Lax security controls played a significant role in allowing a Chinese government-sponsored threat group to gain broad and full access to U.S. telecom networks, a senior White House official said Friday.
“From what we’re seeing regarding the level of cybersecurity implemented across the telecom sectors, those networks are not as defensible as they need to be to defend against a well-resourced, capable, offensive cyber actor like China,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a Friday media briefing.
Neuberger’s remarks came as the White House confirmed a ninth telecom company was among those compromised by Salt Typhoon’s widespread intrusion into U.S. telecom networks. The unnamed company recently determined it was impacted after reviewing threat hunting and hardening guidance provided by the U.S. government, Neuberger said.
Earlier this month, U.S. officials said at least eight U.S. telecom providers or infrastructure companies were compromised in a campaign that went undetected for months and has been underway for up to two years.
Private-sector companies operating critical infrastructure are still not doing the basics, Neuberger said.
“In one telecom’s case, there was one administrator account that had access to over 100,000 routers,” Neuberger said. “So when the Chinese compromised that account, they gained that kind of broad access across the network. That's not meaningful cybersecurity to defend against a nation-state actor.”
Salt Typhoon geolocated millions of individuals at will and directly targeted and stole communications of probably fewer than 100 individuals, Neuberger said.
U.S. officials want to lock down telecom infrastructure
Neuberger said an investigation into the campaign is ongoing but acknowledged U.S. officials will likely never know some details regarding the scope and scale of the intrusion.
“That’s why we’re looking forward and saying ‘let’s lock down this infrastructure,’ and frankly, let’s hold the Chinese accountable for this,” Neuberger said.
U.S. officials are still scrambling to get a handle on the damage done and contain potential follow-on risk, while the threat group remains embedded in all of the compromised networks.
Salt Typhoon was very careful with its techniques and erased logs. “In many cases, companies were not keeping adequate logs,” Neuberger said.
Voluntary cybersecurity practices are inadequate to defend U.S. critical infrastructure against nation-state threat groups, Neuberger said.
“We wouldn't leave our homes, our offices unlocked and yet our critical infrastructure, the private companies owning and operating our critical infrastructure, often do not have the basic cybersecurity practices in place that would make our infrastructure riskier, costlier and harder for countries and criminals to attack,” Neuberger said.
The White House is calling for more regulations and urged all five members of the Federal Communications Commission to support stronger security rules proposed by Chair Jessica Rosenworcel earlier this month. FCC commissioners are due to vote on the rule by Jan. 15, Neuberger said.