Congress Must Strengthen Cyber Oversight to Counter China’s Aggressive Intrusions
In January 2026, reports emerged detailing a significant cyber espionage campaign by the People’s Republic of China (PRC), known as Salt Typhoon, which compromised the email systems of House of Representatives staffers. This breach affected committees responsible for monitoring and countering China’s influence, including the China, Foreign Affairs, Intelligence, and Armed Services committees. The incident underscores an urgent need for enhanced congressional leadership in cyber policy to address the growing threats posed by foreign adversaries.
Congress’s Responsibility in Cybersecurity
Congress holds a constitutional obligation to ensure that the nation’s cyber laws and budgets are adequate to support robust cyber defenses. This responsibility extends to transparency regarding its own cybersecurity challenges. The anticipated cybersecurity strategy from the executive branch emphasizes the necessity for stronger congressional oversight, particularly in countering China’s persistent intrusions into U.S. infrastructure.
Federal agencies are mandated by law to report major cyber incidents to Congress within seven days of identification. Similarly, private businesses face incident disclosure requirements, including data breach notifications and critical infrastructure incident reporting. Congress must establish a formal incident reporting and disclosure policy that includes public transparency, while safeguarding national security interests.
Evaluating IT Infrastructure
In light of the recent breach, Congress should critically assess its own IT infrastructure. Although details on how the PRC accessed congressional emails remain limited, prior experiences with cyber incidents suggest that security vulnerabilities in IT products, such as Microsoft 365, may have contributed to the breach. If this is the case, Congress should engage with vendors to address these security shortcomings and demand improved service. A credible threat to switch vendors may be necessary if current providers fail to meet security standards.
The Challenge of Vendor Lock-In
The year 2025 highlighted significant security issues for legacy federal IT contractors. For instance, Microsoft was found to be utilizing engineers based in China, subject to laws compelling them to assist in PRC surveillance, to support the Defense Department’s networks. Although this program was terminated, it raised concerns about the extent of vendor lock-in within federal agencies.
To enhance cybersecurity, Congress must evaluate the degree to which it is locked into existing vendor relationships. High switching costs can deter competition and diminish the incentive for vendors to improve security measures. Some IT vendors actively cultivate lock-in as part of their sales strategies. Congress must determine the extent of its dependency on current vendors and whether this dependency hinders better cybersecurity practices.
Implications for the Executive Branch
The challenges faced by Congress are mirrored in executive branch agencies. Insights gained from Congress’s examination of its vendor relationships are likely applicable to the executive branch as well. Modernizing IT infrastructure is a key component of the forthcoming cybersecurity strategy, but congressional support will be essential to drive this modernization. Incumbent IT providers often have favorable arrangements with federal agencies, which can lead to inflated costs and inadequate service quality.
Addressing the Cyber Threat from China
Congress should convene hearings focused on the cyber threats posed by China and explore ways to support the administration’s efforts to counter these threats. The National Cyber Director has noted that current U.S. policy does not sufficiently deter adversaries’ malicious cyber activities. To address this, the U.S. must find ways to impose tangible costs on adversaries, potentially through offensive cyber operations and other punitive measures.
The uneven state of cyber defenses across critical infrastructure and government networks further complicates the situation. Strengthening these defenses could alter adversaries’ cost-benefit analysis regarding cyberattacks. With the White House’s upcoming cyber strategy expected to emphasize shaping adversary behavior and enhancing critical infrastructure resilience, these efforts represent a crucial step forward.
Andrew Grotto, who co-directs the Program on Geopolitics, Technology, and Governance at Stanford University, emphasizes the need for comprehensive cybersecurity strategies. His experience as the Senior Director for Cyber Policy on the National Security Council during both the Obama and Trump administrations informs his perspective on the importance of robust cybersecurity measures.
As reported by federalnewsnetwork.com, the urgency for congressional action in cybersecurity has never been more pronounced. The evolving landscape of cyber threats necessitates a proactive approach to safeguarding national interests and ensuring the integrity of U.S. infrastructure.
