Cybersecurity experts told lawmakers on Wednesday that the recent Salt Typhoon hacks should serve as a “wake-up call,” while urging them to focus on bigger, looming cybersecurity threats such as AI and quantum.
Salt Typhoon – a threat actor affiliated with the People’s Republic of China (PRC) – is one of the most significant U.S. breaches to date. The China-linked hacking group compromised networks at multiple telecommunications companies to target President Donald Trump, Vice President JD Vance, and associates of former Vice President Kamala Harris.
Cybersecurity experts testified before the House Oversight and Government Reform Subcommittee on Military and Foreign Affairs on Wednesday to say that Salt Typhoon must serve as a turning point for the United States.
They urged the Federal government to pivot to a “bold” national investment in AI-driven cybersecurity, noting that AI and quantum computers could change cybersecurity as we know it.
“We need to be thinking about the next problem,” said Edward Amaroso, a research professor at New York University (NYU) and the CEO of TAG Infosphere, Inc. Notably, Amaroso also spent 31 years at AT&T, most recently as senior vice president and chief security officer.
“A metaphor comes to mind that I often think about when asked about this topic. It’s as if we were driving on a road hitting a bunch of potholes, and then you ask us to come and talk about the potholes. We don’t want to ignore the potholes, but it’s scarier when there’s gigantic sinkholes ahead of us,” Amaroso said, adding, “And those sinkholes will come from an adversary that increasingly is using AI.”
During the hearing, Democrats on the subcommittee frequently brought up the recent Signal group chat controversy in which top Trump administration officials discussed military strikes on the messaging app and added a journalist to the group chat.
Republicans downplayed the Signal controversy, with Subcommittee Chairman William Timmons, R-S.C., saying that the Cybersecurity and Infrastructure Security Agency has “encouraged” the use of Signal for its end-to-end encryption.
Nevertheless, when asked by Rep. Michael Cloud, R-Texas, if the Signal messages would be susceptible to exposure by the Salt Typhoon hack, Amaroso offered a grave warning.
“It’s using a type of cryptography called public key cryptography … it turns out that’s actually something that is susceptible to quantum computers, and it’s entirely possible that the PRC could have a bunch of those in the basement,” Amaroso said. “So, I could imagine that even Signal is vulnerable to nation state surveillance in real-time.”
“What we’ve learned is, in our own intelligence community, we’ve always been 10 to 15 years ahead of where we all think cryptography is. So, chances are – it’s kind of scary – Russia, China, and so on, are probably a lot further along than we think they are in crypto,” he said.
Amaroso explained that China is a better threat actor at this point than a lot of the cybersecurity community expected, adding that Salt Typhoon should be a “wake-up call.”
“Whether it would be good enough to break Signal, whether Salt Typhoon connects, you know, we can sit and debate that, but I think if you push the puck forward on the ice a little bit, it gets pretty scary where things [are going],” he warned. “Even Signal … even things you might depend on now are probably not going to be things we can depend on soon. So, all of us need to think through how we fix that.”
Matt Blaze, a professor of law at Georgetown Law and professor of computer science at Georgetown University, explained that the attack surface is larger than ever before. He also warned that “we don’t know if any of this encryption is perfect.”
“What effective end-to-end encryption does is essentially removes attacks against the infrastructure – such as we saw in the Salt Typhoon attacks that have been made public so far – from the equation,” Blaze said. “Essentially, Signal’s encryption, we don’t know that it’s perfect.”
Blaze said that the offensive side has an advantage because computer systems, personal devices, and servers are all vulnerable to cyberattacks – “some of which have not yet been discovered and some of which have not yet even come into existence.” Therefore, he said having an active defense to identify and fix these vulnerabilities is “essential.”
“To put it bluntly, something like Salt Typhoon was inevitable and will likely happen again unless significant changes are made to our infrastructure and our approach to protecting it,” Blaze said.