Citizen Portal

Experts tell House panel SALT Typhoon exposed deep telecom vulnerabilities; call for infrastructure redesign

2849025 · April 2, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

Witnesses at a House Oversight subcommittee hearing said the SALT Typhoon campaign exploited long‑standing design and operational weaknesses in U.S. telecommunications systems and urged Congress and federal agencies to build next‑generation infrastructure rather than rely on incremental fixes.

At a hearing of the House Oversight and Reform Committee’s Subcommittee on Military and Foreign Affairs, cybersecurity experts told members on March 27 that the SALT Typhoon espionage campaign exposed systemic weaknesses in U.S. telecommunications infrastructure and argued the nation needs a coordinated, large‑scale program to replace legacy systems.

The witnesses cited decades‑old rules and architectural choices that created the conditions for mass surveillance. “In 1994, Congress enacted something called the Communications Assistance for Law Enforcement Act or CALEA,” said Professor Matt Blaze of Georgetown Law, adding that CALEA “required virtually all switching equipment in the public telephone network must be designed with explicit backdoor capabilities to wiretap traffic.” Blaze said those requirements, combined with the virtualized, remotely‑managed nature of modern networks, expanded the attack surface and made large‑scale unauthorized surveillance more likely.

Why it matters: Committee members were told that SALT Typhoon’s operators used weaknesses in telecommunications backhaul and management systems to collect voice and message data at scale. Joshua Steinman, CEO of Galvanic, said the problem is not limited to telecoms but extends across multiple critical infrastructure sectors, including power, water and transportation, and that foreign actors are “sitting on American critical infrastructure” in ways that create the possibility of “an attack, at a time and place of their choosing.” Dr. Edward Amoroso, CEO of Tag Infosphere and a former AT&T chief information security officer, urged planning for future threats driven by artificial intelligence and said current intrusions may be “child’s play” compared with what could come.

The witnesses described how technical and policy legacies intersected. Blaze explained that when CALEA was adopted it shifted the burden for lawful intercept from law enforcement to network operators and mandated features that effectively left every relevant switch “wiretap ready,” creating potential backdoors. Over time, Blaze said, telecom equipment moved from physically secured switches to data‑center‑style systems managed remotely over the Internet, removing a human check that once limited large‑scale tampering.

Amoroso used a roadway metaphor to describe the scale of the risk: lawmakers have been patching “potholes” — individual vulnerabilities — while larger “sinkholes” enabled by automation and new attack techniques loom ahead. He and Steinman argued that identifying and fixing discrete gaps is insufficient; instead, they urged congressional support for designing and transitioning to “next‑generation infrastructure” that presumes hostile state actors will attempt to exploit built‑in lawful‑access mechanisms.

Committee members also pressed witnesses on policy responses. Several members discussed deterrence and the balance between defensive investment and more aggressive responses. Amoroso said the “best defense is a good defense,” and that deterrence can help but does not substitute for stronger technical protections. Steinman and others recommended improved information sharing, clarified liability protections to encourage cooperation between government and industry, and sustained investment in both workforce and technology.

The panel repeatedly flagged endpoint security and human factors as limitations of any encryption or infrastructure fix: Professor Blaze noted that end‑to‑end encryption can protect in‑transit data but does not protect a compromised device, and that large‑scale legal mandates that introduce “lawful access” capabilities can preload systemic vulnerabilities. The witnesses also warned about quantum and AI‑driven risks to current cryptographic assumptions and urged a coordinated national effort to anticipate those future threats.

The hearing produced no formal votes or legislation. Members said they would pursue additional oversight, information sharing improvements and potential statutory responses to strengthen U.S. defenses against state‑sponsored espionage.

The subcommittee hearing brought technical background and policy choices into sharp relief: specialists told members that SALT Typhoon exploited design decisions stretching back decades and that the country faces both an immediate remediation challenge and a longer‑term modernization task.