
Nearly a year after U.S. agencies identified one of the most severe cyber breaches of U.S. telecommunications companies, domestic cybersecurity is weaker, not stronger. In September 2024, media reports confirmed that Salt Typhoon, a People’s Republic of China (PRC) state-backed cyber group, infiltrated nine major telecommunications providers, compromising data from thousands of users, including U.S. President Donald Trump, Vice President JD Vance, and associates of former Vice President Kamala Harris.

To date, there is no indication that the intrusion has been fully mitigated. Worse, Homeland Security Secretary Kristi Noem recently testified that the administration “still [does not] necessarily know how to stop the next Salt Typhoon.” As Washington dithers, Beijing is wasting no time probing weaknesses in U.S. critical infrastructure. The Trump administration urgently needs a comprehensive cyber defense strategy to raise the cost of intrusions by PRC-backed hackers.

Undermining U.S. Cyber Defenses

The Trump administration claims it is addressing the PRC cyber threat, even as it moves to implement policies that undermine cyber defenses. In January 2025, the Trump administration dismissed all members of the Cyber Safety Review Board (CSRB) before it completed its investigation into Salt Typhoon, hindering the government’s ability to address systemic cybersecurity vulnerabilities that led to the breaches. The CSRB previously consisted of multi-agency and multi-sectoral experts and was established by a 2021 executive order to investigate major cybersecurity incidents. As of July 2025, there is no indication the Trump administration has reconstituted the members of the CSRB. While the Federal Communications Commission announced in March that its new Council on National Security will launch an investigation into PRC-backed hackers, it will not consist of multi-agency or industry experts, and is not expected to release a public after-action report. Similarly, the FBI’s April 2025 announcement of a $10 million reward for information on individuals linked to Salt Typhoon is a welcome but insufficient step to ensure both the government and public understand the factors that led to the large-scale compromises in the telecommunications sector.

These institutional setbacks are now being compounded by proposed budget cuts that would further erode the federal government’s cyber defense capabilities. On May 30, the Trump administration proposed a 17 percent reduction in the Cybersecurity and Infrastructure Security Agency’s (CISA) budget, including nearly 30 percent of the agency’s positions. The White House claims these cuts will remove duplicative efforts and reduce CISA’s role in combating mis- and disinformation, which many Republicans perceive as “off mission.” However, the budget proposes cuts that extend substantially beyond these areas, jeopardizing core cybersecurity functions of the agency at the front lines of defending against PRC threat actors in civilian critical infrastructure. The FY26 budget request, for example, proposes a $177.4 million cut to CISA’s “Cyber Operations,” including its Threat Hunting team, which provides technical support to local governments and critical infrastructure operators facing sophisticated state-backed cyber threats from China, Russia, and Iran. In 2024, the Chairman of the House Homeland Security Committee praised CISA’s Threat Hunting team for saving “millions of Americans” from a series of cyberattacks carried out by Volt Typhoon that sought to compromise critical infrastructure in the communications, energy, transportation systems, and water and wastewater systems sectors.

The proposed budget also reduces CISA’s cyber threat analytical programs that help the United States stay ahead of state-backed cyber groups as their tactics, techniques, and procedures (TTPs) evolve. This includes a $14 million cut to the Joint Cyber Defense Collaborative (JCDC), a hub for cyber threat intelligence and coordinating public-private cyber incident response. The JCDC has helped analyze and share information to identify PRC-backed hacking campaigns that impacted multiple state, local, and tribal territories. The JCDC also helps update the Known Exploited Vulnerabilities catalog, a national cyber vulnerabilities database, and contributes to cybersecurity advisories. Since 2017, CISA has published 23 alerts and advisories that dissect the TTPs of PRC-backed groups like Volt Typhoon and Salt Typhoon. This enables critical infrastructure providers to quickly identify malicious activity and patch vulnerabilities in their networks, even as the capabilities of sophisticated hacking groups change. Cuts to CISA’s threat hunting operations and cyber threat intelligence programs like JCDC will not streamline cybersecurity. Instead, they will dismantle the capabilities most essential to detecting, analyzing, and responding to the PRC’s most dangerous cyber threats.

In addition to budget cuts, several of the Trump administration’s executive orders roll back important cybersecurity measures. A June 6 executive order removed requirements for federal software vendors to submit proof that their products met secure development standards, and eliminated government mechanisms to verify those claims. Without these guardrails, the government will be more vulnerable to state-backed hackers who could exploit insecure software to steal sensitive information or sabotage critical systems at a time of their choosing.

Similarly, the administration’s March 19 executive order calling to review and revise key federal cybersecurity policies with the intent of empowering “state, local, and individual preparedness” risks harming U.S. cyber resilience. While empowering local authorities is important, this order fails to address the fundamental reasons why states and local governments struggle to implement strong cybersecurity: a lack of resources and qualified personnel. The executive order does not propose new federal grant programs or investments to close this gap. Delegating responsibility to under-resourced states without sufficient support will only deepen the disparity in cyber readiness across the country. It will also undermine comprehensive federal responses to national threats like Salt Typhoon that cross state borders.

