Salt Typhoon cybersecurity is driving a renewed push in Congress to expand information sharing with telecom providers after a year of intrusions across major U.S. networks.
At a Senate Commerce Committee hearing, lawmakers weighed voluntary partnerships against new oversight to improve resilience and accountability.
The central question: how to verify progress and deter future campaigns without burdening carriers with compliance exercises that miss active threats.
Salt Typhoon cybersecurity: What You Need to Know
- Congress favors collaboration over new FCC rules, while the threat persists across U.S. telecom infrastructure.
A year on: what Congress and regulators have done
Following last year’s breaches in U.S. communications networks, the Senate Commerce Committee reviewed progress. Security leaders differed on whether the campaign represented traditional espionage or a broader, systemic threat to critical infrastructure.
The policy debate now uses Salt Typhoon cybersecurity as shorthand for regulation versus voluntary coordination.
Several Republicans, including Chair Sen. Ted Cruz and Sen. Deb Fischer, supported the FCC’s move to drop late-stage rules from the previous administration. They argued that actionable collaboration and continuous information sharing would improve Salt Typhoon cybersecurity faster than prescriptive checklists.
Jamil Jaffer of George Mason University urged clearer deterrence and practical, real-time cooperation.
Why the rules were withdrawn
The shelved FCC telecom cybersecurity regulations would have interpreted existing law to require blocking unauthorized foreign interception and compelled annual attestations of cybersecurity plans.
FCC Commissioner Brendan Carr said the measures were rushed and unnecessary, citing sector-led improvements. Supporters added that rigid attestations could redirect resources from adversary-focused defenses to paperwork, weakening Salt Typhoon cybersecurity outcomes.
The case for stronger oversight
Critics countered that voluntary commitments lack verification. Former FCC Public Safety and Homeland Security Bureau chief Debra Jordan argued the withdrawn standards aimed to move proactively before the next breach.
Sen. Maria Cantwell raised transparency concerns after AT&T and Verizon resisted sharing more documentation on their response. Commissioner Anna Gomez said the pullback removed the only meaningful regulatory response so far.
Public reporting continues to spotlight Chinese hackers in telecom networks and their long-term access operations. For background on PRC-linked telecom targeting, see analysis on PRC cyber espionage against telecoms.
The vulnerabilities and the ongoing risk
Officials stated the intrusions did not depend on Huawei or ZTE gear. Instead, attackers exploited well-known gaps: unpatched, long-public vulnerabilities, weak passwords, and missing multifactor authentication.
These basics keep Salt Typhoon cybersecurity pressure elevated for carriers and downstream organizations that rely on their services. Related risks include password cracking advances; see how AI can crack your passwords.
Sen. Ben Ray Luján criticized the regulatory retreat, warning that voluntary pledges fall short when networks remain exposed. Witnesses said the campaign is ongoing and could enable disruption or interception of emergency communications.
The risk extends beyond Tier 1 carriers to schools, hospitals, libraries, and first responders with limited defensive resources. For mobile network exposure, review LTE and 5G security flaws and broader 5G cybersecurity risks and opportunities.
Parallel federal cloud efforts show mandates can complement collaboration, as seen in CISA’s 2025 initiatives (cloud security mandate).
Information sharing over mandates
Supporters of the FCC withdrawal prioritize deeper information exchange with carriers as the most practical defense. They argue Salt Typhoon cybersecurity depends on frequent sharing of indicators, incident lessons, and mitigations across government and industry.
They contend collaboration adapts faster than new rules and keeps teams focused on attackers rather than audits.
What ‘real-time partnerships’ mean
Real-time partnerships pair collaborative detection and response with joint playbooks to shrink dwell time and improve attribution. Cross-sector visibility helps flag suspicious activity before service disruption.
Advocates say these tactics blunt persistent, state-backed campaigns while staying aligned to operational outcomes and zero-trust principles; see zero-trust architecture for network security.
Implications for critical infrastructure and policy
A partnership-first model moves at operational speed and evolves with threat intelligence. It reduces compliance drag, encourages candid incident reporting, and channels frontline expertise into pragmatic defenses.
When executed well, Salt Typhoon cybersecurity efforts align closely to real risks and let agencies focus on facilitation, advisories, and high-impact guidance rather than rule-by-rule oversight.
The downsides are measurable. Without verification, voluntary schemes risk uneven adoption and short-lived fixes. Lawmakers fear progress cannot be assessed and that the same gaps (unpatched systems, weak authentication, and poor hygiene) will persist.
Critics argue that withdrawing FCC telecom cybersecurity regulations removed leverage to enforce consistent baselines, leaving critical services exposed when a sustained campaign again probes U.S. networks.
Conclusion
One year after disclosures, Congress is betting that collaboration will harden telecom networks faster than new rules. The approach hinges on rapid indicator sharing and joint response.
Salt Typhoon cybersecurity remains a live risk. Attackers continue to exploit old flaws, weak passwords, and missing MFA. Verification mechanisms will determine whether voluntary measures translate into durable improvements.
The coming months will show whether cooperation delivers consistent action across carriers and dependent institutions, or whether targeted, flexible regulations reemerge to enforce security baselines.
Questions Worth Answering
What is Salt Typhoon and why does it matter?
- It is a PRC-linked campaign that penetrated multiple U.S. telecom networks, raising systemic national security and critical infrastructure concerns.
Why did the FCC withdraw proposed telecom rules?
- Leaders said the rules were rushed and unnecessary, citing sector-led progress and a desire to avoid checklist compliance that diverts from active threats.
What weaknesses did attackers exploit?
- Mostly basics: unpatched, long-known vulnerabilities, weak passwords, and gaps in multifactor authentication across telecom infrastructure.
Are Chinese equipment bans relevant here?
- Officials indicated Chinese-made equipment did not drive these intrusions; poor cyber hygiene and known software flaws were the primary factors.
How are lawmakers split on the solution?
- Some back partnership and information sharing; others push for verification and baseline standards, arguing voluntary pledges lack accountability.
What could be affected if the threat escalates?
- Emergency communications and public services, schools, hospitals, libraries, police, and first responders could face disruption or interception.
Where can I learn more about related threats?
- See research on PRC telecom espionage and incident response for DDoS attacks.
About the Federal Communications Commission (FCC)
The FCC regulates U.S. communications networks and is central to the telecom security policy debate.
After the Salt Typhoon disclosures, the FCC engaged carriers and later withdrew proposed cybersecurity rules, citing voluntary progress.
Commissioners differed: Brendan Carr supported withdrawal, while Anna Gomez questioned whether the industry engagement was sufficient.
About Sen. Ted Cruz
Sen. Ted Cruz chairs the Senate Commerce Committee and supported withdrawing FCC telecom cybersecurity regulations.
He argued that checklists can divert resources from real-world threats, favoring agile partnerships and timely information sharing.
Cruz emphasized real-time cooperation between government and telecom providers as essential to effective defense.