China didn’t break into America’s telecom networks with futuristic cyber weapons — it walked through unlocked doors.
Washington often frames the cyber conflict with Beijing as high-stakes statecraft, a sophisticated great-power chess match characterized by daring spies and zero-day exploits. This narrative is flattering, but false. As the recent Salt Typhoon revelations show, America is not losing a chess match to China’s hackers. It is failing a safety inspection of its own making.
Securing U.S. networks requires treating telecom cyber security not as a voluntary partnership, but as a critical safety discipline: enforcing mandatory operational baselines, demanding executive verification of network hygiene, and locking down the lawful intercept systems that adversaries are actively targeting.
The Myth of Sophistication
In December 2025, the Senate Commerce Committee aired a blunt conclusion about Salt Typhoon, the Chinese state-sponsored cyber espionage campaign against U.S. telecommunications networks and critical infrastructure: America’s networks remain vulnerable, and telecom firms like Verizon, AT&T, T-Mobile, and others still have not convincingly shown they have evicted the intruders. The Senate hearing cited basic failures, such as legacy equipment, weak passwords, and years-old patches that were never applied, as key reasons the breach succeeded.
This operational reality matters. In Washington, the reflex is to reach for dramatic fixes. Some lawmakers and former officials call for more sanctions and tougher China-tech restrictions. Others float the idea of offensive “hack back” operations to disrupt attacker infrastructure. These tools might impose costs and signal resolve, but as repeated rounds of Chinese hacker indictments and sanctions have shown, they rarely change behavior on their own when access remains easy to restore.
The uncomfortable lesson of Salt Typhoon is not that Beijing has futuristic capabilities. It’s that Washington often treats major intrusions as proof of overwhelming adversary sophistication, when in reality, basic, preventable weaknesses still account for much of the vulnerability. A 2025 joint advisory issued by U.S. and allied intelligence agencies warned that Chinese state-sponsored threats have targeted networks globally — especially telecommunications — and that these actors have not relied on zero-day exploits. Instead, they often succeed by manipulating publicly known vulnerabilities and avoidable weaknesses.
From Beijing’s perspective, long-term access into U.S. telecom infrastructure creates options — not just intelligence collection, but the ability to exploit access in a crisis to disrupt service, degrade confidence, or selectively intercept or expose private communications. This leverage exists whether intended primarily for espionage or in preparation for military operations.
This distinction matters. While Salt Typhoon is best understood as an espionage campaign based on communications access, Volt Typhoon has been framed as pre-positioning for potential disruption of critical infrastructure ahead of a military attack. Sen. Maria Cantwell’s Nov. 2025 letter to the Federal Communications Commission underscores why Salt Typhoon still carries strategic stakes. The breach allowed adversaries to geolocate millions of Americans and to access the “lawful intercept” wiretap interfaces used across federal, state, and local law enforcement.
The Policy Trap
The official U.S. response to Salt Typhoon has fractured along familiar lines. In late 2025, the Federal Communications Commission rescinded binding cyber security orders for telecom carriers, replacing them with a framework of voluntary industry collaboration. At the same time, the Trump administration doubled down on external punishment, expanding export blacklists and issuing new sanctions against Chinese state-linked technology firms and Ministry of State Security front companies. This response shows how policy gets stuck between two unsatisfying poles: voluntarism and techno-protectionism.
On the one hand, major telecom associations argue the U.S. government should avoid binding mandates and lean on information sharing and voluntary partnership with industry. They worry that rules only create checklist compliance and delay adaptation against fast-moving threats. That concern is valid. Poorly designed regulation can force companies to prioritize paperwork over beefing up security. For example, after the May 2021 Colonial Pipeline ransomware attack, the Transportation Security Administration’s emergency directives were criticized as rushed and for imposing rigid information technology protocols that were technically incompatible with the specialized control systems used to manage the flow of fuel. In response, the Transportation Security Administration shifted to performance-based standards, which set specific security goals while allowing operators to choose the technical methods to achieve them.
On the other hand, a congressional group led by conservative lawmakers sees network vulnerability primarily as a supply-chain issue: rip out Chinese equipment, tighten export controls, and call it a day. This logic is reflected in recent congressional debates over “rip-and-replace.” Federal Communications Commission Chairman Brendan Carr and Sens. Ted Cruz and Deb Fischer all touted existing laws requiring the removal of Huawei and ZTE gear as evidence the United States is already responding forcefully to Salt Typhoon. While supply-chain security matters, it does not necessarily explain how Salt Typhoon succeeded in the first place. As public reporting confirmed, the breach did not rely on Chinese hardware. It exploited basic maintenance failures in U.S.-made equipment, including seven-year-old unpatched vulnerabilities in Cisco routers.
Locking the Backdoor
Beyond the two poles, a third approach is needed. The U.S. government should treat telecom cyber security as a public safety discipline and regulate telecom networks as critical infrastructure. This means moving beyond purely voluntary frameworks and enforcing mandatory safety baselines, like structural inspections required for bridges or pre-flight checks for commercial aviation. Here’s what that looks like in practice:
First, the United States needs a minimum cyber security floor for telecom carriers and the backbone systems they operate — the way safety baselines are set for aviation or drinking water. That does not mean a 200-page checklist. It means a short set of standards enforced by the Federal Communications Commission, potentially using the Cybersecurity and Infrastructure Security Agency’s existing Cross-Sector Cybersecurity Performance Goals. These goals map directly onto the kinds of weaknesses lawmakers and investigators keep highlighting: multi-factor authentication for every privileged account (administrative logins with deep system access), with no carve-outs for “legacy” remote access; an end to shared administrator credentials; patching and configuration deadlines for internet-facing systems so critical fixes are applied in days rather than weeks; and a realistic plan to retire unsupported equipment instead of keeping it online indefinitely.
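The four controls in that floor are concrete enough to be checked by a script rather than attested on faith. The following is an added illustration, not code from the article or from any carrier or regulator: it audits a constructed inventory of privileged accounts and network systems against those four baselines (MFA on every privileged login with no legacy exception, no credential shared between accounts, critical patches on internet-facing systems applied within a deadline, and no equipment past vendor support). The 14-day patch deadline, the account and system records, and the dates are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_SLA_DAYS = 14  # assumed deadline for critical fixes on internet-facing systems


@dataclass
class PrivilegedAccount:
    name: str
    credential_id: str          # identifier of the secret behind the login
    mfa_enforced: bool
    legacy_remote_access: bool = False  # "legacy" is not an accepted reason to skip MFA


@dataclass
class NetworkSystem:
    name: str
    internet_facing: bool
    support_end: Optional[date]               # None means the vendor still supports it
    critical_patch_released: Optional[date] = None
    critical_patch_applied: Optional[date] = None


def audit_accounts(accounts):
    """Flag privileged logins without MFA and credentials used by more than one account."""
    findings = []
    holders = {}
    for a in accounts:
        holders.setdefault(a.credential_id, []).append(a.name)
        if not a.mfa_enforced:
            reason = "legacy remote access" if a.legacy_remote_access else "no MFA"
            findings.append(f"{a.name}: privileged login without MFA ({reason})")
    for cred, names in holders.items():
        if len(names) > 1:
            findings.append(f"credential {cred} shared by {', '.join(sorted(names))}")
    return findings


def audit_systems(systems, as_of, sla_days=PATCH_SLA_DAYS):
    """Flag unsupported equipment and critical patches missed on internet-facing systems."""
    findings = []
    for s in systems:
        if s.support_end is not None and s.support_end < as_of:
            findings.append(f"{s.name}: vendor support ended {s.support_end}")
        if s.internet_facing and s.critical_patch_released is not None:
            deadline = s.critical_patch_released + timedelta(days=sla_days)
            if s.critical_patch_applied is None:
                if as_of > deadline:
                    overdue = (as_of - deadline).days
                    findings.append(f"{s.name}: critical patch unapplied, {overdue} days past deadline")
            elif s.critical_patch_applied > deadline:
                late = (s.critical_patch_applied - deadline).days
                findings.append(f"{s.name}: critical patch applied {late} days late")
    return findings


# Constructed inventory for the example (not real carrier data).
ACCOUNTS = [
    PrivilegedAccount("core-admin-1", "cred-A", mfa_enforced=True),
    PrivilegedAccount("core-admin-2", "cred-A", mfa_enforced=True),   # shares cred-A
    PrivilegedAccount("noc-legacy", "cred-B", mfa_enforced=False, legacy_remote_access=True),
]
SYSTEMS = [
    NetworkSystem("edge-router-1", True, None, date(2025, 1, 10), date(2025, 1, 15)),  # on time
    NetworkSystem("edge-router-2", True, None, date(2025, 1, 10), None),               # never patched
    NetworkSystem("old-switch", False, date(2023, 6, 30)),                              # unsupported
]
AS_OF = date(2025, 3, 1)  # assumed audit date


def run_audit(accounts=ACCOUNTS, systems=SYSTEMS, as_of=AS_OF):
    return {"accounts": audit_accounts(accounts), "systems": audit_systems(systems, as_of)}


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(f"== {area} ==")
        for f in findings:
            print(" -", f)
```

The point of the structure is that each finding maps to one baseline, so an auditor can count open items per control rather than reading a narrative report; a carrier's real inventory would come from its identity provider and asset database, not from literals as here.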
Second, these standards should come with verification protocols. Right now, the American public is asked to take assurances on faith that intruders have been expelled, even as lawmakers warn that telecom firms still cannot convincingly prove it. Verification does not require publishing network diagrams or exposing vulnerabilities. An oversight framework should pair independent testing procedures with auditable verification methods, with results reported to regulators over protected communication channels. Large telecom carriers like Verizon or AT&T should perform third-party penetration tests and simulations that assume an adversary is already inside, checking their ability to detect and contain intrusions within hours, not months. Telecom executives should provide written confirmation to the Federal Communications Commission about their company’s core control systems — the sensitive infrastructure that manages user databases, routing equipment, and lawful intercept portals. This would create a personal liability loop: False attestations about safety would result in civil or criminal penalties, just as false financial certifications do under corporate fraud law.
Third, civil liberties should be protected because telecom breaches can tempt the wrong lesson. After a high-profile hack, policy responses tend to call for expanding domestic monitoring or weakening encryption. This is what happened after the 2015 San Bernardino terrorist attack, when the Federal Bureau of Investigation demanded encryption backdoors, and after the 2020 SolarWinds cyber attack, when lawmakers debated expanding intelligence agencies’ domestic surveillance powers.
That would be a strategic gift to adversaries. Mandating backdoors or weaker encryption creates a single point of failure that foreign intelligence services can target. Salt Typhoon proved why: The intruders reportedly exploited the very lawful intercept capability used by law enforcement. A more effective policy response would focus on strengthening the hardware that processes wiretap orders and administrative gateways like the Communications Assistance for Law Enforcement Act servers that aggregate wiretap data. This requires specific protection like hardware-based credential storage and two-person authorization rules to prevent any single user from hijacking these powerful tools.
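The two-person authorization rule above is a policy for the gateway that provisions intercepts: no single login, however privileged, can activate one alone. The following is an added example of what that check looks like in code; it is not the article's code and not any vendor's Communications Assistance for Law Enforcement Act implementation. It assumes a constructed roster of authorized approvers, a four-hour approval validity window, and request records built inline. An activation is allowed only when two distinct authorized approvers, neither of them the requester, have approved within the window; every decision is also rendered as an audit line so the denial reasons are recorded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

APPROVAL_WINDOW = timedelta(hours=4)  # assumed: approvals older than this expire
AUTHORIZED_APPROVERS = {"supervisor-a", "supervisor-b", "supervisor-c"}  # constructed roster


@dataclass(frozen=True)
class Approval:
    approver: str
    at: datetime


@dataclass
class InterceptRequest:
    order_id: str          # court order reference (constructed value in examples)
    requester: str         # operator who submitted the provisioning request
    created_at: datetime
    approvals: list = field(default_factory=list)


def evaluate(req, now, approvers=AUTHORIZED_APPROVERS, window=APPROVAL_WINDOW):
    """Return (allowed, reasons). Allowed only with two valid, distinct approvals."""
    reasons = []
    valid = set()
    for ap in req.approvals:
        if ap.approver not in approvers:
            reasons.append(f"{ap.approver} is not an authorized approver")
            continue
        if ap.approver == req.requester:
            reasons.append(f"{ap.approver} cannot approve their own request")
            continue
        if ap.at < req.created_at or now - ap.at > window:
            reasons.append(f"approval by {ap.approver} is outside the validity window")
            continue
        valid.add(ap.approver)      # a set, so the same approver twice counts once
    if len(valid) < 2:
        reasons.append(f"{len(valid)} valid approval(s); two distinct approvers required")
        return False, reasons
    return True, reasons


def audit_line(req, now, decision):
    """Render one tamper-evident log record for the decision (format is an assumption)."""
    allowed, reasons = decision
    verdict = "ALLOW" if allowed else "DENY"
    detail = "; ".join(reasons) if reasons else "two distinct approvals present"
    return f"{now.isoformat()} order={req.order_id} requester={req.requester} {verdict} ({detail})"


# Constructed scenarios (not real orders or personnel).
NOW = datetime(2025, 3, 1, 12, 0)
CREATED = datetime(2025, 3, 1, 10, 0)


def make_request(order_id, requester, approvals):
    return InterceptRequest(order_id, requester, CREATED, list(approvals))


SCENARIOS = {
    "two_distinct": make_request("ORD-0001", "analyst-1", [
        Approval("supervisor-a", datetime(2025, 3, 1, 10, 30)),
        Approval("supervisor-b", datetime(2025, 3, 1, 11, 0))]),
    "same_person_twice": make_request("ORD-0002", "analyst-1", [
        Approval("supervisor-a", datetime(2025, 3, 1, 10, 30)),
        Approval("supervisor-a", datetime(2025, 3, 1, 11, 0))]),
    "self_approval": make_request("ORD-0003", "supervisor-a", [
        Approval("supervisor-a", datetime(2025, 3, 1, 10, 30)),
        Approval("supervisor-b", datetime(2025, 3, 1, 11, 0))]),
    "stale_approval": make_request("ORD-0004", "analyst-1", [
        Approval("supervisor-a", datetime(2025, 3, 1, 10, 30)),
        Approval("supervisor-b", datetime(2025, 3, 1, 6, 0))]),  # before the request existed
}


def run_scenarios(now=NOW):
    return {name: evaluate(req, now)[0] for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(name, "->", audit_line(req, NOW, evaluate(req, NOW)))
```

Deduplicating approvers with a set is what makes this a two-person rule rather than a two-click rule; the self-approval and window checks close the two obvious ways a single compromised account would otherwise satisfy it. Hardware-backed credentials for the approvers, which the article also calls for, sit underneath this logic rather than replacing it.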
Finally, Washington should stop dismantling the few enforceable controls it currently has. Sen. Cantwell’s letter notes that the Federal Communications Commission relied on its reclassification authority to interpret the Communications Assistance for Law Enforcement Act in a way that required robust cyber security for wiretap interfaces, effectively making security failures a punishable offense. However, under pressure from industry lobbyists and dissenting commissioners who argued the mandate constituted regulatory overreach, the Federal Communications Commission rescinded the ruling months later. That was a strategic error. It stripped regulators of their authority to fine carriers for the very vulnerabilities Salt Typhoon exploited. While the legal basis for this authority has historically been a partisan flashpoint, the Salt Typhoon breach demonstrates the high cost of political gridlock. Reinstating that binding authority is not a stealthy way to grow bureaucracy. Instead, it is a declaration that if telecom networks are considered critical infrastructure, baseline cyber security is not optional.
For now, Washington may keep debating how serious China is about cyber espionage. But Salt Typhoon already answered the question that matters most: When basic defenses fail at scale, intent becomes irrelevant. In strategic competition in cyberspace, the advantage often goes to the side that treats security as routine maintenance — funded, audited, and enforced — not as an emergency patch after the damage is done.
Shaoyu Yuan is an adjunct professor of global security at New York University’s Center for Global Affairs and a research fellow at Rutgers University. He writes on the strategic implications of Chinese technology policy, critical infrastructure protection, and U.S.-Chinese competition.
Image: Gemini