If you don’t know what the Salt Typhoon hack was, read a brief on it here: What is Salt Typhoon and why should I care? – Paul Bergman
The perception that U.S. telecom carriers “don’t care” about the Salt Typhoon hack is understandable—but the full answer is more complex. Here are the key reasons why their response has seemed indifferent or inadequate:
???? 1. Lack of Regulation
- Telecoms are not held to the same cybersecurity standards as financial institutions or utilities.
- The FCC has historically been slow to impose mandatory controls—many best practices are voluntary.
- Without strong oversight, carriers are more likely to underinvest in security, especially in areas that don’t directly impact customers’ bills or service quality.
???? 2. Profit over protection
- Carrier executives are incentivized to cut costs, and security infrastructure is expensive and hard to monetize.
- One telecom insider put it bluntly: “No one gets promoted for preventing a breach that no one knows about.”
???? 3. Outdated infrastructure
- Much of the core telecom infrastructure (routers, edge devices, CALEA intercept systems) is decades old, unpatched, or built without modern security in mind.
- Some systems can’t be updated without full replacement, and that comes with service risks and massive costs.
- Carriers may choose to tolerate known compromises rather than risk downtime.
????️ 4. Stealth of the breach
- Salt Typhoon was exceptionally quiet. They used valid credentials, erased logs, and didn’t disrupt operations—so detection was difficult.
- Some carriers may not have known they were compromised for years—or chose not to acknowledge the full scope.
???? 5. Reputation management
- Admitting that state-sponsored actors accessed wiretap systems and call metadata is a PR disaster.
- Many telecoms have chosen to downplay the breach, hoping regulators don’t dig deeper.
- AT&T, for example, was publicly silent for months while investigators privately confirmed the scope.
???? 6. No clear consequences (yet)
- Until the FCC, DOJ, or Congress imposes financial or legal penalties, there’s little incentive to change.
- So far, the consequences have been mostly reputational and not enforced through regulation or fines.
???? In Summary:
Telecom carriers aren’t entirely indifferent—they’re operating in a system that:
- Doesn’t require strong cybersecurity,
- Doesn’t reward proactive investment,
- And doesn’t penalize major breaches unless customers or lawmakers force change.
CEO at Tracc Development, Inc.
Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He is CEO of AMRAD. He also leads a mentoring non-profit in San Diego, Lamp of Learning. He writes on cybersecurity and board management for both corporate and nonprofit boards.
Latest posts by Paul Bergman (see all)
- Would You Ignore a 1-in-3 Chance of a $250,000 Loss? – October 23, 2025
- The cybersecurity reality for SMBs – October 21, 2025
- Protecting Yourself from FinTech Fraud: Five Common Scams and How to Stay Safe – October 14, 2025