The U.S. government is still assessing the fallout from the Salt Typhoon hacks, and the White House has identified a significant factor behind the breach: inadequate cybersecurity measures across telecom companies’ IT infrastructure.
On Friday, Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technology, emphasized the need for improvement in this sector, citing shared guides and threat-hunting instructions as a step forward in hardening these systems. These efforts recently uncovered a new victim, bringing the total number of affected companies to nine.
During a previous briefing, Neuberger noted that while the impacted telecom providers are actively working to remove the hackers, vulnerabilities in their networks leave the door open for future breaches. On Friday, she elaborated on some of the security lapses that facilitated the attack. In one case, attackers—believed to be state-affiliated actors from China—gained access to an administrator account linked to over 100,000 routers. They also deleted logs of their activities, leaving insufficient data to assess the breach’s scope fully.
“The reality is that the current level of cybersecurity in the telecom sector falls short of what’s needed to defend against a well-funded and capable adversary like China,” Neuberger said. She further highlighted that while fewer than 100 individuals were directly impacted, the attackers focused on those in the Washington, D.C. area. Their intent appeared to be identifying targets for follow-up espionage and intelligence gathering, potentially involving high-profile individuals.
In response, the White House has outlined four key areas for telecom companies to strengthen: configuration management, vulnerability management, network segmentation, and sector-wide information sharing. Neuberger also voiced support for proposed Federal Communications Commission (FCC) regulations aimed at bolstering telecom cybersecurity, following models from countries like Australia and the U.K.
“When I spoke with colleagues in the U.K., they shared that their regulations might not have prevented the attack but would have allowed for quicker detection and containment,” Neuberger said. “That’s a powerful lesson in the importance of robust cybersecurity standards.”
