China didn’t break into America’s telecom networks with futuristic cyber weapons — it walked through unlocked doors.
Washington often frames the cyber battle with Beijing as high-stakes statecraft, a complex great-power chess match characterized by daring spies and zero-day exploits. This narrative is flattering, but false. As the latest Salt Typhoon revelations show, America isn’t losing a chess match to China’s hackers. It’s failing a safety inspection of its own making.
Securing U.S. networks requires treating telecom cyber security not as a voluntary partnership, but as a critical safety discipline: implementing mandatory operational baselines, demanding government verification of network hygiene, and locking down the lawful intercept systems that adversaries are actively targeting.
The Myth of Sophistication
In December 2025, the Senate Commerce Committee aired a blunt conclusion about Salt Typhoon, the Chinese state-sponsored cyber espionage campaign against U.S. telecommunications networks and critical infrastructure: America’s networks remain vulnerable, and telecom companies like Verizon, AT&T, T-Mobile, and others still haven’t convincingly shown they’ve evicted the intruders. The Senate hearing cited basic failures, such as legacy equipment, weak passwords, and years-old patches that were never applied, as key reasons the breach succeeded.
This operational reality matters. In Washington, the reflex is to reach for dramatic fixes. Some lawmakers and former officials call for more sanctions and tougher China-tech restrictions. Others float the idea of offensive “hack back” operations to disrupt attacker infrastructure. These tools may impose costs and signal resolve, but as repeated rounds of Chinese hacker indictments and sanctions have shown, they rarely change behavior on their own when access remains easy to restore.
The uncomfortable lesson of Salt Typhoon is not that Beijing has futuristic capabilities. It’s that Washington often treats major intrusions as proof of overwhelming adversary sophistication, when in reality, basic, preventable weaknesses still account for much of the vulnerability. A 2025 joint advisory issued by U.S. and allied intelligence agencies warned that Chinese state-sponsored threats have targeted networks globally — especially telecommunications — and that these actors have not relied on zero-day exploits. Instead, they often succeed by exploiting publicly known vulnerabilities and avoidable weaknesses.
From Beijing’s perspective, long-term access into U.S. telecom infrastructure creates options — not just intelligence collection, but the ability to exploit access in a crisis to disrupt service, degrade confidence, or selectively intercept or expose private communications. This leverage exists whether intended primarily for espionage or in preparation for military operations.
This distinction matters. While Salt Typhoon is best understood as an espionage campaign based on communications access, Volt Typhoon has been framed as pre-positioning for potential disruption of critical infrastructure ahead of a military attack. Sen. Maria Cantwell’s Nov. 2025 letter to the Federal Communications Commission underscores why Salt Typhoon still carries strategic stakes. The breach allowed adversaries to geolocate hundreds of thousands of Americans and access the “lawful intercept” wiretap interfaces used across federal, state, and local law enforcement.
The Policy Trap
The official U.S. response to Salt Typhoon has fractured along familiar lines. In late 2025, the Federal Communications Commission rescinded binding cyber security orders for telecom carriers, replacing them with a framework of voluntary industry collaboration. At the same time, the Trump administration doubled down on external punishment, expanding export blacklists and issuing new sanctions against Chinese state-linked technology companies and Ministry of State Security front companies. This response shows how policy gets stuck between two unsatisfying poles: voluntarism and techno-protectionism.
On the one hand, major telecom associations argue the U.S. government should avoid binding mandates and lean on information sharing and voluntary partnership with industry. They worry that rules only create checklist compliance and delay adaptation against fast-moving threats. That concern is valid. Poorly designed regulation can force companies to prioritize paperwork over beefing up security. For example, after the May 2021 Colonial Pipeline ransomware attack, the Transportation Security Administration’s emergency directives were criticized as rushed and for imposing rigid information technology protocols that were technically incompatible with the specialized control systems used to manage the flow of gasoline. In response, the Transportation Security Administration shifted to performance-based standards, which set specific security goals while allowing operators to choose the technical methods to achieve them.
On the other hand, a congressional group led by conservative lawmakers sees network vulnerability primarily as a supply-chain issue: rip out Chinese equipment, tighten export controls, and call it a day. This logic is reflected in recent congressional debates over “rip-and-replace.” Federal Communications Commission Chairman Brendan Carr and Sens. Ted Cruz and Deb Fischer all touted existing laws requiring the removal of Huawei and ZTE equipment as proof the United States is already responding forcefully to Salt Typhoon. While supply-chain security matters, it doesn’t necessarily explain how Salt Typhoon succeeded in the first place. As public reporting showed, the breach did not rely on Chinese hardware. It exploited basic maintenance failures in U.S.-made equipment, including seven-year-old unpatched vulnerabilities in Cisco routers.
