
Reconfiguring U.S. Cyber Strategy in the Wake of Salt Typhoon

Alistair Simmons
Wednesday, October 22, 2025, 1:00 PM
Persistent penetration of domestic networks makes coordinated defenses and robust deterrence essential to preventing cyber conflict.
A cadet taking part in the annual Cyber Defense Exercise at the U.S. Military Academy. (U.S. Army photo by Mike Strasser/USMA PAO, https://www.flickr.com/photos/west_point/8657487759; CC BY-NC-ND 2.0, https://creativecommons.org/licenses/by-nc-nd/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

In a multiyear campaign known as Salt Typhoon, threat actors backed by the People’s Republic of China (PRC) have broken into many major telecom providers, including Verizon, AT&T, and T-Mobile. Those three providers alone count a combined 397.1 million subscribers, so Salt Typhoon could affect hundreds of millions of people. Given the magnitude of the breach, Sen. Mark Warner (D-Va.), vice chairman of the Senate Select Committee on Intelligence, called Salt Typhoon the “worst telecom hack in our nation’s history,” and former FBI Director Christopher Wray called it the “most significant cyber espionage campaign in history.”

Salt Typhoon could give the PRC visibility into the election process, law enforcement investigations, and military networks. With each successive breach, the campaign gains further access with which to monitor and manipulate the U.S. government’s internal functions. The threat actors target high-ranking political figures, obtaining call logs, unencrypted texts, and audio, in order to map the networks of contacts that influence decision-makers. During the 2024 election, the PRC targeted the phones of political candidates, access that could be used for election interference or blackmail. Salt Typhoon also targeted the carriers’ lawful-intercept systems, the wiretap interfaces telecom providers maintain for court-authorized surveillance, in an effort to monitor U.S. law enforcement’s wiretapping requests in ongoing investigations, information that is confidential and protected by sealed court orders. Sens. Ron Wyden (D-Ore.) and Eric Schmitt (R-Mo.) emphasized that the Salt Typhoon attack threatens national security information. Between March and December 2024, Salt Typhoon compromised a state’s Army National Guard network, stealing administrator credentials, network traffic diagrams, the work locations of state cybersecurity personnel, and personal information on service members. That stolen information has fueled further intrusions: the threat actors used an exfiltrated network traffic diagram to compromise a vulnerable device on a different government agency’s network. Each successful breach lets Salt Typhoon penetrate deeper into the layers of the U.S. government, making the problem more urgent as PRC-backed threat actors become further entrenched in domestic networks.

Salt Typhoon can also access the geolocation information of millions of people and steal data from businesses. The campaign may put the data of almost every American within the PRC’s reach; the FBI estimates that “intruders likely obtained more than one million call records,” and it has contacted over 600 companies affected by the espionage. Anne Neuberger, then deputy national security adviser, said the threat actors behind Salt Typhoon had the “capability to geolocate millions of individuals, to record phone calls at will.” As Chief Justice John Roberts noted in Carpenter v. United States, such communications information is “detailed, encyclopedic, and effortlessly compiled.” Cell-site location information reveals the real-time location of devices and can be used, for example, to track soldiers on military bases. Network traffic clearly exposes sensitive information, but the full extent of Salt Typhoon’s data collection remains unknown, warranting further investigation and response.

PRC-backed threat actors have maintained persistent access to domestic networks, and previous efforts to remove Salt Typhoon have not succeeded. In 2024, AT&T stated it observed “no activity by nation-state actors in our networks,” and Verizon claimed it had “contained the activities.” Those assurances are difficult to reconcile with the joint cybersecurity advisory’s finding that Salt Typhoon continues to penetrate multiple telecom providers and maintains “persistent, long-term access to networks.” Each failed attempt to evict Salt Typhoon makes it clearer that a more concerted and coordinated effort is necessary.

The U.S. government should counter persistent cyberattacks on telecom providers by strengthening defenses and clarifying its offensive posture. Credible deterrence depends on resilient networks that can withstand retaliation. To strengthen defenses, government agencies can coordinate to sanction threat actors, disrupt compromised devices, and remove vulnerabilities. To clarify offensive posture, policymakers can set clear thresholds for deterrence and balance offensive operations with intelligence priorities. Denying adversaries long-term access to U.S. networks will reinforce deterrence and sharpen cyber capabilities.

