Introduction
The intrusion campaign attributed to the Chinese state-sponsored threat actor known as Salt Typhoon — which compromised the networks of at least nine major U.S. telecommunications carriers and reportedly accessed the lawful intercept systems used by U.S. law enforcement — stands as one of the most consequential cyber-espionage operations ever disclosed against American infrastructure. First publicly confirmed by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation in late 2024, and continuing to generate legal and policy debate well into 2025, the campaign has forced a reckoning with a long-standing truth in public international law: traditional legal frameworks offer surprisingly limited remedies for state-sponsored cyber espionage, even at massive scale.
This article examines the international law dimensions of the Salt Typhoon operation, analyzes why existing frameworks struggle to address it, and considers what the episode reveals about the adequacy of the current international legal order as applied to cyber conflict.
The Operation and Its Scope
Salt Typhoon, designated as a People's Republic of China (PRC)-linked advanced persistent threat (APT) group, reportedly maintained persistent access to U.S. carrier networks for potentially more than a year. The intrusion gave the actors access not only to general communications metadata but also to the systems telecommunications companies maintain under the Communications Assistance for Law Enforcement Act (CALEA) — specifically designed to facilitate court-authorized surveillance. The irony is precise: infrastructure built to enable lawful domestic surveillance became a vector for foreign intelligence collection at massive scale.
Senior U.S. officials described the breach as an "ongoing" threat as recently as early 2025, with the actors maintaining the ability to geolocate individuals and access lawful intercept data across carriers serving hundreds of millions of subscribers — a scale that makes this operation qualitatively different from ordinary diplomatic espionage.
The International Law Problem: Espionage's Legal Ambiguity
Here lies the core legal problem that makes the Salt Typhoon operation so analytically challenging: customary international law does not prohibit espionage per se. States have engaged in intelligence collection against one another since the inception of the international system, and no treaty norm has emerged to outlaw peacetime espionage as such. The Tallinn Manual 2.0, the authoritative non-binding restatement of international law applicable to cyber operations prepared by a NATO-convened group of experts, acknowledges in Rule 32 that international law neither expressly prohibits nor expressly permits cyber espionage — the matter is simply unregulated at the level of primary prohibition.
This creates an acute gap. Even assuming perfect attribution — a significant assumption — the United States would face the challenge of identifying a legal basis under which to characterize the Salt Typhoon intrusions as internationally wrongful acts. Several candidate frameworks have been advanced in legal scholarship and policy commentary, none of which is fully satisfactory.
**Sovereignty violation.** The most promising theory, developed in part by scholars such as Michael Schmitt and debated extensively in the Tallinn Manual process, is that intrusions into a state's cyber infrastructure constitute violations of its territorial sovereignty — a primary norm of international law — where the intrusion causes effects in the target state. The difficulty is that, while a bare majority of the Tallinn Manual experts concluded that sovereignty applies in cyberspace, a significant minority disagreed, and major cyber powers including the United Kingdom and the United States have not formally endorsed the view that every unauthorized intrusion into foreign government or critical infrastructure systems constitutes a per se sovereignty violation.
**Non-intervention.** The prohibition on intervention in the internal affairs of states requires, under the standard Nicaragua formulation, an element of coercion over matters within the domaine réservé of the target state. Passive intelligence collection — even at vast scale — is difficult to characterize as coercive in the legal sense required. Salt Typhoon appears to have been a collection operation, not an attempt to dictate or compel U.S. governmental policy, which means the non-intervention doctrine does not provide a clean legal hook.
**Due diligence.** Some scholars argue that states have an obligation under the due diligence principle — acknowledged in Trail Smelter and elaborated in cyber contexts — to ensure their territory is not used for cyber operations that cause serious harm to other states. If the PRC government directed or knowingly permitted Salt Typhoon actors to operate from Chinese territory or infrastructure, an argument runs that China violated a due diligence obligation. The weakness of this theory is that the due diligence norm in cyber contexts remains contested, its precise threshold of harm is undefined, and proof of direction or knowing permission is practically and evidentially difficult to establish.
