not as exposed until it is fixed.
  • Implement Holistic Security Strategies: With Aviatrix, data remains encrypted at every point in the network outside your control, avoiding the hop-by-hop exposure of link-layer methods like MACsec.
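A practical way to act on the first two recommendations is to look at what actually crosses the circuit. The script below is an added example for this page, not Aviatrix tooling: it classifies `tcpdump -nn` style summary lines captured on a circuit-facing interface as IPsec ESP, IKE, TLS-to-443 (payload protected at the application layer but not tunneled, so addressing and DNS-style metadata are still exposed) or cleartext. The sample capture lines are constructed for the example using documentation address ranges, and the port-443 heuristic is a deliberate simplification.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample of `tcpdump -nn -i <circuit-facing-interface>` output.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges; the flows are
# made up for this example. Lines 1-3 are an IPsec tunnel (ESP, NAT-T ESP, IKE);
# lines 4-6 are traffic riding the circuit outside any tunnel.
SAMPLE = """\
10:00:01.000001 IP 192.0.2.10 > 198.51.100.20: ESP(spi=0x0b2c3d4e,seq=0x1a), length 132
10:00:01.000200 IP 192.0.2.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0b2c3d4f,seq=0x1b), length 116
10:00:01.000300 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
10:00:02.000100 IP 10.1.2.3.49152 > 10.8.0.5.1433: Flags [P.], seq 1:101, ack 1, win 502, length 100
10:00:02.000500 IP 10.1.2.3.49500 > 10.8.0.6.443: Flags [P.], seq 1:518, ack 1, win 502, length 517
10:00:03.000010 IP 10.1.2.3.53120 > 10.8.0.53.53: 12345+ A? db.internal.example. (37)
"""

# timestamp, "IP" or "IP6", src, ">", dst (non-greedy up to the first ": "), rest
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$")


def split_host_port(addr: str) -> Tuple[str, Optional[int]]:
    """tcpdump appends the port with a dot: '10.8.0.5.1433' -> ('10.8.0.5', 1433)."""
    host, _, port = addr.rpartition(".")
    if port.isdigit() and (host.count(".") == 3 or ":" in host):
        return host, int(port)
    return addr, None


def classify(line: str) -> str:
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    rest = m.group("rest")
    if rest.startswith("ESP(") or "UDP-encap: ESP(" in rest:
        return "esp"             # payload inside an IPsec tunnel you terminate
    if rest.startswith("isakmp:"):
        return "ike"             # key exchange for that tunnel
    _, dport = split_host_port(m.group("dst"))
    if dport == 443:
        return "app_layer_only"  # TLS protects payload, not who talks to whom
    return "cleartext"           # readable by any hop on the circuit


def audit(capture: str) -> List[Tuple[str, str, str]]:
    """Return (src, dst, verdict) for every non-empty capture line."""
    out = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        src, dst = (m.group("src"), m.group("dst")) if m else ("?", "?")
        out.append((src, dst, classify(line)))
    return out


def summary(capture: str) -> Counter:
    return Counter(v for _, _, v in audit(capture))


def exposed_flows(capture: str) -> List[str]:
    """Flows that leave the payload readable to the provider's hops."""
    return [f"{s} -> {d}" for s, d, v in audit(capture) if v == "cleartext"]


if __name__ == "__main__":
    print(dict(summary(SAMPLE)))
    for flow in exposed_flows(SAMPLE):
        print("CLEARTEXT on circuit:", flow)
```

Run against a real capture, anything reported as `cleartext` is a flow the carrier, the cloud edge, or anyone who has compromised them can read; `app_layer_only` flows hide the payload but still leak endpoints and timing. Both are candidates to move inside a tunnel you terminate.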


Diagram that shows how Aviatrix Encryption gives you full control with encryption over third-party networks

MACsec’s limitations in security, cost, and operational complexity make it a poor fit for today’s hyper-connected cloud applications. By running high-performance encryption (HPE) at the network layer, terminated on devices you control, instead of relying on link-layer MACsec, organizations can better secure their networks, meet stringent compliance requirements, and gain operational efficiency.

Understanding MACsec and how to improve your organization’s encryption is a solid first step toward building your in-house network security muscle and taking back control of your overall network security posture.

Another great step: connect with our cloud networking experts to learn how Aviatrix’s Secure High-Performance Datacenter Edge solution offers high-performance encryption and other features that give you full network control.
