Washington's Cybersecurity Storm of Complacency

If the government truly wants to protect the US's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

November 14, 2024


COMMENTARY

The recent revelations about the Salt Typhoon cyber-espionage group breaching major US telecommunications companies, including Verizon, AT&T, and Lumen Technologies, lay bare a systemic vulnerability in America's approach to cybersecurity. This incident is not just an isolated attack; it's an indictment of the US government's inadequate response to the increasing cyber threats posed by state-backed entities like China. Despite years of warnings and multiple high-profile breaches, the government's cybersecurity posture remains reactionary, fragmented, and underwhelming.  

The Critical Failures in US Cybersecurity Strategy

Salt Typhoon's targeting of systems used for government intelligence collection, including those integral to surveillance and wiretapping capabilities, is a brazen assault on America's most sensitive digital infrastructure. It exposes a critical flaw: the lack of robust, proactive measures to secure such vital systems. How did a foreign state-backed group infiltrate and potentially remain undetected in these systems for months? The answer lies in insufficient federal oversight, underinvestment in cutting-edge defenses, and an overreliance on private companies to self-police. 

US telecom giants have historically enjoyed light regulatory oversight, often lobbying for fewer obligations and responsibilities. The government, in turn, has adopted a laissez-faire approach, trusting these corporations to manage their cybersecurity. This model is fundamentally flawed. When private entities prioritize profits over robust security measures, it opens the door for adversaries like Salt Typhoon to exploit weak points. The compromised systems at Verizon, AT&T, and Lumen Technologies illustrate the risks of letting corporations with such immense national security implications operate without stringent and enforceable cybersecurity standards. 

Lawmakers' Outrage: Too Little, Too Late

In the wake of the Salt Typhoon breach, US lawmakers have begun demanding answers from the affected companies, calling for greater accountability and urging federal regulators to impose stricter standards. While this post-breach outrage may seem like a strong response, it's another chapter in the reactive cycle that defines American cybersecurity policy. Rather than addressing systemic vulnerabilities before they are exploited, federal agencies and lawmakers are again playing catch-up. 

The reality is that sophisticated state-backed actors like Salt Typhoon have likely been probing and compromising critical US infrastructure for years, undetected and unchallenged. The question is not just why this breach happened but why the US government consistently finds itself responding after the fact. The issue goes beyond the individual companies breached — this pattern reflects a more significant failure in Washington to develop a proactive, cohesive, well-resourced cybersecurity strategy.

The Illusion of Federal Oversight

Federal authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), are reportedly investigating the extent of these breaches. However, these investigations often lack the teeth and reach necessary to effect real change. Despite the resources and expertise within agencies like CISA, they are limited in their power to enforce compliance or impose significant penalties on corporations that fail to meet cybersecurity benchmarks. This hands-off approach only emboldens adversaries who know that American companies are not adequately protected and that the government's response mechanisms are limited. 

Further, the fragmented nature of federal oversight complicates a comprehensive defense strategy. With multiple agencies sharing responsibility — yet lacking a unified and coordinated approach — gaps in response capabilities are inevitable. The breaches at Verizon, AT&T, and Lumen Technologies should serve as a wake-up call: The current oversight model is failing to keep pace with the sophistication of state-backed cyber threats. 

The Need for a Paradigm Shift

To address these vulnerabilities, the US must abandon its outdated and ineffective approach to cybersecurity regulation. Here are key steps the government should take:

  • Mandatory federal standards and penalties: Telecom companies are critical to national security. They must be held to federal standards that are not just recommendations but legal obligations, with meaningful penalties for non-compliance. The government cannot leave the protection of such vital infrastructure to the discretion of profit-driven entities. 

  • A unified cyber defense agency: The United States must streamline its response by creating a centralized agency with the power and authority to coordinate and enforce cybersecurity measures across the public and private sectors. The current patchwork of agencies is insufficient in an era where cyber threats know no borders or jurisdictions. 

  • Investment in advanced detection and response capabilities: The government must invest heavily in advanced technologies that provide real-time monitoring and automated response capabilities. Relying on companies to detect and report breaches months after they occur is unacceptable when adversaries can inflict catastrophic damage in seconds. 

  • Active cyber deterrence: The US must adopt a more aggressive cyber-deterrence strategy. The current approach of merely investigating breaches after the fact does not dissuade adversaries. It's time for the government to develop and deploy offensive cyber capabilities that signal a clear and present cost for any attempt to infiltrate US systems. 

The Cost of Complacency

The Salt Typhoon breach is just the latest chapter in a series of cyber-espionage incidents that have exposed the inadequacies of the US cybersecurity framework. If this pattern of complacency and reactionary policy continues, it won't be long before another attack not only compromises intelligence-gathering capabilities but potentially cripples critical infrastructure. The stakes are too high for lawmakers and federal agencies to continue operating with the same amount of inertia and neglect.

If Washington truly wants to protect the nation's most vital assets, it must rethink its cybersecurity policies and prioritize proactive, coordinated, and enforceable measures. Otherwise, the US will continue to react to — rather than prevent — attacks that undermine its national security and global standing. 


About the Author

Jeffrey Wells

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations worldwide design and operationalize cyber-resiliency strategies, programs, and incident response, and institute business continuity.

As a founding partner of NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices across the full spectrum of IT/OT and infrastructure ecosystems.
