Defence, not more assertive cyber activity, is the right response to Salt Typhoon
The ongoing Salt Typhoon cyberattack, affecting some of the United States’ largest telecoms companies, has galvanised a trend toward more assertive US engagement in the cyber domain.
This is the wrong lesson to take.
Instead, the US should prioritise investments in cyber defence and reconsider its commitment to persistent engagement, a strategic move away from earlier US approaches based on restraint and deterrence. The attack underscores the risks of an increasingly permissive cyber environment: one in which large-scale cyber operations are normalised, restraint is eroded and investments in cyber defence are insufficient.
In November 2024, reports began spreading that the Salt Typhoon group had penetrated several major US telecommunications networks. These operations compromised sensitive data, including call metadata of US citizens and communications vital to national security agencies. The US government says the Chinese government is behind the attack.
What makes the breach so concerning is that it exploited long-standing vulnerabilities in obsolete and unpatched network infrastructure. Telecommunications companies, including Verizon, AT&T and T-Mobile, failed to secure network devices, with some systems still operating without multi-factor authentication. Active for more than a year before its detection, the breach highlights the need for additional investment in cyber defence, while also demonstrating the potential consequences of underestimating evolving digital espionage.
While public analyses of the incident are correct in pointing out its significance, they risk missing broader context. The attack is part of a pattern of cyber operations between the US and China.
The US has adopted a cyber persistence strategy, increasing the scale and frequency of operations against adversaries. National Security Agency and Cyber Command activities have expanded, with the US aiming to demonstrate its ability to persistently counter Chinese cyber campaigns while continuing its own efforts to compromise similar systems in China and other countries. The theory underlying this approach is that over time, US adversaries will learn norms of appropriate behaviour in the cyber domain as a result of the US imposing costs through its extensive cyber capabilities. This approach, however, can have unintended risks.
Specifically, it may help to create a permissive environment, where large-scale cyber intrusions are not only expected, but accepted as part of international competition. As the US intensifies its cyber responses, the boundaries of acceptable state behaviour in cyberspace erode, making it harder to establish norms that could minimise future conflicts. China and other countries could view these persistent operations as a justification for their own cyber campaigns, entrenching norms that explicitly authorise large-scale cyber operations.
This does not mean that greater US restraint would fundamentally change China’s or other adversaries’ cyber behaviour, at least in the short term. It is unlikely that most active states in the cyber domain could be quickly induced to curtail operations.
Rather, the continued expansion of US offensive cyber operations, whether in response to the Salt Typhoon attack or more generally, will probably teach lessons opposite to those the policy's proponents intend.
Cyber operations are unlikely to lead to military escalation. But it does not follow that increased offensive cyber operations will lead to the diffusion of norms of restraint. Rather than sparking tit-for-tat escalation dynamics, the danger is that adversaries and third-party states may conclude that these sorts of attacks are fair on the international stage. This would make the cyber domain a more dangerous place even without escalation to full military conflict. Even if this particular horse is already halfway out of the barn, states should resist the urge to chase it over the horizon.
As the cyber domain becomes increasingly permissive, states are continuing to underinvest in cyber defence. This leaves critical infrastructure vulnerable to prolonged breaches like Salt Typhoon and heightens the probability of such breaches occurring. Despite the US having one of the most advanced cybersecurity systems in the world, the attack remained undetected for more than a year. This prolonged time to detection underscores a failure: a reactive, rather than preventative, approach to cybersecurity.
The US and its allies should prioritise cyber defence. This would certainly involve technical research and development, which should be supported by increased public research spending. But it would also go beyond that. To respond to the Salt Typhoon attack, the US should develop legal and policy frameworks to channel public and private investment toward cyber defence.
Stricter regulations and cybersecurity standards for telecom providers are also essential, as voluntary measures are failing to counter persistent threats. Revisiting broad liability shields for software firms, at least in some critical infrastructure sectors, could help to ensure better overall levels of security by providing incentives to bring more secure software to market and maintain its security over time. Additionally, states should continue enhancing global cooperation on cyber threat intelligence-sharing and collective defence initiatives.
The Salt Typhoon attack reminds us of vulnerabilities inherent in global telecommunications and cybersecurity frameworks. As state-sponsored cyber activities increase, states should resist the urge to respond by normalising and legitimising large-scale cyber operations. They should instead prioritise defence mechanisms, resilience and the establishment of norms that discourage offensive operations.