Salt Typhoon Breach: Why the FBI’s Signal and WhatsApp Recommendation Is a Bad Idea for Enterprises
In the wake of the Salt Typhoon breach, a sophisticated attack exploiting telecom infrastructure to intercept calls, texts, and metadata, the FBI has recommended that private citizens move their communications to end-to-end encrypted apps like Signal and WhatsApp to safeguard their privacy.
While this is solid advice for individual users, it’s actually more risky—and possibly quite costly—for enterprises.
Why Consumer Apps Fall Short
The FBI’s recommendation highlights the value of end-to-end encryption for safeguarding private communications.
However, Signal and WhatsApp, while designed for individual privacy, fall dangerously short of meeting enterprise needs during a crisis.
Here are key gaps in consumer encryption apps:
No User Management Controls
Enterprises need the ability to manage user access, permissions, and policies. How would you ensure you’ve removed a former employee from every WhatsApp chat, or that your critical data is purged from the devices they take with them? Signal and WhatsApp offer no centralized controls for enterprise organizations.
Failure to Meet Compliance Standards
Regulatory frameworks require retention, monitoring, and audit capabilities. For privacy apps, even if you were lucky enough to image the phones of every key player in your organization, how would you prove in a court of law that those messages haven’t been deleted or edited? Audit features aren’t even available in consumer tools.
Lack of Scalability Creates Security Gaps
No one can predict with any accuracy how a threat actor will attack your organization or whom they will target, making it impossible to say with any confidence exactly how many people will need access to your out-of-band communications tool. How would you quickly onboard an entire team from a DFIR provider or 100 people from an impacted business unit onto Signal? Without enterprise-level onboarding and offboarding, consumer tools pose significant risks, particularly during active incident response, where access must be tightly controlled yet scalable.
The Telecom Sector’s Unique Challenge Amid the Salt Typhoon Attack
The Salt Typhoon breach has left telecom networks compromised and uncertain and has exposed three critical problem areas many telecoms need to address:
Compromised Communications Channels: Email, Slack, Microsoft Teams, and other platforms are likely already compromised once an incident is identified, shutting critical teams out of the network before they can even begin to coordinate.
High-Stakes Coordination: With cyber reporting clocks counting down, incident response, legal teams, and external remediation services require immediate, secure communication to manage ongoing threats—without exposing remediation efforts to their adversary.
Obligations to Document Incidents: Accurate incident documentation is crucial for ensuring that legal teams can provide truthful and compliant disclosures. Failure to accurately record and report what happened and how teams responded can lead to significant regulatory fines, as highlighted in recent SEC enforcement actions.
In this environment, consumer encryption tools are insufficient to protect enterprise communications, let alone ensure compliance and effective crisis management.
Major Telecom Turns to ArmorText for Secure Crisis Communication
Earlier in 2024, a top US telecom provider chose to deploy a secure out-of-band communications tool in anticipation of scenarios where they couldn’t trust their day-to-day network tools to communicate.
They were looking for a solution that would allow their critical response teams to communicate confidently but recognized that consumer tools like Signal and WhatsApp could not meet enterprise security and compliance requirements.
They ultimately deployed ArmorText for its enterprise-ready compliance and scalable capabilities. They were also happy to discover that the patented user+device end-to-end encryption allowed the most granular, need-to-know data access controls they had been able to find in the market, allowing true TLP Red enforcement at any moment, in any conversation.
There are a few reasons ArmorText is a better choice for high-stakes communications between critical response teams and business units:
True Out-of-Band Communication
ArmorText operates entirely outside compromised enterprise systems, which ensures adversaries cannot intercept or monitor critical incident response communications.
Enterprise-Grade Security and Control
Role-based user management, granular access controls, and centralized policy enforcement align with enterprise security standards.
Compliance-Aligned Collaboration
Audit trails, record retention policies, and robust documentation ensure communications meet legal, regulatory, and operational requirements, which are all essential during incident response.
Seamless Team Coordination
ArmorText enables internal teams, such as CISOs, incident response, and threat hunting, to collaborate securely with external partners like digital forensics, legal counsel, and advisors on a unified platform, which ensures real-time, coordinated decision-making.
Proven Impact
For this major telecom provider, having tools like ArmorText in place during Salt Typhoon gave their incident response teams the added confidence they needed to respond quickly and decisively to the new threat.
ArmorText empowered them to:
Coordinate Without Fear of Eavesdropping: Teams communicated confidently, knowing adversaries could not intercept conversations.
Maintain Compliance: All communications were secure, auditable, and able to comply with their regulatory requirements.
Enforce Need-To-Know Access: ArmorText’s user+device end-to-end encryption meant every message and file attachment could be decrypted and viewed only by the identified individuals and reviewers for whom that data was uniquely encrypted. By no longer worrying about privileged access vulnerabilities, they could confidently enforce TLP protocol for the entire lifecycle of their data.
What Should Telecom Leaders Do Now?
The Salt Typhoon breach highlights the urgent need for telecom leaders to respond effectively to this specific incident while preparing for future targeted campaigns. Although this attack was focused on certain regions and organizations in the US, similar breaches could target others tomorrow.
Here’s a clear path to address the immediate fallout and strengthen your defenses for what’s next:
Review and Update Communication Policies
Identify and implement a secure, compliant out-of-band communication tool and practice its use to ensure readiness during critical incidents. This helps avoid reliance on unapproved channels or shadow IT when a breach happens.
Enable Secure Cross-Team Collaboration
Prepare internal and external stakeholders by practicing coordination on a trusted, secure platform, ensuring readiness to transition to out-of-band communication when needed.
Avoid Consumer Apps Like Signal or WhatsApp
While these apps protect individual privacy, they are not built for enterprise incident response.
Deploy Secure Out-of-Band Communications
Implement secure out-of-band communication to ensure your IR, legal, and digital forensics teams can communicate securely outside compromised systems.
Conclusion
The FBI’s recommendation to use Signal or WhatsApp underscores the importance of secure communication. However, for enterprises grappling with the scale and complexity of the Salt Typhoon breach, more comprehensive solutions are necessary to address the broader security challenges. For telecom organizations, where compliance, control, and security are non-negotiable, consumer tools are inadequate.
ArmorText delivers an enterprise-grade, out-of-band communication solution that empowers all stakeholders to coordinate effectively and securely without compromising compliance or operational integrity. In a crisis where adversaries may still have access, ArmorText ensures organizations can respond with confidence, clarity, and control.
Don’t let compromised communications undermine your incident response.
Schedule a consultation with ArmorText today to secure your most critical conversations and restore control.