Trade Deals Won’t Save You: AI for Cyber Resilience

AI in Defense & National Security · By 3L3C

Trade policy shifts won’t stop nation-state intrusions. Build deterrence by denial with AI-driven cybersecurity that speeds detection and response.

Tags: AI security, Cyber risk, Nation-state threats, Security operations, Critical infrastructure, Telecom security


A sobering detail got lost in the political chatter around US–China trade: the Salt Typhoon telecom intrusions have now been linked to a victim set reported at 200+ organizations across 80 countries. That’s not a “headline breach.” That’s industrial-scale access.

Reports that the US may have backed away from additional sanctions tied to Salt Typhoon—while also signaling flexibility on certain AI chip exports—triggered an understandable reaction: are trade negotiations being prioritized over cybersecurity? My take: even if sanctions come and go, your threat exposure doesn’t. Nation-state operators don’t pause because a negotiating table gets crowded.

This post is part of our AI in Defense & National Security series, where we focus on what actually reduces risk in the real world. Here’s the practical lesson behind the trade-policy noise: if your security strategy depends on consistent geopolitical pressure, it’s fragile. If it’s built on deterrence by denial—and reinforced with AI-driven cybersecurity—it’s far harder to shake.

Trade politics are unpredictable; adversaries aren’t

Answer first: Trade policy shifts create ambiguity, but China, Russia, Iran, and other major operators maintain persistent cyber programs regardless of sanctions.

The idea that sanctions will deter cyber intrusion sounds good because it fits how we wish the world worked: do bad things, face consequences, stop doing bad things. In practice, the incentives are different. For a nation-state group, the upside of long-term espionage—access to telecom infrastructure, visibility into routing, metadata, and communications—can outweigh financial penalties placed on individuals who may never travel or touch Western banking.

That’s why “sanctions as cyber strategy” often fails to deliver the one thing executives want: predictable risk reduction. Sanctions can help set norms and impose costs. They can support diplomacy. But they do not automatically:

  • remove access an actor already has
  • harden telecom networks
  • patch edge devices
  • improve detection inside your environment

In other words, sanctions don’t do the unglamorous work. Your teams do.

The specific problem Salt Typhoon exposed

Answer first: The Salt Typhoon activity highlights how telecom and critical infrastructure intrusions scale quickly once an actor finds repeatable paths into complex, interconnected environments.

Telecommunications environments are attractive because they sit at the intersection of national security and enterprise risk. When attackers can persist in telecom ecosystems, the impact isn’t limited to one company’s data loss. It can become:

  • surveillance enablement
  • downstream compromise of connected enterprises
  • interception or mapping of communications patterns
  • a springboard into government, defense, and regulated sectors

This is exactly where AI in national security discussions stop being theoretical. When access is persistent and distributed, speed matters more than press releases.

Sanctions aren’t a control; “deterrence by denial” is

Answer first: The only consistently reliable deterrent is making intrusions costly to execute and hard to sustain—through instrumentation, identity controls, segmentation, and fast detection/response.

A useful phrase from practitioners is deterrence by denial: the attacker decides the operation isn’t worth it because staying inside your environment is too difficult, too noisy, or too likely to be discovered.

That requires operational security excellence, not just policy.

What “denial” looks like in enterprise terms

Answer first: Denial is built with boring fundamentals executed well—and verified continuously.

If you’re a CISO or security leader, here are the pillars that actually change outcomes:

  1. Identity hardening

    • Require phishing-resistant MFA for privileged access
    • Reduce standing privileges (just-in-time access)
    • Treat non-human identities (service accounts, API keys) as first-class risk
  2. Attack-surface control

    • Reduce exposed services (especially remote management)
    • Maintain a real-time asset inventory (cloud and on-prem)
    • Enforce configuration baselines
  3. Segmentation and blast-radius reduction

    • Separate telecom/OT-like sensitive segments from corporate IT
    • Use tight egress controls for critical systems
  4. Detection and response that keeps pace

    • Centralize logs that matter (identity, DNS, proxy, EDR, cloud)
    • Practice containment (not just tabletop exercises)

The challenge: most teams can describe these, but they can’t execute them fast enough—especially when the environment is sprawling.

That’s where AI helps when it’s used with discipline.

Where AI-driven cybersecurity actually helps (and where it doesn’t)

Answer first: AI helps most when it reduces analyst toil and speeds up decisions in detection, triage, and response—not when it’s treated as a magic prediction engine.

A lot of “AI security” messaging is either hype or fear. The reality is simpler: security operations fail at the seams—too many alerts, too little context, too many disconnected systems.

Used well, AI closes those seams.

1) Faster triage: turn alert floods into a short list

Answer first: AI can summarize, correlate, and rank events so humans focus on the handful that matter.

In a large SOC, the problem isn’t that you have zero detection. It’s that you have more detection than you can process. Modern AI approaches can:

  • group related alerts into incidents (deduplication + correlation)
  • generate a natural-language incident narrative
  • extract entities: users, hosts, IPs, domains, processes
  • assign confidence based on historical baselines and known patterns

This matters because nation-state intrusions are often “low and slow.” If your team can’t see the thread across days or weeks, you’re fighting with one hand tied.
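As an added example (not code from the original post), here is the deduplication, correlation and ranking step in Python, run over a handful of constructed alerts; the entity keys, telemetry source names and scoring weights are assumptions chosen to show the "thread across days" effect.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (not real telemetry): id, source, timestamp, user, host, ip, title.
# Three share a service account and a host across nine days; the last two are a duplicate pair.
RAW = [
    ("a1", "identity", "2024-05-01T08:00:00", "svc-backup", None, "203.0.113.7", "Impossible travel for privileged identity"),
    ("a2", "edr", "2024-05-03T02:15:00", "svc-backup", "mgmt-host-01", None, "Rare process on critical host"),
    ("a3", "network", "2024-05-09T23:40:00", None, "mgmt-host-01", "198.51.100.22", "New outbound destination from critical host"),
    ("a4", "proxy", "2024-05-02T10:00:00", "jdoe", "wks-1042", None, "Blocked web category"),
    ("a5", "proxy", "2024-05-02T10:05:00", "jdoe", "wks-1042", None, "Blocked web category"),
]
ALERTS = [dict(zip(("id", "source", "ts", "user", "host", "ip", "title"), r)) for r in RAW]
ENTITY_KINDS = ("user", "host", "ip")

def correlate(alerts):
    """Deduplicate, union alerts that share a user/host/IP, then rank the resulting incidents."""
    # Deduplication: keep the first alert per (source, title, entities) tuple.
    uniq = {(a["source"], a["title"]) + tuple(a[k] for k in ENTITY_KINDS): a for a in reversed(alerts)}
    alerts = sorted(uniq.values(), key=lambda a: a["id"])
    parent = {a["id"]: a["id"] for a in alerts}  # union-find over alert ids
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    first_seen = {}  # (entity kind, value) -> id of the first alert carrying it
    for a in alerts:
        for kind in ENTITY_KINDS:
            if a[kind] is None:
                continue
            if (kind, a[kind]) in first_seen:
                parent[find(a["id"])] = find(first_seen[(kind, a[kind])])
            else:
                first_seen[(kind, a[kind])] = a["id"]
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    incidents = []
    for members in groups.values():
        times = sorted(datetime.fromisoformat(a["ts"]) for a in members)
        sources = sorted({a["source"] for a in members})
        entities = sorted({(k, a[k]) for a in members for k in ENTITY_KINDS if a[k]})
        span_days = (times[-1] - times[0]).days
        # Independent telemetry sources agreeing outweighs raw alert volume, and a thread
        # stretching across days is the "low and slow" pattern worth surfacing first.
        score = 10 * len(sources) + min(span_days, 14) + len(entities)
        incidents.append({"alerts": sorted(a["id"] for a in members), "sources": sources,
                          "entities": entities, "span_days": span_days, "score": score})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

The three-source, nine-day thread lands at the top of the list while the duplicated proxy noise collapses into a single low-ranked incident.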

2) Threat detection that adapts when playbooks don’t

Answer first: AI-powered detection can identify anomalies and behavior patterns that signature rules miss, especially in identity and cloud activity.

Salt Typhoon-style campaigns often involve persistence, credential abuse, and living-off-the-land behavior. That’s where behavioral analytics can outperform static rules—if the system has good telemetry.

High-value use cases I’ve seen work in practice:

  • Impossible travel + session risk for privileged identities
  • Unusual data movement patterns (volume, destination, time)
  • New administrative actions in cloud control planes
  • Rare process + network combinations on critical hosts

AI won’t compensate for missing logs or weak identity controls. But with solid inputs, it can detect subtle pivots earlier.

3) Automated response that’s safe enough to trust

Answer first: The most practical automation is constrained automation—actions that are reversible, audited, and triggered at high confidence.

Organizations hesitate to automate because they fear taking down production systems. That fear is valid. The answer isn’t “no automation.” It’s automation with guardrails:

  • quarantine endpoints only when multiple signals align
  • disable tokens or sessions before disabling the user account
  • block outbound connections for a process hash rather than an entire subnet
  • require human approval for destructive actions

This is where AI-assisted SOAR can shine: propose actions, show evidence, and execute only within policy.

A good standard: if the action is hard to roll back, it shouldn’t be fully automated.
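An added example (not from the original post) of those guardrails as a small policy engine in Python: the action catalogue, the confidence threshold and the constructed incidents are assumptions, and the rules encode the four bullets above plus the roll-back standard. It also covers the Week 3 containment automations later in the post (revoke sessions on identity incidents, isolate only when EDR, identity and network agree).

```python
from dataclasses import dataclass
# Assumed action catalogue for this example: whether an action is easy to roll back, which
# telemetry sources must agree before it runs unattended, and the order actions must run in.
ACTIONS = {
    "revoke_sessions":   {"reversible": True,  "needs": {"identity"}, "order": 0},
    "disable_account":   {"reversible": True,  "needs": {"identity"}, "order": 1},  # after sessions
    "block_hash_egress": {"reversible": True,  "needs": {"edr", "network"}, "order": 2},
    "isolate_endpoint":  {"reversible": True,  "needs": {"edr", "identity", "network"}, "order": 2},
    "block_subnet":      {"reversible": True,  "needs": set(), "order": 3, "too_broad": True},
    "wipe_host":         {"reversible": False, "needs": set(), "order": 4},
}
AUTO_CONFIDENCE = 0.9  # assumed threshold below which nothing runs without a human

@dataclass
class Decision:
    action: str
    outcome: str     # "execute", "await_approval" or "reject"
    reason: str
    evidence: tuple  # alert ids the decision was made on, kept for the audit trail

def decide(incident, proposed, audit):
    """Run proposed actions through the guardrails; every decision is appended to `audit`."""
    signals = {s["source"] for s in incident["signals"]}
    evidence = tuple(s["id"] for s in incident["signals"])
    executed, decisions = set(), []
    for name in sorted(proposed, key=lambda n: ACTIONS[n]["order"]):
        spec = ACTIONS[name]
        missing = sorted(spec["needs"] - signals)
        if spec.get("too_broad"):
            d = Decision(name, "reject", "block the process hash, not a whole subnet", evidence)
        elif not spec["reversible"]:
            d = Decision(name, "await_approval", "hard to roll back: human approval required", evidence)
        elif name == "disable_account" and "revoke_sessions" not in executed:
            d = Decision(name, "await_approval", "revoke sessions/tokens before disabling the account", evidence)
        elif incident["confidence"] < AUTO_CONFIDENCE:
            d = Decision(name, "await_approval", f"confidence {incident['confidence']} below threshold", evidence)
        elif missing:
            d = Decision(name, "await_approval", f"signals not aligned, missing {missing}", evidence)
        else:
            d = Decision(name, "execute", "reversible, high confidence, signals aligned", evidence)
            executed.add(name)
        audit.append(d)
        decisions.append(d)
    return decisions

# Constructed incidents: one where EDR, identity and network agree, one with a lone EDR alert.
ALIGNED = {"id": "inc-1", "confidence": 0.95, "signals": [
    {"id": "a1", "source": "identity"}, {"id": "a2", "source": "edr"}, {"id": "a3", "source": "network"}]}
LONE_EDR = {"id": "inc-2", "confidence": 0.95, "signals": [{"id": "a7", "source": "edr"}]}
```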

4) Governance: AI as the “glue” when policy is fragmented

Answer first: When regulations and enforcement shift, AI can help maintain consistent internal governance by continuously measuring control health.

One under-discussed benefit: AI can keep your program coherent when the external world isn’t.

If telecom cybersecurity regulations change, or enforcement priorities shift, your internal risk obligations (to customers, boards, insurers, and auditors) remain. AI can continuously answer:

  • Which critical assets drifted from baseline this week?
  • Which business units are not logging what they promised?
  • Where are we over-privileged, and what’s the exposure?
  • What controls have degraded since last quarter?

That’s the difference between “we think we’re compliant” and “we can prove we’re hardened.”

A practical 30-day plan: AI-assisted denial for real teams

Answer first: You don’t need a moonshot program. You need a focused sprint that improves visibility, triage speed, and containment.

If you’re trying to build resilience while the geopolitical environment stays noisy, here’s a 30-day plan that works even for lean teams.

Week 1: Define the assets and identities that matter

  • Pick your top 25 critical systems (telecom-adjacent, identity, billing, customer data, admin consoles)
  • List top 20 privileged roles and service accounts
  • Set minimum logging requirements for those systems (identity, EDR, DNS/proxy, cloud audit logs)

Week 2: Implement AI-assisted triage on a narrow scope

  • Route telemetry for that scope into a central platform
  • Configure incident grouping and entity extraction
  • Create 5–10 “must-page” detections tied to privileged abuse and persistence

Week 3: Add two containment automations with guardrails

Pick actions that are low-risk and high-impact:

  • revoke sessions/tokens for high-confidence identity incidents
  • isolate endpoints when EDR + identity + network signals match

Track outcomes: false positives, time-to-contain, business disruption.

Week 4: Prove control health to leadership

Create a one-page operational scorecard:

  • Mean time to acknowledge (MTTA)
  • Mean time to contain (MTTC)
  • % of critical assets meeting logging baseline
  • % of privileged identities with phishing-resistant MFA
  • # of drift exceptions open > 14 days

Boards and federal stakeholders respond well to measures that show denial is improving, not just “threats are increasing.”
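As an added example (not code from the original post), the control-health questions from the governance section and the Week 4 scorecard computed in Python from constructed asset, identity, drift and incident records; the logging baseline follows Week 1, and the set of MFA methods counted as phishing-resistant is an assumption.

```python
from datetime import datetime
from statistics import mean

# Constructed records (not from any real environment). Logging baseline per the post:
# identity, EDR, DNS/proxy and cloud audit logs for each critical system.
BASELINE = {"identity", "edr", "dns_proxy", "cloud_audit"}
ASSETS = [
    {"name": "admin-console", "unit": "platform", "logging": {"identity", "edr", "dns_proxy", "cloud_audit"}},
    {"name": "billing-db", "unit": "finance", "logging": {"identity", "edr"}},
    {"name": "cust-data-api", "unit": "product", "logging": {"identity", "edr", "dns_proxy", "cloud_audit"}},
    {"name": "mgmt-host-01", "unit": "platform", "logging": {"edr", "dns_proxy"}},
]
IDENTITIES = [
    {"name": "svc-backup", "privileged": True, "mfa": None},      # non-human identity, no MFA
    {"name": "admin-jdoe", "privileged": True, "mfa": "fido2"},
    {"name": "admin-asmith", "privileged": True, "mfa": "sms"},    # not phishing-resistant
    {"name": "jdoe", "privileged": False, "mfa": "totp"},
]
DRIFT = [  # configuration-baseline exceptions: when opened, when closed (None = still open)
    {"asset": "billing-db", "opened": "2024-05-01", "closed": None},
    {"asset": "mgmt-host-01", "opened": "2024-05-23", "closed": None},
    {"asset": "admin-console", "opened": "2024-04-10", "closed": "2024-04-12"},
]
INCIDENTS = [  # detected, acknowledged, contained
    ("2024-05-20T01:00:00", "2024-05-20T01:12:00", "2024-05-20T02:00:00"),
    ("2024-05-22T09:00:00", "2024-05-22T09:04:00", "2024-05-22T09:40:00"),
]
PHISHING_RESISTANT = {"fido2", "webauthn", "piv"}  # assumed set of acceptable MFA methods

def scorecard(assets, identities, drift, incidents, today):
    """Compute the one-page operational metrics the post lists, straight from the raw records."""
    today = datetime.fromisoformat(today)
    ts = lambda s: datetime.fromisoformat(s)
    privileged = [i for i in identities if i["privileged"]]
    compliant = [a for a in assets if BASELINE <= a["logging"]]
    stale = [d for d in drift if d["closed"] is None and (today - ts(d["opened"])).days > 14]
    recent = [d["asset"] for d in drift if (today - ts(d["opened"])).days <= 7]
    # Business units not logging what they promised, with what is missing per asset.
    gaps = [(a["unit"], a["name"], sorted(BASELINE - a["logging"])) for a in assets if not BASELINE <= a["logging"]]
    return {
        "mtta_min": mean((ts(b) - ts(a)).total_seconds() / 60 for a, b, _ in incidents),
        "mttc_min": mean((ts(c) - ts(a)).total_seconds() / 60 for a, _, c in incidents),
        "pct_assets_logging": round(100 * len(compliant) / len(assets)),
        "pct_priv_phish_resistant_mfa": round(100 * sum(i["mfa"] in PHISHING_RESISTANT for i in privileged) / len(privileged)),
        "drift_open_over_14d": sorted(d["asset"] for d in stale),
        "drifted_this_week": recent,
        "logging_gaps": gaps,
    }
```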

What this means for AI in Defense & National Security

Answer first: National security depends on commercial infrastructure, and commercial infrastructure depends on security operations that can keep up—AI is now part of that capacity.

Telecom, cloud, and identity providers sit in the blast radius of geopolitical conflict. Whether sanctions are tightened, loosened, or traded for diplomatic concessions, attackers still operate. So the durable strategy is operational:

  • assume persistent pressure
  • reduce attacker dwell time
  • minimize blast radius
  • instrument systems like you expect to be tested

If your organization supports government missions, critical infrastructure, or defense supply chains, this isn’t “extra security.” It’s baseline readiness.

The forward-looking question is blunt: if policy signals get noisy again next quarter, will your defenses get quieter—or stronger?

If you want help mapping an AI-driven cybersecurity approach to your environment—starting with the critical assets and identity pathways that matter most—reach out. The best time to build deterrence by denial is before the next negotiation headline tries to distract your roadmap.