These decisions undermine essential cyber defenses at a time when critical infrastructure is increasingly vulnerable. Many U.S. critical infrastructure providers struggle to implement basic cyber defense measures due to outdated IT systems, resource constraints, supply chain issues, and a shortage of cybersecurity professionals. Similarly, state and local governments lack the funds, technical expertise, and operational capacity to address sophisticated state-backed cyber threats on their own. The administration’s cuts to federal cyber defense capabilities risk exacerbating these problems as the PRC cyber threat grows.

Building an Integrated Cyber Defense Strategy

To correct course, the administration must adopt an integrated defense strategy, just as the military uses integrated air and missile defenses. This approach should rest on four pillars:

First, the Trump administration should support congressional efforts to set baseline cybersecurity measures across critical infrastructure sectors. The United States lacks a national law mandating minimum cybersecurity defenses for critical infrastructure, as Congress prefers to leave such regulation to the states. On a national level, there is only the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which mandates cyber incident reporting requirements, and voluntary guidelines such as the NIST Cybersecurity Framework.

This decentralized system has led to uneven cybersecurity readiness across critical infrastructure sectors. While the finance sector has stronger federal cybersecurity requirements, the only federal law addressing the water systems sector is a 2018 Act requiring providers to submit cybersecurity plans, rather than mandating specific cybersecurity measures. Unsurprisingly, a 2024 Environmental Protection Agency assessment found nearly 100 drinking water systems had critical or high-risk cybersecurity vulnerabilities. The PRC is actively exploiting these weaknesses for the purpose of future sabotage, underscored by a March 2025 breach by Volt Typhoon of the Littleton Electric Light and Water Department in Massachusetts.

Mandating basic cybersecurity practices like multi-factor authentication (MFA), prompt vulnerability patching, and network segmentation could have significantly blunted Salt Typhoon’s 2024 intrusions. MFA would have blocked PRC access to high-level management accounts, while applying software patches would have forced the PRC hackers to develop new malware. Network segmentation would have restricted lateral movement within the telecommunications systems, limiting the attack’s scope.

Second, the Trump administration can strengthen U.S. cybersecurity by improving federal coordination. Experts note the United States lacks a unified federal operational strategy to respond to cybersecurity incidents in critical infrastructure. While CISA created the JCDC to improve interagency coordination through collaboration, it lacks clear powers to direct interagency response efforts. And while Congress created the Office of the National Cyber Director (ONCD) in the White House in 2021 to improve interagency coordination for cyber incident response, it lacks the operational capacity to respond to threats. As a result, the deployment of federal cyber defense capabilities remains “split between national labs, private industry, and federal entities,” according to congressional testimony by a chief power grid scientist. To address federal coordination challenges, the Trump administration should work with Congress to bolster CISA’s incident response authorities or direct ONCD to reduce overlapping mandates among federal agencies.

Third, the Trump administration should bolster public-private partnerships to move beyond information sharing to focus on operational collaboration in response to cyber threats. While CISA’s Threat Hunt teams and JCDC have improved public-private operational collaboration and have successfully eradicated numerous PRC-backed intrusions, these efforts have not matched the unrelenting tempo of the PRC’s cyber campaigns. More can be done to scale up public-private operational planning, intelligence sharing, capacity-building training, and the deployment of federal incident response resources. The 2023 National Cybersecurity Strategy and its Implementation Plan highlighted public-private operational collaboration as a national priority, tasking ONCD with identifying policies that support it. As the Trump administration fills leadership roles at ONCD, it should ensure this objective remains a central focus.

Finally, one of the most effective steps the Trump administration can take for U.S. cyber defenses is to apply the same principles used in national air and missile defense to cyberspace: assume attackers will get through the first line of defense and focus on mitigating damage. This is the concept behind Zero-Trust Architecture (ZTA)—a cybersecurity framework that verifies every user and device trying to access sensitive information, rather than trusting them just because they are inside the network. On top of a firewall, which defends the perimeter of the network, the framework calls for encryption of traffic, network sensors, as well as data segmentation. While a Biden administration executive order required agencies to adopt ZTA by September 2024, several have not yet completed adoption. Meanwhile, the Defense Department is expected to have implemented about 60 percent of ZTA requirements by 2027. The Trump administration should accelerate efforts to adopt ZTA across the federal government.

Rather than dismantling U.S. cyber defenses, the Trump administration must pursue a robust, forward-looking strategy to counter increasingly sophisticated threats like Salt Typhoon. Failing to do so will leave the United States vulnerable, ceding strategic ground to countries like China that are actively exploiting weaknesses in critical infrastructure.
