The Eight Body Problem: Exploring the Implications of Salt Typhoon
The Cyber Statecraft community and friends offer their thoughts on the implications of the Salt Typhoon campaign based on what is known to date, what the campaign says about the last four years of cybersecurity policy, and where policymakers should focus in the months ahead.
The leaks and press releases (hard to call them announcements) that unveiled the Salt Typhoon campaign to the public opened a window into a staggering, months-long intelligence operation breaching at least eight US telecommunications providers. Through this access, it’s reported that the adversary at a minimum targeted senior Democratic and Republican campaign officials and candidates along with the wiretap request system mandated by the Communications Assistance for Law Enforcement Act (CALEA). The result appears to be an astounding structural compromise of the basic information and communications networks relied upon by hundreds of millions of Americans.
There is much to unpack about this incident and the delicate balancing act required of policymakers seeking to communicate about a months-long campaign undermining critical US information infrastructure. Limited public evidence strongly suggests the effort is espionage and counterintelligence activity backed by the Chinese government, and the clearest mitigation so far circulated is for many people to install end-to-end encrypted software on their own phones.
The Cyber Statecraft team and friends offer seven thoughts on the implications of the Salt Typhoon campaign based on what is known to date, what the campaign says about the last four years of cybersecurity policy, and where policymakers should focus in the months ahead. The gist from this group is that we should have known better, we did know it was possible, and we shouldn’t be surprised that China prioritized this target.
Respondents from the ACTech Program: Nitansha Bansal, Sara Ann Brackett, Trey Herr, Emma Schroeder, Stewart Scott, Nikita Shah, Kenton Thibaut; and Marc Rogers
Why should you, our readers, care?
Telecommunications and internet service providers like Lumen, Charter, Verizon, and AT&T are tightly interwoven into our daily lives. We call our families, manage our finances, and talk with our doctors through this infrastructure every day. Trust between Americans and these networks is fundamental.
Not satisfied only to compromise what we hope to trust, a key focus of adversaries’ effort was the surveillance and wiretap request system used by US law enforcement. This should provoke a conversation about the premise of “nobody but us” access and how much it might reasonably be guaranteed. Regardless of instincts about who and what was likely targeted, if someone steals a master key to an apartment complex—even if their motivations were to access the package storage room—you would want to deeply scrutinize the number of master keys in circulation and their stewards.
To reach its strategic targets, the adversary compromised critical infrastructure that Americans rely on every day, making it quite clear in the process that this industry was not ready to protect individuals from modern cyber threats. That is something everyone should care about.
Emma Schroeder, Associate Director, Cyber Statecraft Initiative, Atlantic Council
Should we be surprised, given the industry? Was this a new vector? Or was this a well understood risk and the telecommunications industry failed to prepare?
No, I don’t think we should be surprised. With the exception of how effectively the threat actors executed the campaign at scale, nothing here was significantly novel. The threat actors abused the well-understood technical debt of a sector in which acquisitions typically lead to smaller, older carriers becoming fossilized inside larger carriers. At the same time, the pace of evolution means that, to maintain interoperability, newer, more secure technologies end up living alongside or being layered on top of older, less secure ones.
The adversaries in this operation travelled interconnected networks, took advantage of inadequate defenses and monitoring, broke into vulnerable edge devices, and made configuration changes to maintain persistence—risks that have been well understood by all industries for decades. This is the reason that it was not particularly surprising to see that T-Mobile appears to have fared better than other US carriers after making a series of common-sense cyber hygiene improvements in the face of the FCC’s September consent decree.
Marc Rogers, Co-Founder and Chief Technology Officer, nbhd.ai
Should we be surprised, given the actor?
No.
There shouldn’t be surprise at the gravity of this incident all round. The capability of China’s cyber actors is well understood by industry and assessment communities around the world, whether in terms of their sophistication, stealth, scale, or ability to both anticipate and successfully penetrate strategic targets over years-long campaigns. Moreover, reporting that details the targeting of US telecommunications systems by Chinese cyber actors goes back to at least 2018. The ability of Chinese cyber actors to compromise Western telecommunications networks has also been a significant concern in the Huawei debate, namely that the integration of such systems confers a high degree of risk and vulnerability. It therefore should come as no surprise that US telecommunications networks were able to be so deeply compromised years later.
Nikita Shah, Resident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council
Does it matter exactly who did this and where they might sit in the Chinese bureaucracy?
It is still too early to discern with certainty the full intent behind this incident. However, given the sophistication of the adversary and its tactics, techniques, and procedures (TTPs), it is possible that this is an organization working for a Chinese state institution, such as the Ministry of State Security or People’s Liberation Army. The Chinese cyber ecosystem is becoming increasingly complex and sprawling, fed in part by the range of private-sector suppliers that support Chinese state cyber institutions, complicating both attribution and meaningful distinction of effort.
