What are U.S. officials saying about Salt Typhoon now?
Two officials familiar with the matter said the Chinese state-sponsored group known as Salt Typhoon remains inside select U.S. telecom networks months after the breach became public, and federal investigators have not yet confirmed that every compromised device has been removed. A senior official, speaking on condition of anonymity, described the cleanup as a long-term project rather than a closed case.
The assessment comes more than a year after U.S. authorities first disclosed Salt Typhoon's campaign against American carriers. By December 2024, the group had breached at least nine U.S. telecom firms, according to private-sector analysts who tracked the incidents. The intrusions targeted metadata and unclassified communications linked to government officials, a reminder that the most sensitive traffic is not always the easiest to protect.
Intelligence agencies view the persistence as a strategic message. Beijing does not need to steal every secret on day one. It needs to live inside the network long enough to map relationships, identify sources, and wait for a moment of crisis. That patience is harder to counter than a smash-and-grab raid.
A former Senate Intelligence Committee staffer said the latest classified briefings have centered on supply-chain vulnerabilities and the difficulty of spotting backdoors in software updates. The same staffer noted that rural carriers remain especially exposed because they often lack the engineering staff to hunt for subtle intrusions.
How did Chinese hackers maintain access for so long?
Salt Typhoon exploited known vulnerabilities in network devices from multiple vendors, moved laterally through carrier systems, and embedded itself deeply enough that simple password resets and patch cycles could not dislodge it, according to a cybersecurity advisory issued by U.S. and allied agencies. The group relied on trusted relationships between carriers and equipment makers to hide in plain sight.
The Federal Communications Commission's rip-and-replace program was supposed to remove risky Chinese equipment from rural networks. Congress authorized it in 2020 with an estimated cost that has since ballooned to roughly $4.98 billion, while appropriations have fallen about $3.08 billion short. That gap leaves hundreds of small carriers operating hardware that U.S. officials have already flagged as a national security risk.
Even among larger carriers, the attack surface is vast. Telecom networks rely on thousands of routers, switches, and base stations from a shrinking pool of global suppliers. When a single firmware update can travel to millions of devices, a compromised update mechanism becomes a skeleton key. Salt Typhoon did not need to invent a new technique. It needed patience and a target that had prioritized speed over verification.
A Justice Department official with knowledge of the case said investigators are examining whether any U.S. personnel knowingly facilitated the placement of vulnerable equipment. No public charges have been filed, but the inquiry reflects a growing recognition that cybersecurity cannot be separated from procurement decisions.
Why has the federal response fallen behind?
Years of budget fights, workforce cuts, and inconsistent White House attention have left the Cybersecurity and Infrastructure Security Agency operating at roughly two-thirds of its prior capacity, according to outside assessments. A senior official said cleanup efforts now compete with election security and World Cup protection.
The 2026 intelligence budget request totals roughly $107 billion, but the slice that goes toward network defense is classified and often shortchanged by competing priorities. Meanwhile, CISA's public-facing workforce has shrunk through attrition and buyouts, leaving fewer analysts to help private carriers hunt for intrusions.
Congress has held hearings and issued reports. It has not yet passed legislation that would require carriers to report significant breaches quickly, share threat signatures with the government, or meet minimum security standards for equipment tied to critical infrastructure. The result is a policy landscape that rewards disclosure after embarrassment rather than prevention before damage.
World Cup 2026 has added another strain. Federal agencies are directing $250 million toward counter-drone technology and coordinating more than 400 law enforcement agencies, stretching the same cyber teams that are supposed to be hunting Salt Typhoon. A senior official said the tournament is a soft target for adversaries who want to test U.S. response capabilities while attention is elsewhere.
What would a serious cyber policy look like?
A serious policy would start with money Congress has already promised, require carriers to meet baseline security standards before handling government traffic, and create a fast process for replacing foreign equipment that American intelligence agencies cannot certify as clean of hidden backdoors. It would also treat telecom infrastructure as critical infrastructure in more than name alone.
The first step is to close the rip-and-replace funding gap. The second is to give CISA the authority and the personnel to conduct unannounced inspections of carriers that handle sensitive government or defense communications. The third is to stop pretending that market competition alone will produce secure networks. It has not, and it will not.
Congress should also pass a breach notification law tailored to critical infrastructure, with penalties severe enough to overcome the corporate instinct to hide problems until after the quarterly earnings call. Two officials familiar with the matter said such a law is under discussion but faces opposition from industry groups worried about liability.
Finally, U.S. cyber policy must stop treating each breach as a discrete incident. Salt Typhoon, Volt Typhoon, and the Iranian groups tracked in the April 7 joint advisory are parts of a single strategic reality: adversaries view American networks as contested territory. Pretending otherwise is not restraint. It is negligence with a lobbying budget.
