Eighteen months after the Salt Typhoon intrusions exposed deep vulnerabilities in America's communications infrastructure, the United States remains caught between two contradictory impulses on encryption policy. On one hand, Congress continues to entertain proposals that would weaken end-to-end encryption in the name of child safety or law enforcement access. On the other, the same federal agencies tasked with national security are now affirmatively recommending that ordinary Americans use encrypted messaging applications.
This contradiction is no longer sustainable. The case for treating strong encryption as critical national infrastructure — not a regulatory inconvenience — has become overwhelming.
What Salt Typhoon Taught Us
When the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency, and counterparts in Australia, Canada, and New Zealand issued joint guidance in December 2024 urging the use of end-to-end encrypted communications, it marked a watershed moment. The guidance came in the wake of revelations that PRC-affiliated actors known as Salt Typhoon had compromised at least nine major US telecommunications providers, exploiting infrastructure that had been built, in part, to comply with the Communications Assistance for Law Enforcement Act (CALEA).
The lesson was unambiguous: lawful-access architectures designed to enable government surveillance can — and will — be exploited by adversaries. Then-Deputy National Security Advisor Anne Neuberger publicly described the breach as among the most significant cyber-espionage campaigns in US history. The 'back door for the good guys' turned out to be a front door for Beijing.
Legislative Pressure Hasn't Caught Up
Despite this context, Congress has continued to advance proposals that pull in the opposite direction. The EARN IT Act, reintroduced repeatedly since 2020, would expose providers of encrypted services to a patchwork of state-level liability, creating powerful incentives to scan or weaken communications. The STOP CSAM Act similarly threatens the legal foundation of end-to-end encrypted services. The Lawful Access to Encrypted Data Act, while dormant, set a template that periodically resurfaces.
These proposals share a flawed premise: that encryption can be selectively bypassed without systemic harm. The cryptographic consensus, articulated in the landmark 2015 'Keys Under Doormats' report by Abelson, Anderson, Bellovin, Blaze, Diffie, Rivest, Schneier, and others, is that exceptional-access mechanisms cannot be engineered without introducing exploitable weaknesses. A decade later, no peer-reviewed proposal has overturned that finding.
The International Cautionary Tale
In February 2025, Apple withdrew its Advanced Data Protection (ADP) feature for users in the United Kingdom rather than comply with a Technical Capability Notice issued under the UK's Investigatory Powers Act. The decision left UK iCloud users with weaker default protections than their counterparts in the US, EU, and elsewhere — a striking demonstration of how anti-encryption mandates produce worse security outcomes for the very citizens they purport to protect.
The European Union's so-called 'Chat Control' regulation has faced similar resistance, repeatedly stalling in the Council amid pushback from member states including Germany, the Netherlands, and Poland. The pattern is clear: where lawmakers have attempted to mandate client-side scanning or backdoors, technologists, civil society, and increasingly even security agencies have pushed back.
The Quantum Horizon
While the policy debate has focused on access, the cryptographic ground itself is shifting. In August 2024, the National Institute of Standards and Technology finalized three post-quantum cryptography standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) — the foundation for protecting communications against future quantum-capable adversaries. The migration to quantum-resistant encryption is itself a generation-defining infrastructure project, requiring stable legal foundations and clear federal guidance.
Mandating backdoors today, while simultaneously asking the private sector to undertake one of the most complex cryptographic transitions in computing history, sends incoherent signals to industry.
A Pro-Innovation Path Forward
A proportionate, evidence-based US encryption policy would rest on four pillars:
- Codify the federal position. Congress should affirm in statute that providers cannot be compelled to weaken end-to-end encryption or build exceptional-access mechanisms — aligning law with the operational guidance already issued by CISA and the FBI.
- Invest in lawful-access alternatives. Targeted, court-supervised techniques — lawful hacking under proper oversight, metadata analysis, and traditional investigative methods — have repeatedly proven effective without compromising the security of billions.
- Accelerate the post-quantum transition. Federal procurement and grant programs should reward early adoption of NIST-standardized PQC algorithms, particularly in critical infrastructure sectors.
- Reject scope creep in child-safety legislation. Provider liability frameworks should be narrowly drawn to address known harms without functioning as a de facto encryption ban.
The Stakes
Encryption is not a niche concern of cryptographers and civil liberties advocates. It is the substrate on which trillions of dollars of digital commerce, the privacy of journalists and dissidents, and the resilience of national infrastructure depend. The bipartisan instinct to 'do something' about online harms is understandable, but the something proposed must not be the very thing — weakened encryption — that has already cost the United States dearly.
The Salt Typhoon intrusions should mark the end of the 'going dark' framing in American policy debate. The lights are not going out; they are going strong. The task of regulators is to keep them that way — and to recognize that, in the encryption arena, the most pro-security position is also the most pro-innovation one.
Strong encryption is not a loophole to be closed. It is the load-bearing wall of the modern digital economy.