July 15, 2025

What It Takes to Stop the Next Salt Typhoon

This article was originally published on Just Security.

Nearly a year after U.S. agencies identified one of the most severe cyber breaches of U.S. telecommunications companies, domestic cybersecurity is weaker, not stronger. In September 2024, media reports confirmed that Salt Typhoon, a People’s Republic of China (PRC) state-backed cyber group, infiltrated nine major telecommunications providers, compromising data from thousands of users, including U.S. President Donald Trump, Vice President JD Vance, and associates of former Vice President Kamala Harris.

To date, there is no indication that the intrusion has been fully mitigated. Worse, Homeland Security Secretary Kristi Noem recently testified that the administration “still [does not] necessarily know how to stop the next Salt Typhoon.” As Washington dithers, Beijing is wasting no time probing weaknesses in U.S. critical infrastructure. The Trump administration urgently needs a comprehensive cyber defense strategy to raise the cost of intrusions by PRC-backed hackers.

To correct course, the administration must adopt an integrated defense strategy, just as the military uses integrated air and missile defenses.

The Trump administration claims it is addressing the PRC cyber threat, even as it moves to implement policies that undermine cyber defenses. In January 2025, the Trump administration dismissed all members of the Cyber Safety Review Board (CSRB) before it completed its investigation into Salt Typhoon, hindering the government’s ability to address systemic cybersecurity vulnerabilities that led to the breaches. The CSRB previously consisted of multi-agency and multi-sectoral experts and was established by a 2021 executive order to investigate major cybersecurity incidents. As of July 2025, there is no indication the Trump administration has reconstituted the members of the CSRB. While the Federal Communications Commission announced in March that its new Council on National Security will launch an investigation into PRC-backed hackers, it will not consist of multi-agency or industry experts, and is not expected to release a public after-action report. Similarly, the FBI’s April 2025 announcement of a $10 million reward for information on individuals linked to Salt Typhoon is a welcome but insufficient step to ensure both the government and public understand the factors that led to the large-scale compromises in the telecommunications sector.

Read the full article on Just Security.

Commentary

Indo-Pacific Security
Congressional Support Key for Sustaining Momentum of U.S., UK, Australia Partnership
This article was originally published on The Hill. The fiscal 2026 defense appropriations bill which will be voted on by the House this week allocates $27.2 billion for naval ...

By Lisa Curtis & Ryan Claffey
- February 2, 2026
Video

Indo-Pacific Security
India-EU Trade Deal: A New Superpower Pact | PM Modi Holds Talks With EU Leaders
Lisa Curtis, Director of the Indo-Pacific Security Program at the Center for a New American Security, joined CNN News18 to discuss the recent India-EU trade deal. Watch the f...

By Lisa Curtis
- January 27, 2026
Commentary

Indo-Pacific Security
Japan Wants Calm, China Not So Much
This article was originally published in Asian Military Review. One of the most serious China-Japan diplomatic crises in recent years unfolded in November after Chinese offici...

By Derek Grossman
- Asian Military Review
- January 26, 2026
Commentary

Technology & National Security
The Rise of the Answer Machines
This article was originally published in Financial Times. Every spring, I take red-eyes from Austin, Texas, to Oxford, England, to teach a graduate seminar on AI and philosoph...

By Brendan McCord
- Financial Times
- January 24, 2026