Strengthening Cyber Defenses

To remove threat actors’ persistent presence in domestic networks, the executive branch ought to expand efforts to (a) sanction threat actors, (b) disrupt threat actors’ existing footholds, and (c) address further vulnerabilities. A joint cybersecurity advisory from the U.S. government describes how PRC threat actors “move laterally” within target networks, a sign that prior efforts to remove Salt Typhoon neither fully disrupted the footholds from which threat actors pivot between networks nor identified the remaining vulnerabilities they can exploit. In a coordinated response, the president should sanction threat actors to disincentivize support for attacks, authorize agencies to seize compromised devices to eliminate existing footholds, and strengthen defenses to prevent new vulnerabilities. Together, these measures raise the costs of cyber operations, remove adversaries from U.S. networks, and block future points of entry.

Sanction Threat Actors

The International Emergency Economic Powers Act (IEEPA) gives the president broad authority to block transactions in, and freeze, the property of foreign persons engaged in hostile cyber activities. Once a national emergency is declared, 50 U.S.C. § 1702(a)(1)(B) allows the president to investigate, block, regulate, nullify, prevent, or prohibit transactions involving property in which a foreign country or foreign national has an interest. This general blocking authority has been used repeatedly in cyberspace, including to sanction Russian election interference (Executive Order 13757), to restrict information and communications technology transactions involving foreign adversaries (Executive Order 13873), to limit malicious foreign access to U.S. internet infrastructure (Executive Order 13984), and to sanction the actors responsible for the SolarWinds compromise (Executive Order 14024).

In addition to this general IEEPA authority, Congress created a cyber-espionage-specific sanctions tool in 50 U.S.C. § 1708(b), enacted through the National Defense Authorization Act for fiscal year 2015. Section 1708(b)(2) empowers the president, using IEEPA authorities, to block all transactions in and property of any foreign person that “knowingly requests, engages in, supports, facilitates, or benefits from” significant cyber-enabled economic or industrial espionage. The provision is framed around economic and industrial espionage rather than intelligence collection, so its fit is not exact, but the compromise of private-sector telecom infrastructure that underpins Salt Typhoon is the kind of activity it is aimed at.

Using this authority, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is well positioned to expand its Cyber-Related Sanctions Program to cover more of the entities involved in stealing data. The program has already sanctioned Sichuan Juxinhe Network Technology Co., Ltd., for its involvement in Salt Typhoon, and it could also sanction the two other companies named in the joint cybersecurity advisory: Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.

Beyond the perpetrators of Salt Typhoon itself, the Treasury can work with other executive agencies to target the many companies the PRC relies on to launch cyberattacks and monetize exfiltrated data. For example, OFAC sanctioned Shanghai Heiying for acting as a “data broker, selling illegally exfiltrated data and access to compromised computer networks.” The sanctions program should target the entire industry that “supports, facilitates, or benefits from” stealing and reselling data. PRC threat actors often circumvent sanctions over time by drawing on state subsidies or restructuring under new entities, which underscores the need for targeted and persistent measures. A broader OFAC campaign could also align with investigations into violations of the Bulk Data Transfer Rule and the Protecting Americans’ Data from Foreign Adversaries Act, both of which aim to restrict data collection and espionage against U.S. citizens and companies.

Disrupt Threat Actors’ Infrastructure 

Law enforcement should identify and disrupt the compromised devices that threat actors use as footholds in domestic networks. Threat actors often route their operations through compromised devices owned by other entities in order to bypass security controls, pivot between networks, and disguise their identity. The joint cybersecurity advisory explains that Salt Typhoon threat actors “often simultaneously exploit large numbers of vulnerable, Internet-exposed devices across many IP addresses and may revisit individual systems for follow-on operations,” and that they “leverage compromised devices and trusted connections … to pivot into other networks.” Cybersecurity researchers have identified particular classes of devices, such as Cisco routers, that Salt Typhoon threat actors exploit to escalate privileges, exfiltrate data, and maintain persistent access. By identifying compromised devices and severing the threat actors’ control over them, law enforcement can prevent those devices from being used as launch points for attacks on domestic networks.

The FBI could expand its cyber operations to disrupt threat actors’ control over compromised devices. The bureau has previously dismantled botnets operated by the PRC, Russia, and organized crime rings. Although the joint cybersecurity advisory notes that the current threat actors are not leveraging a “publicly known botnet or obfuscation network infrastructure,” the FBI should investigate whether an unreported botnet is in use. Beyond botnets, the FBI can work to disrupt the command-and-control infrastructure, such as multi-hop proxy chains built from compromised devices, that Salt Typhoon threat actors use to exfiltrate data.

