A nation-state has pulled off an extraordinary heist of sensitive U.S. information. Senior officials’ communications have been compromised, as have those of other Americans. The sophistication of the intrusion is unparalleled, lying undetected until some of the smartest minds in the public and private sectors worked together. While the malicious code is being used to steal data, there’s also fear it could be leveraged for disruptive or destructive attacks.
How would we want government to respond to such an incident? We would expect an intense flurry of activity. Cyber defenders link arms to understand what has happened—and to root out the bad actors. The Administration sends Congress a $10 billion supplemental funding request to upgrade cybersecurity capabilities and modernize outdated systems, and Congress exercises its oversight responsibility. Two Committees begin investigations within days of the compromise going public. Within two months, senior executives are called up to testify before the House and Senate. Within three, accountable government officials are summoned to hearings as well.
If this seems incongruous with the government’s response to Salt Typhoon, it should. With the exception of an abortive attempt to have the Cyber Safety Review Board look into the incident (while it was still ongoing), the Administration has not led a concerted effort to understand what happened and how to prevent similar incidents in the future. Congress has failed to conduct effective oversight, having brought neither government witnesses nor telecommunication executives to the Hill to understand what actually happened. The few Salt Typhoon-related committee activities that have occurred have been populated by outside witnesses who, while doing their best, have been unable to answer Member questions about what happened, because they’re not from entities on the front lines trying to evict PRC spies from the networks.
Do things have to be this way? Certainly not. It was only four years ago when the Administration and Congress took on the SolarWinds hack with admirable alacrity. The scenario outlined above is exactly what happened in the aftermath of SolarWinds. The Administration’s response culminated with the far-reaching Executive Order 14028, which turns four next week. And Congress used what it learned from its oversight to appropriate more money for cyber defense and create a new incident reporting requirement for critical infrastructure.
In the limited oversight activity to date, Members of Congress have been admonished not to “blame the victim.” They’ve been assured that the U.S. government bears significant responsibility for the wholesale compromise of our privately owned telecommunications infrastructure.
It’s certainly true that responsibility will not lie with any one entity. And blaming companies—or government agencies—does not help us find solutions to improve our cybersecurity posture. In fact, responsibility will break along three lines:
- Government, for failing to connect the dots soon enough to alert defenders and to better forewarn them of the scope of the compromise.
- Industry, for designing networks that were not appropriately segmented, such that they could be compromised at scale, and for not being able to swiftly evict the adversaries once they were found.
- Both government, for requiring telcos to maintain legacy systems that are inherently difficult to defend, and companies, for acceding to this state of affairs rather than raising the alarm.
This is, obviously, an incomplete list. But the point of a Congressional investigation is precisely to better understand what went wrong and then adjust policy to ensure it never happens again. We are already watching a golden opportunity to modernize systems slip away, as proceeds from a spectrum auction are used to offset spending through the tax code rather than being used to recapitalize the vital networks that power our economy.
It’s not too late to conduct meaningful oversight focused not on laying blame, but on developing new strategies to counter one of the greatest intelligence operations ever conducted against the United States. While Congress has left some opportunities on the table, if committees work together, as they did during SolarWinds, and call witnesses from the telcos, the cybersecurity community, and the Federal government, the legislative branch can lead the development of new policy to strengthen our cybersecurity posture. Because it’s not a question of if the PRC will be back. It’s when.