Cybersecurity and national security collided in significant ways in 2024, with governments and private-sector entities grappling with the legal, technical, and policy challenges of a rapidly evolving cyber landscape. Offensive cyber operations, questions of foreign ownership of social media companies, and the balance of power between the Executive and Legislative branches are just a few of the pressing issues shaping the modern landscape. As governments and private entities grapple with these challenges, the legal frameworks governing cybersecurity are evolving rapidly, offering both opportunities and risks for practitioners.

Spotlight: The Salt Typhoon Hacking Campaign

One of the most concerning developments of 2024 was the Salt Typhoon hacking campaign. This state-backed operation underscores the persistent threats posed by cyber actors and the vulnerabilities they exploit. Allegedly backed by China, Salt Typhoon compromised several U.S. telecommunications providers, targeting senior political figures, including President-elect Donald Trump and Vice President-elect JD Vance. The hackers reportedly had access to phone records and, in some cases, may have been able to intercept communications data. While no classified information should have been discussed on unsecure lines, the campaign represents a significant breach of national security.

The compromise came to light shortly after U.S. cybersecurity agencies, including CISA, NSA, and FBI, along with international partners, released guidance on protecting telecommunications networks from PRC-affiliated cyber espionage. Federal agencies and telecom providers, including Verizon and AT&T, are working to evict the intruders, but no clear timeline for resolution exists. Meanwhile, the Biden administration has warned of ongoing risks as the hackers remain embedded in networks. This campaign, spanning dozens of countries, underscores the persistent challenges in safeguarding critical infrastructure against foreign cyber threats.

Salt Typhoon’s impact extends beyond the immediate breach, highlighting vulnerabilities in critical infrastructure that adversaries can exploit. These challenges underline the pressing need for secure sensitive communications, enhanced cyber defenses, and international cooperation, themes that will play a central role as we look forward to 2025 and beyond. The campaign also raises questions about the effectiveness of existing cybersecurity frameworks and the need for enhanced collaboration between public and private sectors. Future efforts must focus on preemptive measures, including robust threat detection systems and international agreements to deter state-backed cyber campaigns.

Cyber Operations in Armed Conflicts

The role of cyber operations in armed conflicts underscores how technology is reshaping warfare. Campaigns like Salt Typhoon highlight how cyber tools are used not only for espionage but also to undermine national security, demonstrating the critical importance of robust cyber defenses. Militaries worldwide have adopted offensive cyber capabilities to disrupt adversary networks and critical infrastructure. For example, the United States has used cyberattacks to degrade communications and disrupt financial systems during its campaigns against ISIS, while Russia has conducted cyber operations to disable Ukraine’s power grid and target government systems during its ongoing invasion. These operations, whether used alongside traditional weapons or as stand-alone efforts, demonstrate how cyber tools are becoming indispensable in achieving strategic military objectives. However, their use also raises critical legal questions about the applicability of international law in cyberspace.

One of the most pressing issues in international law is determining when a cyberattack constitutes a “use of force.” The Salt Typhoon hacking campaign illustrates this legal gray area, as its extensive compromise of telecommunications networks and sensitive data demonstrates the disruptive potential of cyber operations without crossing clear boundaries of physical harm. While treaties such as the U.N. Charter prohibit the use of force except in self-defense or with Security Council authorization, cyberattacks often fall into a legal gray area. An emerging consensus suggests that cyberattacks causing significant physical damage or widespread disruption to critical infrastructure—such as energy grids or financial systems—may meet the threshold for a “use of force.” This interpretation aligns with international humanitarian law, which seeks to limit harm to civilians during armed conflicts.

Practitioners seeking to navigate this space may rely on key resources like the U.S. Department of Defense’s Law of War Manual and the NATO-supported Tallinn Manual. These documents provide guidance on applying international law to cyber conflict. The Law of War Manual reflects the U.S. government’s perspective, while the Tallinn Manual offers broader interpretations developed by international scholars. While valuable, both have limitations: the former is U.S.-centric, and the latter lacks official status. Practitioners must critically assess these resources and remain mindful of their differing approaches when advising clients on cyber operations.

Presidential Powers and Cybersecurity

The President’s constitutional powers under Article II provide significant authority to address cybersecurity threats, especially in the context of national security. As Commander in Chief and chief diplomat, the President has broad discretion to act during emergencies involving foreign adversaries. Courts have historically deferred to the Executive Branch on these matters, recognizing the need for swift decision-making in times of crisis. The landmark Supreme Court case Youngstown Sheet & Tube Co. v. Sawyer offers a framework for evaluating presidential power, categorizing actions into three tiers: maximum authority when the President acts with Congressional approval, a “zone of twilight” when Congress is silent, and the lowest ebb when the President acts against Congressional intent. This framework remains critical for analyzing Executive actions in cybersecurity, particularly in contentious scenarios like the debated “internet kill switch,” where the extent of presidential authority is unclear.

Statutory tools further empower the President to address foreign cyber threats. The International Emergency Economic Powers Act (“IEEPA”) enables the President to impose sanctions, block transactions, and regulate supply chains in response to malicious cyber activities. The Export Controls Act restricts the export of sensitive technologies, including cybersecurity tools, to prevent their misuse by adversaries. The Committee on Foreign Investment in the United States (“CFIUS”), under Section 721 of the Defense Production Act, reviews foreign investments that may threaten national security, particularly in critical technologies, infrastructure, or data. Similarly, Section 310(b) of the Communications Act, administered by the Federal Communications Commission (“FCC”), regulates foreign ownership in U.S. telecommunications companies to mitigate national security risks. These statutes provide a robust legal framework for addressing cybersecurity challenges, though they also impose significant compliance burdens on businesses engaging in international transactions.

Looking Forward to 2025

As the digital landscape continues to evolve, the interplay between cybersecurity and national security will remain a critical concern in 2025. Emerging technologies like artificial intelligence, quantum computing, and 5G networks promise transformative advancements but also introduce new vulnerabilities that adversaries can exploit. Cyber threats are no longer confined to isolated breaches; they now have the potential to disrupt critical infrastructure, undermine democratic institutions, and compromise sensitive personal and national security data.

In the coming year, governments and industries will face growing pressure to bolster their cyber defenses, particularly as cyberattacks become increasingly sophisticated and state-backed actors expand their reach. Legislative frameworks, such as those addressing foreign-owned applications and supply chain security, are likely to be revisited and strengthened. Efforts to secure telecommunications networks, protect critical technologies, and prevent the misuse of personal data will intensify, with a strong focus on international cooperation to address global threats.

The role of the private sector in national security will also be more pronounced. Companies managing critical infrastructure or holding vast amounts of user data must proactively engage with regulators and implement robust cybersecurity measures to mitigate risks. Cybersecurity will continue to be a central theme in policymaking, litigation, and international relations, emphasizing the need for a collective response to safeguard national interests.

For more information on these topics, consult the second edition of our PLI treatise: Cybersecurity: A Practical Guide to the Law of Cyber Risk.