During a Congressional session earlier this week, Matt Blaze emphasized that CALEA, the statute enacted in 1994 that requires telecom companies to make phone calls wiretappable, is obsolete in the current threat landscape and requires reconsideration:
To put it differently, although the legally required CALEA capabilities have altered little in the past thirty years, the framework that must execute and safeguard these requirements has transformed dramatically. This transformation has significantly broadened the “attack surface” that requires protection to prevent unauthorized wiretaps, particularly at scale. The task of illicit eavesdroppers has become notably simpler, granting them numerous avenues and chances to exploit. Breaching our telecommunications framework is now hardly distinguishable from conducting any other form of computer infiltration or data leak, a widespread and persistent cybersecurity challenge. Frankly, incidents like Salt Typhoon were unavoidable, and are likely to reoccur unless substantial reforms are instituted.
This wiretap capability is what the Chinese threat group Salt Typhoon used to monitor Americans:
The Wall Street Journal initially disclosed on Friday that a Chinese state-sponsored hacking organization known as Salt Typhoon accessed three of the largest U.S. internet service providers, including AT&T, Lumen (previously CenturyLink), and Verizon, to infiltrate systems employed for facilitating customer data transfer to law enforcement and governmental bodies. The breaches allegedly resulted in the “extensive aggregation of internet traffic” from these telecom and internet behemoths. CNN and The Washington Post have also corroborated the breaches and reported that the investigation by the U.S. government is still in the preliminary stages.