Senator Maria Cantwell (D-WA), Ranking Member of the Senate Commerce, Science, and Transportation Committee, has formally requested that Verizon Communications Inc. and AT&T Inc. provide concrete evidence that they have fully eradicated the cyber espionage group known as Salt Typhoon from their networks.  This follows both companies’ public assurances in late 2024 that the Salt Typhoon threat had been contained.  

Notably, the other nationwide wireless carrier, T-Mobile, headquartered in Seattle, Washington, did not receive a formal request from Senator Cantwell.  But this is likely due to the fact that in November 2024, T-Mobile stated that it was not impacted by the Salt Typhoon intrusion.

In letters sent to Verizon CEO Hans Vestberg and AT&T CEO John Stankey, Senator Cantwell expressed concern over ongoing doubts from cybersecurity experts regarding the completeness of the carriers’ remediation efforts.  She cited reports indicating that Salt Typhoon may still be active within U.S. telecommunications infrastructure, exploiting complex network vulnerabilities to maintain or regain access and questioned whether the companies have implemented the guidance issued by federal agencies, including the FBI, NSA, CISA, and FCC, relating to the Salt Typhoon incursion. Senator Cantwell emphasized that the scale and complexity of telecom networks require extensive forensic analysis of tens of thousands of endpoints to identify all potential compromises.  

Senator Cantwell requested that the companies respond to a series of inquiries with supporting documentation and information by June 26, 2025, based on the timeframe from September 1, 2024, to the present.  Specifically, the companies were asked to provide: 

1. A copy of their remediation plan in response to the Salt Typhoon attack;
2. All threat assessments related to the security risk of nation-state actors hacking their systems, which in AT&T’s case includes its FirstNet network; 
3. A list of all vulnerabilities they have identified that allowed nation-state actors to gain broad, full access to their networks, and the extent those vulnerabilities have been mitigated or remediated;
4. All documents relating to their determination that the Salt Typhoon threat, or threat of other nation-state actors, had been contained; 
5. All records related to the costs they have incurred to secure their network, including any third-party audits; and
6. All policies and best practices relating to encryption of customer data.

This formal request from Senator Cantwell highlights the increased scrutiny that telecom providers are under to demonstrate cybersecurity resilience and transparency in light of the ongoing Salt Typhoon attacks.  As the Ranking Member of Senate Commerce, she cannot compel the companies to produce these documents. However, they will likely face public and political pressure to comply, at least in part. But it remains to be seen whether documents and information submitted by Verizon and AT&T will be made available to the public.