China's Telecom Hack Shows the IC Still Cannot See Inside Its Own Networks

How did Salt Typhoon evade detection for so long?

Chinese state-sponsored hackers compromised at least nine major US telecommunications carriers beginning in 2022 and maintained access for months before discovery, according to officials familiar with the matter. The intrusion, publicly disclosed in fall 2024, allowed the actors to intercept metadata and, in some cases, the content of calls and texts associated with senior government officials. The attackers did not need zero-day exploits. They used stolen credentials and patience.

The scale of the breach became clearer in congressional briefings held in early 2026. Two officials familiar with the matter said the compromised carriers included Verizon, AT&T, and T-Mobile, along with several smaller regional providers. The hackers targeted systems used for court-ordered surveillance, which gave them insight into both criminal investigations and national security collection. That is not a routine espionage operation. It is a strategic strike against the infrastructure of American law enforcement.

Telecom executives testified before the Senate Intelligence Committee in March 2026 that their networks lacked complete visibility into legacy systems, some of which dated back more than a decade. The companies had focused spending on customer-facing services rather than on the internal switching equipment that makes interception possible. A senior official, speaking on condition of anonymity, told committee staff that this blind spot was exploited with sophistication but not novelty. Old doors left unlocked will be opened by patient adversaries.

The intrusion also raised questions about supply chain security. Equipment from vendors with ties to China has been embedded in American telecom infrastructure for years, and previous efforts to remove it have moved slowly due to cost and technical complexity. A former Senate Intelligence Committee staffer said the Salt Typhoon campaign accelerated debate over whether existing replacement timelines are too generous. Adversaries do not wait for budget cycles. They map networks while committees hold hearings.

What does the breach reveal about NSA and FBI coordination?

The Salt Typhoon response exposed long-standing friction between the National Security Agency and the Federal Bureau of Investigation over who owns cyber defense inside the United States. NSA collects foreign intelligence, FBI investigates crimes, and neither agency has clear authority when foreign hackers operate on American phone networks. But when both claim relevance and neither takes full responsibility, the result is hesitation while adversaries move.

A former Senate Intelligence Committee staffer said the breach prompted at least three interagency meetings in late 2024 and early 2025 over whether to issue a public warning. NSA pushed for disclosure. Some FBI officials worried that revealing the compromise would tip off targets under investigation. The delay allowed the intrusion to continue. And it left millions of ordinary Americans exposed while agencies debated jurisdiction.

The Cybersecurity and Infrastructure Security Agency eventually issued guidance in November 2024 urging carriers to segment sensitive systems and adopt stronger authentication. But officials familiar with the matter said uptake was uneven. Large carriers moved slowly. Smaller providers lacked the staff to comply. And no federal regulator had clear authority to mandate fixes. The intelligence community could see the threat. It could not compel the defense.

Congress has held five hearings on the breach since January 2026, but no senior official has been held accountable for the delayed response. Lawmakers from both parties have expressed frustration, yet the institutional map remains unchanged. A Justice Department official with knowledge of the case said the administration is considering a formal review of cyber defense responsibilities but has not made a decision. Reviews do not stop hackers. Only structural change can.

Can Congress force a real fix?

Congress has introduced legislation to require baseline cybersecurity standards for telecommunications providers, but the bills remain stalled in committee as of June 2026. A Justice Department official with knowledge of the case said the administration supports mandatory reporting and network segmentation rules but faces opposition from industry groups warning about compliance costs. Those costs must be weighed against the price of leaving the nation's phone system open to Beijing.

The Federal Communications Commission has broad authority over carriers but has historically treated cybersecurity as a voluntary concern. That should change. A former Senate Intelligence Committee staffer noted that the FCC could use its licensing power to require minimum security practices for any provider handling court-ordered surveillance data. If a company wants access to that sensitive function, it should prove it can protect it. No audit, no license. No compliance, no government contract.

China is not going to stop. Salt Typhoon was one campaign among many. The same actors have targeted water utilities, ports, and defense contractors across the country. Deterrence requires consequences. It also requires defenders who can see their own networks clearly. The intelligence community has the tools to watch the enemy abroad. The harder problem, and the one Congress must solve soon, is forcing American companies to secure the ground beneath our feet.