US Telecoms Reject Regulation as Answer to Chinese Hacking

U.S. telecommunications networks are still vulnerable to foreign intrusion, national security and industry panelists told senators during a Tuesday hearing, warning that China and other adversaries are refining long-term access into American infrastructure. They disagreed over whether the telecoms sector should be forced to do anything about it.

The panel described a threat environment in which foreign nation-state hackers pair credential theft, persistent access and artificial intelligence-assisted reconnaissance to target major telecoms, identity systems and satellite networks.

A hands-off regulatory approach will not fix the problem, argued Debra Jordan, a former chief of the FCC’s public-safety bureau who helped the agency establish first-ever mandatory cybersecurity regulations for telecoms, a move that Republican commission leadership rolled back in November (see: US FCC Scraps CALEA Move, Raising Telecom Security Fears).

“Hope is not a strategy to secure our networks,” she said. “Without some sort of an accountability regime, we don’t really know what they’re doing, how effective it is, how widespread those measures will be,” she said, referring to carriers and cybersecurity risk management.

Industry representatives rejected any possibility of regulation. “Regulation is a prescriptive, bureaucratic, static approach to a problem,” asserted Robert Mayer, senior vice president of cybersecurity and innovation at industry lobbying association USTelecom.

The debate over cybersecurity regulation predates by at least a decade a wave of Chinese nation-state hacks uncovered in 2024 that were conducted by a threat actor commonly tracked as Salt Typhoon (see: Feds Identify Ninth Telecom Victim in Salt Typhoon Hack).

In 2014, the FCC initiated a “new regulatory paradigm” that “relies on industry and the market” to bolster cybersecurity, as then-Chairman Tom Wheeler described it. Despite pledges from telecoms to hew to the “paradigm” of voluntary cybersecurity cooperation with the agency and with each other, Salt Typhoon penetrated nine major U.S. carriers and more than 200 other organizations while exfiltrating sensitive communications tied to political figures.

Analysts have since warned that Salt Typhoon and earlier operations such as Volt Typhoon should be understood as strategic footholds across critical infrastructure. Jamil Jaffer, founder and executive director of the National Security Institute, told senators there is now a “significant effort afoot” among China, Russia, Iran, North Korea and allied proxy actors to expand those models. He cited recent incidents in which Chinese operators used commercial AI infrastructure to run semi-autonomous hacks against dozens of global networks, describing a shift toward faster and more scalable reconnaissance operations.

Jaffer also didn’t support regulation. “The better way is with a partnership between the public and private sector,” he said.

Daniel Gizinski, president of the satellite and space division at satellite ground system provider Comtech, detailed alarming vulnerabilities – including unencrypted satellite traffic, outdated protocols, disabled-by-default encryption in modems – but still urged Congress to prioritize voluntary information sharing and collaborative frameworks.

Telecom representatives told lawmakers that recent state-backed campaigns have already pushed carriers to begin improving patch cycles, tightening administrative access, expanding threat hunting and engaging in more frequent classified briefings with the Cybersecurity and Infrastructure Security Agency and intelligence agencies.

Sen. Deb Fischer, R-Neb., who chairs the telecommunications and media subcommittee, warned that adversaries are “stepping up their efforts to infiltrate and disrupt America’s communications networks,” pointing to the use of advanced tooling and AI to target customers and critical infrastructure.