Locking the Backdoor
Beyond the two poles, a third approach is needed. The U.S. government should treat telecom cyber security as a public safety discipline and regulate telecom networks as critical infrastructure. This means moving beyond purely voluntary frameworks and implementing mandatory safety baselines, like structural inspections required for bridges or pre-flight checks for commercial aviation. Here’s what that looks like in practice:
First, the United States needs a minimum cyber security floor for telecom carriers and the backbone systems they operate — the way safety baselines are set for aviation or drinking water. That doesn’t mean a 200-page checklist. It means a short set of standards enforced by the Federal Communications Commission, potentially using the Cybersecurity and Infrastructure Security Agency’s existing Cross-Sector Cybersecurity Performance Goals. These goals map directly onto the kinds of weaknesses lawmakers and investigators keep highlighting: multi-factor authentication for every privileged account (administrative logins with deep system access), with no carve-outs for “legacy” remote access; an end to shared administrator credentials; patching and configuration deadlines for internet-facing systems so critical fixes are applied in days rather than weeks; and a practical plan to retire unsupported equipment instead of keeping it online indefinitely.
Second, these standards should come with verification protocols. Right now, the American public is asked to take assurances on faith that intruders have been expelled, even as lawmakers warn that telecom companies still cannot convincingly prove it. Verification doesn’t require publishing network diagrams or exposing vulnerabilities. An oversight framework should have separate testing procedures and auditable verification methods using secure communication channels to connect with regulatory bodies. Large telecom carriers like Verizon or AT&T should perform third-party penetration tests and simulations that assume an adversary is already inside, checking their ability to detect and contain intrusions within hours, not months. Telecom executives should provide written attestation to the Federal Communications Commission about their company’s core control systems — the sensitive infrastructure that manages user databases, routing equipment, and lawful intercept portals. This would create a personal liability loop: False attestations about security would result in civil or criminal penalties, just as false financial certifications do under corporate fraud law.
Third, civil liberties should be protected because telecom breaches can tempt the wrong lesson. After a high-profile hack, policy responses tend to call for expanding domestic monitoring or weakening encryption. This is what happened after the 2015 San Bernardino terrorist attack, when the Federal Bureau of Investigation demanded encryption backdoors, and after the 2020 SolarWinds cyber attack, when lawmakers debated expanding intelligence agencies’ domestic surveillance powers.
That would be a strategic gift to adversaries. Mandating backdoors or weaker encryption creates a single point of failure that foreign intelligence services can target. Salt Typhoon proved why: The intruders reportedly exploited the very lawful intercept capability used by law enforcement. A more effective policy response would focus on strengthening the hardware that processes wiretap orders and administrative gateways like the Communications Assistance for Law Enforcement Act servers that aggregate wiretap data. This requires specific protections like hardware-based credential storage and two-person authorization rules to prevent any single user from hijacking these powerful tools.
Finally, Washington should stop dismantling the few enforceable controls it currently has. Sen. Cantwell’s letter notes that the Federal Communications Commission relied on its reclassification authority to interpret the Communications Assistance for Law Enforcement Act in a way that required robust cyber security for wiretap interfaces, effectively making security failures a punishable offense. However, under pressure from industry lobbyists and dissenting commissioners who argued the mandate constituted regulatory overreach, the Federal Communications Commission rescinded the ruling months later. That was a strategic error. It stripped regulators of their authority to fine carriers for the very vulnerabilities Salt Typhoon exploited. While the legal basis for this authority has historically been a partisan flashpoint, the Salt Typhoon breach demonstrates the high cost of political gridlock. Reinstating that binding authority is not a stealthy way to grow bureaucracy. Instead, it’s a declaration that if telecom networks are considered critical infrastructure, baseline cyber security is not optional.
For now, Washington may keep debating how serious China is about cyber espionage. But Salt Typhoon already answered the question that matters most: When basic defenses fail at scale, intent becomes irrelevant. In strategic competition in cyberspace, the advantage often goes to the side that treats security as routine maintenance — funded, audited, and enforced — not as an emergency patch after the damage is done.
Shaoyu Yuan is an adjunct professor of global security at New York University’s Center for Global Affairs and a research fellow at Rutgers University. He writes on the strategic implications of Chinese technology policy, critical infrastructure security, and U.S.-Chinese competition.
Image: Gemini