Once it has identified a set of compromised devices, the FBI has authority to intervene. The Department of Justice can obtain a warrant under Rule 41 of the Federal Rules of Criminal Procedure. Rule 41(b)(6)(B), added in a 2016 amendment, permits a warrant authorizing “remote access” to protected computers in an investigation of a violation of 18 U.S.C. § 1030(a)(5) of the Computer Fraud and Abuse Act (CFAA) when those computers have been “damaged without authorization and are located in five or more districts,” the typical profile of a botnet. Although the amendment has been criticized for lacking privacy and security safeguards, the FBI can strengthen those protections as it builds expertise in disrupting botnets. In 2022, the FBI disrupted Cyclops Blink, a global botnet controlled by the Russian military intelligence unit known as Sandworm, and it did not collect any information from victims’ networks other than device serial numbers. Using this remote-access authority, the FBI can seize control of compromised devices and dismantle botnet infrastructure, denying threat actors the ability to direct those devices from within domestic networks.

The FBI should also increase the frequency of its disruption operations to keep threat actors from regaining footholds in domestic networks. In January 2024, the Department of Justice and the FBI launched a joint operation to disrupt Volt Typhoon, which uses a PRC-controlled botnet to target critical infrastructure. Whereas Salt Typhoon, as described above, is an expansive espionage operation aimed at intercepting communications, Volt Typhoon is a pre-positioning operation intended to “enable disruption or destruction of critical services in the event of increased geopolitical tensions.” Despite then-Attorney General Merrick Garland’s statement in January 2024 that the Justice Department had “disrupted a PRC-backed hacking group,” warnings emerged later that year that Volt Typhoon had rebuilt its botnet and continued to infect devices. Volt Typhoon’s resurgence shows that law enforcement must disrupt compromised devices continually, not once, to remove threat actors’ footholds.

Alongside removing vulnerabilities, the Department of Commerce should restrict threat actors’ access to the remote infrastructure they use to launch cyberattacks. The joint cybersecurity advisory details how threat actors “leverage infrastructure, such as virtual private servers (VPSs)” to target telecom networks. Executive Order 13984 restricts threat actors’ access to VPSs and other infrastructure-as-a-service (IaaS) products by imposing “record-keeping obligations with respect to foreign transactions.” Section 2(d)(ii) of the order further grants the Department of Commerce, in consultation with law enforcement and national security agencies, authority to “prohibit … the opening … of an Account … if such an Account involves any such foreign person found to be offering United States IaaS products used in malicious cyber-enabled activities.” After identifying the servers and cloud platforms that threat actors use to stage attacks, the U.S. government should cut off their access to that infrastructure.

Detect Vulnerabilities and Promote Secure Infrastructure

The Department of Homeland Security should expand its information-sharing capabilities so that vulnerabilities and intrusions are detected sooner. The Cybersecurity and Infrastructure Security Agency (CISA), which leads federal incident response and information sharing, plays a central role in coordinating responses. Given the scale of Salt Typhoon’s intrusions into U.S. telecom providers, effective information sharing is essential to prevent adversaries from exploiting the same weaknesses across an entire industry. As a previous Lawfare article argued, the president could invoke IEEPA authority to mandate incident reporting to CISA. Mandatory reporting would give the agency a detailed, near-real-time picture of evolving threats, allowing it to coordinate countermeasures and disseminate guidance to stakeholders, and would make CISA both more agile in addressing vulnerabilities and more comprehensive in its response to cyberattacks.

The Federal Communications Commission (FCC) should continue to expand its national security review of vulnerable telecom infrastructure. The FCC has an important role in keeping telecommunications equipment with vulnerabilities or backdoors out of domestic networks. While FCC Chairman Brendan Carr criticized the commission’s initial rulemaking effort in response to Salt Typhoon, he formed a Council on National Security to identify and remove vulnerabilities in telecom infrastructure. The council supports expanded investigations into entities on the Covered List, which designates equipment and services that pose an unacceptable national security risk and cannot be authorized for sale domestically. The FCC is also strengthening its equipment review process by barring test labs and certification bodies controlled by foreign adversaries, the so-called bad labs, from the equipment authorization program. In addition, the FCC has taken enforcement action against AT&T for insufficient data security. By proactively identifying vulnerable devices and promoting more robust industrywide cybersecurity practices, the FCC can help surface existing vulnerabilities in domestic networks and prevent new ones from emerging.

