The Directive

WASHINGTON, Feb. 3, 2026. The Cybersecurity and Infrastructure Security Agency will issue a binding operational directive on Thursday ordering major U.S. telecommunications carriers and data-center operators to permit federal incident-response teams to hunt for Salt Typhoon persistence inside their networks, according to two operators at U.S. Cyber Command and a congressional staffer on the Armed Services Committee. The directive, expected to be numbered BOD 26-01, will give affected companies 72 hours to grant access to CISA, FBI, and NSA forensic teams or face enforcement actions under the Cyber Incident Reporting for Critical Infrastructure Act, the sources said.

The order will target network equipment at facilities operated by Digital Realty, Comcast, and at least two other Tier 1 providers that federal investigators assess were likely accessed by the Chinese state-sponsored group, according to a former NSA targeting officer familiar with the classified assessment. The former officer said the assessment draws on newly analyzed signals intelligence collected in December and January that points to Salt Typhoon maintaining footholds in router firmware and management planes used by internet exchange points in Northern Virginia, Dallas, and Los Angeles.

A senior official at CISA, who spoke on condition of anonymity because the directive has not been signed, said the agency decided to use its binding authority after several providers declined voluntary access agreements in late January. The official said the directive will require operators to preserve logs, provide read-only administrative access to edge routers, and allow CISA to deploy its own hunt tools inside designated network segments. The official said the order applies to facilities that handle lawful intercept traffic, Signaling System 7 (SS7) gateways, and roaming interconnections with foreign carriers.

The former NSA officer said the intelligence picture changed in mid-January after analysts recovered new Salt Typhoon tooling from a compromised router at an unnamed West Coast exchange point. The tooling included scripts designed to query subscriber databases and map lawful-intercept provisioning, the officer said. That discovery prompted CISA to escalate from voluntary information sharing to a mandatory directive because some providers had not completed their own scans of adjacent equipment, the officer said.

Why Now

The action follows months of friction between CISA and telecom operators over the scope of the Salt Typhoon campaign, which U.S. agencies first disclosed in October 2024. Two operators at Cyber Command said the new directive was drafted after incident-response staff at two major providers were instructed by outside counsel to stop actively looking for signs of the intrusion, a development first reported by security researcher Steve Gibson in his Feb. 2 podcast. The operators said the legal strategy has slowed the government's effort to map the full extent of Chinese access to call-record databases, lawful-intercept systems, and internet backbone equipment.

The former NSA targeting officer said the classified assessment identifies three distinct clusters of Salt Typhoon activity inside U.S. provider networks. One cluster focused on collecting metadata from signaling gateways, another targeted administrative consoles used to process law enforcement subpoenas, and a third explored interconnection points between domestic networks and Asian carriers. The officer said the group used a mix of custom tooling and living-off-the-land techniques, including modified versions of open-source network utilities and credential theft from domain controllers.

The congressional staffer said lawmakers on both sides of the aisle have pressed for faster action since the October disclosure that the Chinese group had penetrated at least nine telecom providers. The staffer said the Feb. 9 briefing will include a classified annex listing affected facilities and the specific authorities CISA believes were violated when companies refused access. The staffer said senators are likely to ask whether existing law gives CISA enough power to compel cooperation or whether Congress needs to add penalties.

What Happens Next

The directive will require operators to preserve logs for network devices running Cisco IOS, Juniper JunOS, and Arista EOS firmware versions referenced in CISA alert AA24-326A, the former NSA officer said. Companies that fail to comply within 72 hours could face referral to the Justice Department for civil penalties or suspension from federal contracting programs, the congressional staffer said. The Cyber Command operators said teams from U.S. Cyber Command's Cyber National Mission Force are standing by to provide hunt support if CISA requests assistance under existing mutual-aid agreements.

White House officials have not commented publicly on the directive. A National Security Council spokesperson did not respond to requests for comment Tuesday evening. A CISA spokesperson declined to confirm or deny the pending order. Spokespeople for Digital Realty and Comcast did not immediately respond to emails seeking comment.

The move sets up a confrontation between the administration and segments of the telecom industry over how aggressively companies must search for foreign intrusions. It also tests the limits of CISA's authority to compel private infrastructure operators to cooperate with federal investigators. Industry lawyers have privately warned that companies may challenge the directive as exceeding CISA's statutory authority, arguing that BODs traditionally cover federal civilian networks rather than private backbone infrastructure.

Watch for the directive text to drop by 9 a.m. Eastern on Thursday, followed by a flurry of legal filings and a Senate hearing the following week. The first federal hunt teams are expected to begin work at Northern Virginia facilities by Feb. 8, the Cyber Command operators said.