Attribution, Countermeasures, and the Accountability Gap
Even setting aside the question of substantive prohibition, the attribution problem looms large. Formal legal attribution of a cyber operation to a state requires not merely technical attribution — demonstrating that the intrusion originated from a particular threat actor — but also legal attribution under Articles 4–8 of the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA). The relevant tests — whether actors were organs of the state, or were acting under state direction or control — are notoriously difficult to satisfy with publicly releasable evidence.
The United States attributed the Salt Typhoon campaign to the PRC with high confidence, and in December 2024 levied Treasury Department sanctions against a Shanghai-based company assessed to have links to the operation. But formal state-responsibility attribution remains a more demanding standard than political attribution, and the evidentiary basis is inevitably constrained by intelligence sensitivities — creating what Lawfare contributors and Tallinn Manual scholars have described as a persistent accountability gap.
If the operation were ultimately characterized as an internationally wrongful act, international law would in principle permit the United States to take countermeasures under ARSIWA Articles 49–54: non-forcible responsive actions calibrated to induce cessation of the wrongful conduct. In practice, Washington has been reluctant to invoke that framework, since doing so would require both publicly asserting the antecedent legal claim that China's conduct was wrongful and acknowledging the nature of any reciprocal cyber operations. Public reporting indicates that the FBI obtained authority to conduct a domestic remediation operation against malicious infrastructure — a notable domestic legal development — but this falls well short of a comprehensive international legal response.
Policy Implications: Toward a Norm Against Targeting Civilian Communications Infrastructure
Perhaps the most productive international law avenue lies not in retrofitting existing doctrines but in arguing for the crystallization of new customary norms or negotiating targeted treaty rules. The Salt Typhoon intrusions, by specifically targeting CALEA intercept systems and the backbone communications infrastructure that hundreds of millions of civilians depend upon, arguably cross a qualitatively different threshold than routine diplomatic intelligence collection.
Analysts and legal scholars have increasingly argued that operations targeting civilian communications infrastructure at population scale should be subject to distinct rules analogous to those protecting civilian objects under international humanitarian law — adapted, of course, to the peacetime context. The potential breadth of harm, both to privacy at scale and to the integrity of critical systems, may justify a category of prohibition that does not depend on demonstrating coercion or kinetic effect.
The CISA's post-Salt Typhoon guidance — emphasizing end-to-end encrypted communications and network hardening — reflects a defensive posture that, while operationally sound, underscores the absence of any credible legal deterrent. States are, in effect, being advised to protect themselves because the law cannot reliably do it for them.
Conclusion
Salt Typhoon is a mirror held up to the international legal order's cyber-specific shortcomings. The operation's scale, its targeting of civilian telecommunications infrastructure and law enforcement intercept systems, and the difficulty of identifying a clean legal basis for international accountability collectively illuminate how poorly the existing framework — built on sovereignty, non-intervention, and countermeasures doctrines developed in a pre-cyber era — maps onto sophisticated state-sponsored espionage campaigns. The episode argues powerfully for renewed multilateral engagement on norms prohibiting the targeting of critical civilian communications infrastructure in peacetime, even absent the kinetic harm thresholds that trigger more robust legal protections under the law of armed conflict. Whether states with competing intelligence interests can reach such agreement remains, of course, the defining political obstacle.
Sources
- *Salt Typhoon and U.S. Telecommunications: What We Know* — https://www.lawfaremedia.org/article/salt-typhoon-and-u-s-telecommunications-what-we-know
- *Cyber Espionage and International Law* — https://www.lawfaremedia.org/article/cyber-espionage-and-international-law
- *The Tallinn Manual on the International Law Applicable to Cyber Warfare* (Schmitt, ed.) — https://scholar.google.com/scholar?q=Tallinn+Manual+cyber+warfare+international+law+Schmitt
- *State Responsibility for Cyber Operations: International Law Issues* — https://scholar.google.com/scholar?q=state+responsibility+cyber+operations+international+law
- *CISA Advisory: People's Republic of China Compromises U.S. Telecommunications Infrastructure* — https://www.lawfaremedia.org/article/cisa-fbi-advisory-prc-telecom-compromise
Cite as
JLCW Research Desk, Salt Typhoon and the Law of Cyber Espionage: Sovereignty, Attribution, and the Limits of International Law, J.L. & Cyber Warfare (2026), https://www.jlcw.org/articles/salt-typhoon-cyber-espionage-sovereignty-attribution-international-law.