Strengthening Offensive Posture

Offensive prowess in cyberspace depends on having effective defenses already in place. Lawmakers, including several Senate Republicans and Sen. Warner, have called for offensive cyber operations against the PRC in response to Salt Typhoon. Warner argues that threatening to hack the PRC back is more effective than trying to evict threat actors from U.S. telecom networks, but an offensive strategy without defensive measures is a temporary solution at best. Hack-back operations do not remove vulnerabilities, so the PRC could simply respond with further attacks on domestic networks. And as long as domestic networks remain vulnerable, the U.S. government cannot credibly threaten to hack the PRC back. As Anne Neuberger explains, U.S. presidents cannot “make persuasive deterrent threats because they lack enough confidence that U.S. defenses could withstand a potentially escalatory tit-for-tat battle in cyberspace.” Strengthening the U.S. government’s offensive cyber posture can help deter future attacks, but improving defensive capabilities is a prerequisite to any escalatory threat.

Before launching an offensive cyber operation, the U.S. government should weigh the trade-off between covert intelligence collection and a deterrent show of force. As Erica Lonergan and Shawn Lonergan explain in their book “Escalation Dynamics in Cyberspace,” “the intelligence value associated with having penetrated an adversary network may, in many cases, far outweigh the value of an offensive cyber operation.” A visible offensive operation typically burns the access it relies on: once the exploited vulnerability or foothold in the PRC’s networks is discovered and closed, it is no longer available for covert collection. Prior to formal attribution, Salt Typhoon itself operated as a covert intelligence operation rather than a public cyberattack, since it seeks to exfiltrate data quietly rather than disrupt critical infrastructure. In deciding what constitutes a proportionate response, the U.S. government ought to weigh its intelligence collection priorities against its need for deterrence.

If deployed, offensive cyber operations should signal the U.S. government’s resolve to protect domestic networks. Operations consistent with the government’s deterrent messaging could prevent future cyberattacks; operations inconsistent with that messaging could instead drive escalation and heightened cyber conflict. The U.S. government has been inconsistent in its response to foreign cyberattacks, and threat actors have benefited from the ambiguity. After the PRC’s 2015 breach of the Office of Personnel Management compromised data on 21.5 million people, for example, the Obama administration chose not to retaliate with cyber operations and instead pursued a diplomatic agreement that had little lasting effect. President Obama’s director of national intelligence remarked that “you have to kind of salute the Chinese for what they did,” reflecting a tolerance of state-backed espionage.

PRC cyber operations did subside temporarily in 2015, but that lull coincided with the planned integration of the PLA’s former General Staff 3rd Department (3PLA), responsible for intelligence and cyber reconnaissance, into the newly formed Strategic Support Force (战略支援部队). By 2017, PRC-backed cyber operations had increased again, including the Equifax breach, which stole data on approximately 145 million Americans. The Obama administration’s approach of diplomatic reconciliation stands in contrast to current congressional support for offensive cyber operations to deter state-backed cyber espionage. Rather than deciding on retaliatory measures case by case, the U.S. government should set a clearer and more consistent standard: infiltrating domestic networks warrants a proportionate response.

To strengthen deterrence, the U.S. government should set clear escalation thresholds that promise a proportional offensive response to a cyberattack. As Thomas Schelling observes in “The Strategy of Conflict,” “the power to constrain an adversary may depend on the power to bind oneself.” Relinquishing discretion over how it responds to an adversary’s transgression makes the U.S. government’s deterrent threats more credible and resolute, because once a threshold is crossed it has no choice but to follow through. Binding itself to a proportionate response in this way reduces an adversary’s incentive to launch a cyberattack in the first place.

Congressional legislation requiring the president to launch a proportional response to cyberattacks could bolster deterrence and strengthen the executive’s negotiating position. Such statutory limits could make U.S. responses more predictable and credible, providing a firm position that adversaries must factor into their decision-making. Congressional legislation could include precise thresholds for expected offensive responses to cyber operations that disrupt critical infrastructure or compromise sensitive national security data. By aligning strategy, messaging, and operational practice, the U.S. can establish a credible deterrent posture and reduce the ambiguity that threat actors exploit.

A successful deterrent threat reshapes an adversary’s behavior so that the threatened response is never needed. Deterrence therefore works only prospectively: responding to an adversary’s ongoing operations with a newly formulated threat is ad hoc retaliation, not deterrence. As the severity and scale of cyberattacks continue to rise, credible deterrent strategies can realign adversaries’ incentives, shifting the calculus in cyberspace toward defense rather than aggression. With clear and binding escalation thresholds in place, any hack-back operations that do occur serve as deliberate, measured, and strategic demonstrations of resolve. The strength of U.S. cyber strategy lies not in how often it strikes, but in how firmly its red lines hold.


Alistair Simmons is an undergraduate researcher at Duke University's Sanford School of Public Policy and an artist and journalist.