Senator says CEOs must come before the Committee

WASHINGTON, D.C. – U.S. Senator Maria Cantwell (D-Wash.), Ranking Member of the Committee on Commerce, Science and Transportation called on Committee Chairman Ted Cruz (R-Texas) to hold a hearing with AT&T CEO John Stankey and Verizon CEO Dan Schulman to demand answers about the current security of their telecommunications networks after they refused to be transparent about their responses to the Salt Typhoon cyberattack.

“For months, I have sought specific documentation from AT&T and Verizon that would purportedly corroborate their claims that their networks are now secure from this attack,” wrote Sen. Cantwell. “Unfortunately, both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk. Since then, expert witnesses warned this Committee about the ongoing security risks posed by Salt Typhoon,  while reports indicate that Salt Typhoon hackers are likely still inside U.S. telecommunications networks and may have even breached email accounts used by congressional staff.”

Sen. Cantwell cited a number of recent developments underscoring the ongoing risks posed by the Salt Typhoon attack, including recent testimony from an expert witness who warned that telecommunications providers like AT&T and Verizon were not doing enough to protect Americans’ security. Experts believe the Salt Typhoon attack has not been fully remediated from telecommunications networks, and there is increasing evidence that companies like AT&T and Verizon are not taking the actions necessary to protect their 265 million customers.   

“[I]n December the former Chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau testified before the Telecommunications Subcommittee, ‘I’m not convinced that providers will take sufficient and sustained actions in the wake of Volt and Salt Typhoon without a strong verification regime’ and further stated: ‘if the providers are not doing basic hygiene across their networks consistently, then yes, they should be held accountable,’” continued Sen. Cantwell.

Sen. Cantwell previously wrote to both AT&T and Verizon requesting key documents that would provide crucial information on companies’ efforts to recover from the hack and to prevent a similar breach from happening again. However, neither company has provided key security assessments that they both acknowledge exist, impeding Congress’s ability to fully evaluate the status of their responses and their claims that their networks are now secure. Sen. Cantwell also wrote to Mandiant, the company hired by both AT&T and Verizon to conduct comprehensive network security assessments after the hack. Mandiant also failed to provide the requested documents, apparently at the direction of AT&T and Verizon.

“If AT&T and Verizon are not going to provide Congress key documentation voluntarily, then I believe this Committee must promptly convene a hearing with their CEOs so they can explain why Americans should have confidence in the security of their networks amid mounting evidence that the Salt Typhoon hackers remain active and undeterred,” concluded Sen. Cantwell. “The American public deserves transparency and certainty that our nation’s major telecommunications networks are not currently exposed to unacceptable risks. This oversight hearing would be an opportunity to provide precisely that.”

In November, Sen. Cantwell wrote to Federal Communications Commission (FCC) Chairman Brendan Carr strongly opposing an effort by the FCC’s Republican majority to roll back rules put in place after the Salt Typhoon hack to better protect U.S. data networks from future attacks. Two days later, the FCC voted along party lines to rescind the rules, leaving the nation’s telecommunications networks more at risk.

The full text of the letter to Chairman Cruz is available HERE and below. 

February 3, 2026

Mr. Chairman:

I am requesting the Senate Committee on Commerce, Science, and Transportation hold an oversight hearing with the CEOs of AT&T and Verizon to examine the security of their telecommunications networks following the deep penetration by Chinese state-sponsored hackers “Salt Typhoon”—widely regarded as one of the worst cyberattacks in our nation’s history.  For months, I have sought specific documentation from AT&T and Verizon that would purportedly corroborate their claims that their networks are now secure from this attack.  Unfortunately, both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk. Since then, expert witnesses warned this Committee about the ongoing security risks posed by Salt Typhoon,  while reports indicate that Salt Typhoon hackers are likely still inside U.S. telecommunications networks and may have even breached email accounts used by congressional staff.  Given these mounting concerns, I believe we must hear directly from the CEOs of AT&T and Verizon so Americans have clarity and confidence about the security of their communications.

In the past several months, we learned that the scope of the Salt Typhoon attack was greater than previously believed. According to the Federal Bureau of Investigations (FBI), the Salt Typhoon hackers targeted more than 200 U.S. organizations and 80 countries —allowing Chinese intelligence officers to potentially surveil Americans’ private communications abroad and use their cellphone geolocation data to track their movements across the globe.  In August 2025, the FBI’s top cyber official, Assistant Director Brett Leatherman, called Salt Typhoon “one of the more consequential cyber espionage breaches we have seen here in the United States.”  The FBI and other federal agencies have urged Americans to use only encrypted messaging applications due to vulnerabilities from Salt Typhoon.  In September 2025, a Joint Cybersecurity Advisory issued by a collection of U.S. and international intelligence and cybersecurity agencies warned that Chinese state-sponsored cyber threat actors, including Salt Typhoon, target “large backbone routers of major telecommunications providers” like AT&T and Verizon and then “modify routers to maintain persistent, long-term access to networks.” 

The agencies detailed guidance on how to mitigate the risk from Advanced Persistent Threat actors like Salt Typhoon and urged potential targets like telecommunications providers to “hunt for malicious activity and to apply the mitigations” called for in the Advisory.  However, reports indicate the telecommunications providers have taken few protective actions thus far due to the costs involved in securing their networks while experts have expressed skepticism that industry is taking the necessary mitigation steps.  For example, in December the former Chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau testified before the Telecommunications Subcommittee, “I’m not convinced that providers will take sufficient and sustained actions in the wake of Volt and Salt Typhoon without a strong verification regime” and further stated: “if the providers are not doing basic hygiene across their networks consistently, then yes, they should be held accountable.”  I agree.

That is why I sent letters to AT&T CEO John Stankey and then-Verizon CEO Hans Vestberg requesting documents and information that would shed light on the actions they took to secure their networks following the Salt Typhoon attack and help Congress evaluate the current security risks posed to the 265 million Americans who use their services.  In response, both companies confirmed the existence of security assessments conducted by Mandiant, a digital forensics and incident response provider, that would presumably document the vulnerabilities identified and detail what corrective actions the telecommunications providers need to take to protect Americans’ privacy and security.  However, both AT&T and Verizon have refused to make these key reports available without any compelling reason to keep them hidden from Congress. 

As a result, I wrote to Mandiant requesting copies of these reports and other relevant documentation. But AT&T and Verizon apparently intervened to block Mandiant from cooperating with my requests.  I believe this course of engagement raises serious questions about AT&T’s and Verizon’s current security posture, as they are either unwilling or unable to provide specific documentation that would show their networks are secure.

If AT&T and Verizon are not going to provide Congress key documentation voluntarily, then I believe this Committee must promptly convene a hearing with their CEOs so they can explain why Americans should have confidence in the security of their networks amid mounting evidence that the Salt Typhoon hackers remain active and undeterred. The American public deserves transparency and certainty that our nation’s major telecommunications networks are not currently exposed to unacceptable risks. This oversight hearing would be an opportunity to provide precisely that.

Sincerely,

###