The Salt Typhoon Breach: A Failure of Enforcement and a Call for Unified Cybersecurity Leadership
How Fragmented Oversight and Regulatory Inertia Led to One of the Most Significant Telecom Breaches in U.S. History
The Salt Typhoon breach, also known as the Telco breach, has sent Congress, the Senate, CISA, and the FBI scrambling. This cyberattack compromised sensitive telecommunications systems, including the federal wiretap system, communications of President-elect Trump and his staffers, and other high-ranking officials. It serves as a stark example of the consequences of regulatory inertia.
Despite a plethora of cybersecurity laws already in place, the lack of enforcement, coordination, and timely updates left critical systems vulnerable to exploitation. Companies operated without sufficient oversight and accountability. As a cybersecurity practitioner, I believe the U.S. urgently needs a comprehensive, centralized approach to cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) should take the lead in safeguarding critical infrastructure, including the telecommunications sector—a mandate that the Federal Communications Commission (FCC) has struggled to enforce effectively.
Fragmented Cybersecurity Oversight
Currently, cybersecurity responsibilities are fragmented across various federal agencies, many of which lack the expertise to address modern cyber threats. For example, the Transportation Security Administration (TSA) oversees pipeline and train security, while the Department of Energy manages cybersecurity for energy infrastructure. This scattered approach dilutes accountability and effectiveness.
Cybersecurity Laws: Intentions vs. Reality
Communications Assistance for Law Enforcement Act (CALEA, 1994)
CALEA aimed to modernize law enforcement’s access to communications systems by requiring telecommunications providers to build lawful surveillance capabilities into their networks. However, this focus on surveillance introduced unintended security gaps, as the law did not prioritize defending these systems against external cyber threats. The FCC’s oversight of CALEA compliance has historically lacked mechanisms to enforce broader cybersecurity measures, leaving telcos vulnerable to sophisticated attacks.