The incident also points to a degree of sophistication in both how targeted and also how sprawling it was. Initial reporting identified a compromise in internet addressing systems and risks to “government and military personnel”. Follow-on coverage pointed to the compromise of the wiretap system used by the US Department of Justice for sensitive national security cases, suggesting a significant counterintelligence operation by Chinese cyber actors. However, the later revelation that political figures had also been targeted suggested that this one campaign had a significantly broader strategic intent. On top of that, the unusual advisory by the Cybersecurity and Infrastructure Security Agency (CISA) then suggested an even more serious—and alarming—compromise of US telecommunications networks, by giving as its first recommendation the advice that high-profile individuals should shift to using only end-to-end encrypted communications. Altogether, this bears the markings of a highly sophisticated actor willing to deeply and thoroughly compromise the backbone of US digital architecture to capture extremely sensitive information.
Much of this is speculation based on what we know of previous attributions and disclosures. The fact that we do not know a lot for certain right now may signal that the US government is still assessing the scale of the compromise and its fallout and is weighing possible response options.
Nikita Shah, Resident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council
Kenton Thibaut, Resident Fellow, China, Democracy and Tech Initiative, Atlantic Council
End-to-end encrypted communications are great, but why is the burden to remediate on individuals?
The 2023 US National Cybersecurity Strategy (NCS) set a bold vision to rebalance responsibility for security in the cyber ecosystem, arguing that “end users bear too great a burden for mitigating cyber risk.” Fast forward to 2024, and the chief guidance in response to Salt Typhoon—from several of the same agencies responsible for implementing the NCS—puts the onus on users to mitigate a major failure by telecommunications providers. The recommendation to only use end-to-end encrypted communications has received widespread attention, engendering an abject lack of confidence in providers’ security in the long term.
It might be that the 2023 strategy just needs more time, and this is part of a diminishing pattern. It might be that long-range ideals need to be put on pause in the middle of a crisis—that we shouldn’t debate housing codes amidst a five-alarm fire. More worryingly, it might be that the vulnerabilities abused by the Salt Typhoon attackers are not easily fixed, whether by virtue of the age of the target networks or innate security flaws in the standards that govern them, that there’s little hope for change from the telecommunications providers themselves, and so policymakers are calling on users to step up into the breach.
Stewart Scott, Associate Director, Cyber Statecraft Initiative, Atlantic Council
What might policymakers have done differently if this had been an access denial operation instead of an intelligence gathering campaign?
As bad as this incident appears, at least in public reporting, it has not been revealed to involve disruption or damage to these networks. It’s still too early to determine what the depth of intrusion would have enabled, but the immediate incident response would have been entirely different if the campaign had involved service denial. First, networks going down would have made it more difficult for the US government or companies to communicate with the public. Second, the response would have been sharply focused on the immediate recovery of the networks and getting critical services back up and running rather than what we have seen so far in shifting high-profile individuals towards end-to-end encrypted messaging platforms.
Regardless of intent, policymakers should see this as (yet another) wake-up call to get serious about preparedness and resilience. This incident is a reminder that the lessons from the 2019 decision to remove Huawei from telecommunications networks due to cybersecurity concerns have still not been implemented in terms of basic cyber hygiene, removing legacy hardware, or defending the most critical assets against the threat.
Sara Ann Brackett, Assistant Director, Cyber Statecraft Initiative
Nikita Shah, Resident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council
Are you, our readers, more secure in cyberspace than you were four years ago?
Though there appear to have been significant shifts in security practices throughout industry in the past four years, there is no macro-scale empirical evidence to suggest that cyberspace has grown more secure insofar as fewer bad things have happened. Sandwiching the last four years of policymaking between a multi-year espionage campaign targeting American cloud services and software providers (SolarWinds/Sunburst, 2020) and then another targeting telecommunications and internet service providers (Salt Typhoon, 2024) does not lend much credence to claims of success in US cybersecurity policy.
There are the mildest indications that you are less secure—ransomware attacks against Microsoft customers have tripled in the past year, and that’s bad, and recent projections from the US government claim cybercrime will cost $23 trillion globally in 2027 (though these figures are hard to draw conclusions from). Projections for financial harms caused by cybercrime are generally in consensus that damages will grow, with one estimate pegging a 15 percent annual rate of growth. Generally though, there is little rigorous, broad empirical evidence of any kind with regard to cybersecurity policy outcomes. Anecdotally, major compromises have not abated in a noticeable way, though they haven’t grown more frequent or severe, at least subjectively, either.
More secure? Maybe not.
Trey Herr, Senior Director, Cyber Statecraft Initiative
Stewart Scott, Associate Director, Cyber Statecraft Initiative, Atlantic Council
The Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.