How Long the Lines Stayed Open
Chinese state hackers known as Salt Typhoon maintained access to at least eight U.S. telecom providers from 2022 through 2024, according to a joint advisory from the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation released in January 2025. The intrusion was not a brief smash-and-grab. It was a years-long presence inside the systems that carry American phone calls, texts, and metadata. CISA and the FBI named the affected companies in a deliberately careful way, but the list includes some of the largest wireless and wireline carriers in the country.
The advisory described a campaign that targeted network management tools, lawful intercept interfaces, and the back-end databases that route domestic traffic. Two officials familiar with the matter said the intruders were able to vacuum up call detail records for an unknown number of Americans, including senior government officials and political figures. The same officials said the hackers also obtained court-ordered wiretap information tied to criminal and national security investigations. If that is accurate, then a foreign intelligence service spent years inside the machinery used to carry out court-authorized surveillance of Americans.
The carriers have not been eager to discuss the damage. AT&T, Verizon, and T-Mobile issued statements acknowledging the investigation but offering few details. The Federal Communications Commission opened a formal inquiry in late 2024 and demanded incident reports. By the spring of 2026, the commission had collected thousands of pages of material. None of it has been released to the public.
What the Agencies Are Not Saying
Officials at the Department of Homeland Security and the Office of the Director of National Intelligence have confirmed the scale of the compromise but have refused in public hearings to say how many Americans had their call metadata accessed by foreign operators. That silence is a choice. It protects sources and methods. It also protects the telecoms.
A senior official, speaking on condition of anonymity, told reporters in March 2026 that the government was still assessing whether the hackers could re-enter cleaned networks. The official would not provide a timeline for completing that review. A former Senate Intelligence Committee staffer said the classified briefings suggested the number of affected accounts was far larger than the carriers had initially disclosed. Neither the official nor the staffer would be quoted by name, which is standard for intelligence reporting but frustrating for citizens trying to understand the scope of the breach.
The Office of the Director of National Intelligence's 2025 Annual Threat Assessment described China as the most active and persistent cyber threat to U.S. critical infrastructure. The assessment specifically warned that Chinese hackers were positioning themselves to disrupt military mobilization and communications in the event of a conflict over Taiwan. Salt Typhoon fits that pattern. It was not an ordinary espionage operation. It was preparation.
Congress Has the Tools But Not the Will
The Senate Intelligence Committee held a closed hearing on the breach in March 2026, yet no mandatory cyber standards for telecommunications have reached the floor despite bipartisan staff drafts circulating since last year. That gap between diagnosis and action leaves the networks that carry American communications exposed to the same adversaries who have already proved they can get inside. The hearing produced heated statements behind closed doors. It produced no legislation.
The problem is not a shortage of authority. The FCC already has broad power to set security requirements for common carriers under Title II and related provisions. Congress could also mandate reporting timelines, baseline encryption standards, and supply-chain audits for network equipment. The $1.9 billion rip-and-replace program Congress created in 2020 to remove Huawei and ZTE gear from rural networks is proof that lawmakers understand the hardware side of the threat. That program is still paying out as of 2026. The software and operational-security side remains mostly unregulated.
A Justice Department official with knowledge of the case said prosecutors have weighed using existing computer fraud statutes against carriers that misrepresent their security posture to regulators. That would be a novel application. It might also be the only language the C-suites understand. Fines tied to failure to report an intrusion within seventy-two hours would focus executive minds far more than another interagency advisory.
A Real Deterrent Starts at Home
The United States can raise the price of these operations by fortifying carrier networks, imposing consequences on firms that mislead regulators, and using existing authorities to disrupt the infrastructure Chinese hackers rely on. This requires regulators to treat telecom security as critical infrastructure rather than a customer-service problem, and lawmakers to back that judgment with enforceable rules. Deterrence is not a speech at a conference. It is a series of concrete decisions that make the next breach harder, slower, and costlier.
Start with mandatory security standards. The FCC should require multi-factor authentication for network management interfaces, logging of privileged access, and regular third-party audits of lawful intercept systems. These are not exotic demands. They are the basics that private-sector security teams have preached for a decade. The 2025 advisory from CISA and the FBI listed specific indicators of compromise and mitigation steps. Carriers should have to certify that they have implemented them.
Then add consequences. Companies that fail to report intrusions in a timely manner should face civil penalties large enough to affect quarterly earnings. A $200 million FCC cybersecurity pilot program launched in 2024 could be expanded into a permanent fund that ties subsidy payments to verified security improvements. And the Commerce Department's Bureau of Industry and Security should use export controls and entity-list designations to target the Chinese firms that provide support services to state hackers.
Finally, the intelligence community should shift from warning to disruption. The National Security Agency and U.S. Cyber Command have the authority to act against foreign infrastructure used to attack domestic targets. Two officials familiar with the matter said planning for such operations accelerated after the Salt Typhoon advisory was published. That is welcome. But planning is not action. Americans deserve a telecom sector that is too hard to hack and a government that is too serious to let the next breach slide.
