The United States is at an encryption inflection point. The Salt Typhoon intrusions disclosed in late 2024 — in which a Chinese state-linked actor reportedly compromised the networks of multiple major US telecommunications carriers, including the very lawful-intercept systems built to comply with US wiretap law — should settle a debate Washington has been having for three decades. Mandated access mechanisms are not safe. They are attack surfaces. And as America's adversaries get more capable, the only proportionate response is to make encryption stronger, more ubiquitous, and harder to bypass.
The Going Dark debate has gone stale
For years, parts of the US law-enforcement establishment have argued that end-to-end encryption is creating a "warrant-proof" environment. The argument animates the recurring EARN IT Act (S. 1207 in the 118th Congress) and earlier bills like the Lawful Access to Encrypted Data Act. The framing is intuitive: if a court issues a warrant, the government should be able to read the message.
The trouble is that this framing imagines a backdoor that only the good guys can walk through. No such door exists. CALEA, the 1994 Communications Assistance for Law Enforcement Act, mandated that US carriers build standardized interception capabilities into their networks. Salt Typhoon reportedly exploited precisely those capabilities. According to reports in the Wall Street Journal and others, the intruders gained access to systems used to service US wiretap requests — meaning a regulatory mandate intended to help American law enforcement was instead used by a foreign adversary to surveil Americans, including officials.
This is not a hypothetical "nobody-but-us" risk. It is the realised version of the warning cryptographers have given for thirty years.
CISA's quiet pivot tells the story
The most telling response to Salt Typhoon came not from Congress but from the Cybersecurity and Infrastructure Security Agency. In its December 2024 Mobile Communications Best Practice Guidance, CISA urged Americans — and particularly senior officials — to use end-to-end encrypted messaging applications and to enable encryption-by-default protections on their devices. In other words, the federal cyber-defence agency told citizens that the safest way to communicate over US telecom infrastructure was to assume the underlying network is hostile and encrypt around it.
That is a remarkable, even revolutionary, public posture for the US government. It is also the correct one. If the lesson of Salt Typhoon is "the network is not trustworthy," then policy must follow that lesson into law.
What proportionate encryption policy looks like
A pro-innovation, pro-security US encryption policy in 2026 would do the following:
- Affirm that end-to-end encryption is lawful and protected. Codify a clear statutory presumption that providing strong encryption — including E2EE messaging, encrypted backups, and full-disk encryption — is not by itself evidence of intent to facilitate crime. The EARN IT Act's conditioning of Section 230 protections on "best practices" that could be read to require client-side scanning chills exactly the engineering choices CISA is now begging companies to make.
- Modernise CALEA, don't extend it. Any CALEA reform should narrow, not widen, mandated interception surfaces, and should require independent security review of any retained capabilities. Salt Typhoon is a warning that legacy intercept architectures are themselves a national-security liability.
- Accelerate the post-quantum transition. In August 2024 NIST released the first three finalized post-quantum encryption standards (FIPS 203, 204, and 205). Federal procurement, critical-infrastructure mandates, and CISA's secure-by-design programme should set aggressive migration timelines, especially for systems with long data-confidentiality lifetimes.
- Protect researchers and tool-builders. Cryptographic research, open-source security tooling, and vulnerability disclosure remain partially exposed under the Computer Fraud and Abuse Act and aging export-control interpretations. A modern policy would reaffirm the First-Amendment-protected status of code, simplify export rules for mass-market cryptography, and create durable safe harbours for good-faith security research.
The international stakes
The US is not making this choice in a vacuum. The UK's Online Safety Act and Investigatory Powers Act amendments continue to flirt with notice-and-takedown style obligations that pressure E2EE; the EU's Chat Control proposal has been repeatedly revived; Australia's TOLA framework remains on the books; and India's IT Rules contain traceability obligations that are difficult to reconcile with E2EE. If Washington wavers, it weakens the global democratic baseline. If Washington leads with a confident pro-encryption position, it gives like-minded governments cover to resist the worst proposals at home.
A think-tank verdict
Law enforcement's legitimate concerns about access to evidence are real and deserve serious engagement. But the answer is not to mandate weaknesses in the cryptography that protects 330 million Americans, US businesses, and the public officials whose communications were reportedly swept up by Salt Typhoon. The answer is better metadata analysis under judicial oversight, better lawful-process cooperation between platforms and police, more investment in the FBI's and HSI's digital forensics capacity, and a clear-eyed admission that some investigative trade-offs are worth making to keep the broader system secure.
America has built the most productive digital economy on earth on a foundation of strong, ubiquitous cryptography. Salt Typhoon is a reminder of what that foundation is for. The proportionate response is not to drill holes in it. It is to pour more concrete.