What Salt Typhoon Actually Did

Chinese state-sponsored actors tracked as Salt Typhoon penetrated the networks of at least eight major American telecommunications providers beginning in 2022, according to a November 2024 joint advisory from CISA, the FBI, and the NSA. The compromise reached deep into domestic communications infrastructure and gave attackers access to call records, text messages, and lawful-intercept systems. That means they exploited the same infrastructure the government uses to conduct surveillance under court order.

The Wall Street Journal reported in December 2024 that the campaign affected the communications of senior government officials and both major presidential campaigns. This was not a smash-and-grab ransomware incident. It was a long-term signals intelligence operation run by a foreign power against domestic carriers.

And the carriers did not catch it first. The intelligence community did. That is worth remembering the next time someone says the private sector can handle nation-state defense on its own.

CISA followed with remediation guidance and added the actor's tools to its Known Exploited Vulnerabilities catalog. But patching a router does not fix the policy failure that left the wire undefended while collection budgets grew.

The Title 10 and Title 50 Split Is Not a Theoretical Problem

Most Americans have never read Title 10 or Title 50 of the United States Code, but the distinction controls who can conduct military cyber operations, who can collect foreign intelligence, and which agency has the legal standing to act when a foreign adversary is inside a domestic telecom network. Title 10 gives the Department of Defense and U.S. Cyber Command the authority to conduct military operations, including offensive cyber actions and the defense of DoD networks. Title 50 gives the intelligence community, primarily the NSA under the National Security Act, the authority to collect foreign intelligence, including under FISA Section 702 and Executive Order 12333.

CYBERCOM and NSA share a commander under the dual-hat arrangement, which puts one four-star officer in charge of both a military command and an intelligence agency. The theory is synergy. The reality is friction. Operators under Title 10 need permission to act against threats inside the United States or against U.S. infrastructure, even when the adversary is foreign. Intelligence collectors under Title 50 can see the intrusion but lack the legal mandate to shut it down on private networks.

Salt Typhoon lived in that seam. The NSA likely saw pieces of the activity through foreign collection. The FBI has the domestic investigative role under its National Security Branch. CISA has the lead for federal civilian network defense. The carriers own the networks. No single authority could force a coordinated response until after the damage was public.

This is not a complaint about law. The law exists for good reasons. The complaint is about leadership that treats the seam as permanent instead of staffing, authorizing, and funding around it. Congress writes the authorities. The White House sets the rules of engagement. The workforce executes with whatever it is given.

Section 702 and the Workforce Problem

FISA Section 702 is the authority that lets the NSA target foreign persons located outside the United States for intelligence without an individual court order for each target, while requiring court-approved procedures to protect Americans whose communications are collected incidentally. Its future will dominate the intelligence debate before the December 31, 2026 sunset. The Reforming Intelligence and Securing America Act extended Section 702 through that date, so the next Congress will face reauthorization during a presidential transition year.

Section 702 is not the reason Salt Typhoon succeeded. It is, however, the reason analysts can sometimes see foreign infrastructure from the outside. The same authority that lets NSA watch a Chinese router overseas can alert CISA to malicious traffic heading toward a U.S. telecom backbone. Take 702 away without a replacement and you blind the defenders more than you blind the attackers.

But reauthorization is not enough. The IC also needs to fix minimization, query oversight, and the FBI's access to raw 702 data. The FISA Court documented compliance problems in 2023 and 2024. Each incident feeds the political case for gutting the authority. That case, if it succeeds, will be celebrated by people who have never sat on a watch floor at Fort Meade at three in the morning.

The workforce is tired of being blamed for both too much surveillance and too little defense. These are the same people who flagged SolarWinds, who have tracked Volt Typhoon since at least 2021, and who warned that Salt Typhoon was inside telecom networks before the headlines. They do not need another press release. They need clear authorities, realistic authorities, and leaders who will defend them when Congress gets nervous.

Volt Typhoon has been in U.S. critical infrastructure networks since at least 2021, according to CISA and the Five Eyes advisory from May 2023. Salt Typhoon followed. There will be a next group. The question is whether the next compromise becomes a thirty-day news cycle or a real reorganization of who defends the wire.