Trade vs. Cybersecurity: Why AI Must Guard Telecoms

AI in Defense & National Security | By 3L3C

Trade talks shift. Intrusions don’t. Learn how AI-driven cybersecurity helps telecoms and critical infrastructure reduce dwell time and defend supply chains.

Tags: AI in cybersecurity, Critical infrastructure, Telecom security, Geopolitical risk, Supply chain security, SOC operations, Nation-state threats


Trade negotiations don’t stop intrusions.

That’s the uncomfortable lesson from the latest reporting that the US may have backed off planned sanctions tied to China’s alleged role in the Salt Typhoon compromises of telecom providers—while also signaling flexibility on high-end AI chip exports. You can debate the diplomatic rationale. But if you run security for a telecom, a cloud provider, a defense contractor, or any company with sensitive communications metadata, the operational message is clearer: geopolitics is noisy, but attackers are consistent.

This post is part of our “AI in Defense & National Security” series, and I’m going to take a stance: treating cyber response as a trade bargaining chip is strategically risky, because it encourages adversaries to believe consequences are negotiable. More importantly, it distracts from what actually reduces harm—deterrence by denial, where you make intrusions harder, shorter-lived, and more expensive.

AI belongs in the center of that strategy. Not as a buzzword. As a practical way to detect anomalies at machine speed, harden supply chains, and continuously validate security controls across sprawling infrastructure.

Sanctions are negotiable; compromises aren’t

Diplomacy can change overnight. Your exposure can’t.

The Salt Typhoon story highlights a recurring pattern: sanctions and export controls get mixed into broader negotiations (trade balances, industrial policy, even non-cyber issues). That’s not new in Washington, and it won’t be the last time. The problem is the implied incentive structure for adversaries: if economic penalties are bargaining chips, then cyber operations become a low-risk, high-reward tool.

There’s also a practical limitation: sanctions rarely remove an attacker’s capability. A well-resourced intelligence service doesn’t stop because a few accounts are frozen or certain entities are listed. Even when sanctions create friction, they don’t automatically translate into fewer exploits, fewer implants, or fewer stolen credentials.

What actually changes outcomes is boring—and effective:

  • Faster discovery of anomalous activity
  • Better identity hygiene (especially for admins and service accounts)
  • Segmented networks with measurable choke points
  • Repeatable incident response playbooks
  • Verified software and hardware supply chain controls

Those are engineering problems. AI helps solve engineering problems at scale.

“Deterrence by denial” is the only dependable cyber strategy

If you want a single sentence you can use in a board meeting, it’s this:

You can’t negotiate your way out of a supply chain compromise—you can only prevent it, detect it quickly, and contain it.

Deterrence by denial means the attacker’s expected payoff drops because:

  1. Getting initial access is harder
  2. Lateral movement is constrained
  3. Persistence is fragile (implants get discovered)
  4. Exfiltration is noisy and blocked
  5. Recovery is fast enough that disruption doesn’t create leverage

Telecom environments make this harder. They’re heterogeneous, always-on, and full of legacy components and vendor integrations. That’s exactly where modern AI-driven security earns its keep.

Why telecoms are a top-tier target

Telecom networks sit at an awkward intersection of national security and commercial operations:

  • They route traffic for governments, enterprises, and critical infrastructure
  • They contain high-value metadata (who contacted whom, when, and from where)
  • They are integral to emergency services and continuity operations

An adversary doesn’t always need your crown jewels. Sometimes traffic visibility and selective access are enough.

How AI-driven cybersecurity actually helps (and where it doesn’t)

AI won’t “solve” nation-state cyber operations. But it can measurably reduce dwell time and blast radius—two metrics that directly translate into fewer operational and legal headaches.

Here’s where I’ve seen AI deliver real value in complex environments.

1) Real-time anomaly detection across messy networks

Most companies still rely too heavily on brittle rules: “If X happens, alert Y.” That fails in telecom-scale environments where “normal” is constantly shifting.

Behavioral models can detect:

  • Unusual authentication paths (impossible travel, new device posture, odd MFA patterns)
  • Abnormal east-west movement between network segments
  • Rare process execution chains on bastion hosts and jump servers
  • Unexpected DNS patterns and beaconing-like timing

This matters because sophisticated actors try to look routine. AI doesn’t need a known indicator of compromise to flag activity that deviates from historical baselines.

2) Prioritizing the alerts that humans can’t keep up with

Most SOCs aren’t short on alerts. They’re short on time.

AI helps by:

  • Correlating weak signals into a higher-confidence incident narrative
  • Ranking alerts by business impact (assets, identities, data sensitivity)
  • Summarizing context for faster triage (what changed, what’s connected)

The lead-generation angle is straightforward: if your SOC is drowning, you don’t need more logs—you need better decisions per analyst hour.

3) Hardening supply chains with continuous verification

When the source article talks about sanctions and export controls being mixed into negotiation, it exposes a deeper truth: global supply chains are politically fragile.

Security teams should assume:

  • Vendor risk will swing with geopolitics
  • Component provenance will be harder to validate in some regions
  • Third-party access paths will remain a favorite intrusion route

AI can support supply chain security by:

  • Detecting anomalous behavior from vendor accounts and remote tooling
  • Mapping software dependencies and highlighting risky transitive components
  • Monitoring changes in build pipelines and artifact repositories

The win isn’t theoretical. It’s operational: fewer blind spots when something upstream changes.

4) Enforcing “minimum privilege” for non-human identities

Telecom and critical infrastructure environments depend heavily on automation: scripts, service accounts, certificates, tokens, APIs. These non-human identities are a quiet goldmine for attackers.

AI-assisted identity analytics can:

  • Flag service accounts with privilege creep
  • Detect abnormal token use across regions or time windows
  • Identify unused credentials that should be rotated or removed

If your org is adopting more automation (or more AI), non-human identity governance becomes a national-security-grade concern.
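As an added illustration of the baseline-versus-rules point from section 1 and the identity analytics in section 4 (example code written for this post, not a product or the author's tooling): a per-identity baseline is built from constructed non-interactive authentication events, new events are scored by how they deviate from it (new region, unusual hour, a role the identity never used, which is one privilege-creep signal), and credentials idle beyond a threshold are listed for rotation. Identity names, regions, roles and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed non-interactive auth events: (identity, UTC timestamp, region, role used).
NOW = datetime(2025, 1, 15, 12, 0)
BASELINE = [("svc-backup", NOW - timedelta(days=d, hours=10), "us-east", "backup-reader")
            for d in range(1, 15)]                                   # nightly 02:00 UTC job
BASELINE.append(("svc-legacy-export", NOW - timedelta(days=45), "us-east", "export-writer"))
NEW_EVENTS = [
    ("svc-backup", NOW + timedelta(hours=2), "eu-west", "admin"),     # daytime, new region, new role
    ("svc-backup", NOW + timedelta(hours=14), "us-east", "backup-reader"),  # routine 02:00 run
    ("svc-unknown", NOW, "us-east", "reader"),                       # never seen before
]

def build_baseline(events):
    """Per-identity profile of regions, hours-of-day and roles observed, plus last activity."""
    profile = defaultdict(lambda: {"regions": set(), "hours": set(), "roles": set(), "last_seen": None})
    for ident, ts, region, role in events:
        p = profile[ident]
        p["regions"].add(region)
        p["hours"].add(ts.hour)
        p["roles"].add(role)
        if p["last_seen"] is None or ts > p["last_seen"]:
            p["last_seen"] = ts
    return profile

def score_event(profile, event):
    """List the ways an event deviates from its identity's baseline (empty list = routine)."""
    ident, ts, region, role = event
    p = profile.get(ident)          # .get() does not create a default entry
    if p is None:
        return ["unknown-identity"]
    reasons = []
    if region not in p["regions"]:
        reasons.append("new-region")
    if ts.hour not in p["hours"]:
        reasons.append("off-hours")
    if role not in p["roles"]:      # a role the identity never used before: privilege-creep signal
        reasons.append("new-role")
    return reasons

def stale_credentials(profile, now, max_idle_days=30):
    """Identities with no authentication in max_idle_days: candidates for rotation or removal."""
    return sorted(i for i, p in profile.items() if now - p["last_seen"] > timedelta(days=max_idle_days))

if __name__ == "__main__":
    prof = build_baseline(BASELINE)
    print([score_event(prof, ev) for ev in NEW_EVENTS], stale_credentials(prof, NOW))
```

A production version would learn hour windows and regions per weekday and decay old observations, but the shape is the same: profile per identity, score deviation, surface the idle ones.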

Where AI doesn’t help (unless you fix the basics)

AI can’t compensate for:

  • Flat networks with broad trust
  • Unpatched edge systems exposed to the internet
  • Weak asset inventory (“we don’t know what we run”)
  • Shared admin accounts and unmanaged privileged access

If your telemetry is incomplete or your identity architecture is chaotic, AI will mostly produce expensive confusion.

A practical AI security blueprint for critical infrastructure teams

You don’t need a moonshot program. You need a sequence that creates value in 90 days, then compounds.

Step 1: Define the “national impact” assets and routes

Answer this clearly: Which systems, if compromised, create national-scale harm or regulated exposure?

For telecoms and adjacent providers, that typically includes:

  • Core network management and orchestration systems
  • Identity providers and privileged access tooling
  • Customer data platforms and call detail record systems
  • Interconnect infrastructure and lawful intercept interfaces
  • Software update channels and build systems

If you can’t list them, you’re not ready for “AI security.” You’re still in asset discovery.

Step 2: Instrument identity and network telemetry first

AI thrives on high-signal data. Prioritize:

  • Authentication logs (interactive and non-interactive)
  • Privileged session telemetry
  • Egress DNS/HTTP(S) metadata
  • East-west flow logs between key segments

Then set measurable goals: reduce mean time to detect (MTTD), mean time to respond (MTTR), and dwell time.

Step 3: Deploy AI where it reduces time-to-decision

Start with use cases that pay off fast:

  1. AI-driven anomaly detection for identity and lateral movement
  2. AI triage summaries for incident queues
  3. AI-assisted threat hunting over high-value network segments

Be opinionated about outcomes. If it doesn’t change analyst behavior, it’s a science project.

Step 4: Add “deterrence by denial” controls that AI can verify

Controls should be both strong and testable.

Examples:

  • Segmentation policies that are continuously validated against flows
  • Privileged access workflows with enforced JIT (just-in-time) elevation
  • Device posture checks that block risky endpoints from sensitive systems

AI can help confirm whether these controls are working in the real world, not just in audit screenshots.
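One concrete form of "segmentation policies continuously validated against flows" (added example, not the post's own code): a segment map and an allow-list policy are checked against constructed flow records, reporting both flows that violate the policy (a user host reaching core management without passing through the jump segment, a CDR database egressing to an unknown address) and allow rules that no flow ever exercised, which are candidates for removal. Segment names, CIDRs and flow tuples are constructed.

```python
import ipaddress
from collections import Counter

# Constructed segment map (name -> network) and segmentation policy.
SEGMENTS = {
    "corp-user": ipaddress.ip_network("10.10.0.0/16"),
    "jump": ipaddress.ip_network("10.20.0.0/24"),
    "core-mgmt": ipaddress.ip_network("10.30.0.0/24"),
    "cdr-db": ipaddress.ip_network("10.40.0.0/24"),
}
# Allowed (source segment, destination segment, destination port) triples; everything else is denied.
POLICY = {
    ("corp-user", "jump", 22),
    ("jump", "core-mgmt", 22),
    ("jump", "cdr-db", 5432),
    ("core-mgmt", "cdr-db", 5432),
}
# Constructed flow log records: (src ip, dst ip, dst port).
FLOWS = [
    ("10.10.5.7", "10.20.0.4", 22),        # user -> jump host: allowed
    ("10.20.0.4", "10.30.0.9", 22),        # jump -> core management: allowed
    ("10.10.5.7", "10.30.0.9", 22),        # user straight to core management: bypasses jump
    ("10.30.0.9", "10.40.0.2", 5432),      # core management -> CDR database: allowed
    ("10.40.0.2", "203.0.113.10", 443),    # CDR database egress to an unmapped address
]

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside every known network."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def validate_flows(flows, policy=POLICY):
    """Return (violations, unexercised): flows the policy does not allow, and allow rules no flow used."""
    violations, exercised = [], Counter()
    for src, dst, port in flows:
        key = (segment_of(src), segment_of(dst), port)
        if key in policy:
            exercised[key] += 1
        else:
            violations.append((src, dst, port, key))
    unexercised = sorted(policy - set(exercised))
    return violations, unexercised

if __name__ == "__main__":
    bad, unused = validate_flows(FLOWS)
    print("violations:", bad)
    print("allow rules never exercised:", unused)
```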

People also ask: “Should governments prioritize trade over cybersecurity?”

They shouldn’t treat them as competing priorities.

Cybersecurity is a trade enabler. If telecom networks and industrial ecosystems are persistently compromised, you don’t have “healthy trade”—you have systemic IP loss, coercive leverage, and fragile continuity.

A more realistic framing is: assume diplomacy will fluctuate and build security that holds anyway. That’s why AI-driven cybersecurity matters. It scales defense when the geopolitical climate is unpredictable.

What to do next if you’re responsible for security outcomes

If you’re a CISO, SOC leader, or critical infrastructure security engineer, here are the next steps I’d actually recommend this quarter:

  1. Run an identity exposure review focused on privileged and non-human identities.
  2. Measure your dwell time assumptions (how long would an intruder realistically remain unnoticed in your environment?).
  3. Pilot AI anomaly detection on a single high-value segment (telecom core management, build pipeline, or IAM).
  4. Write an escalation playbook for geopolitically-linked intrusions (who decides what, when, and how you coordinate).

Trade policy will keep shifting. Attackers won’t.

If you want a forward-looking question to bring to your next leadership meeting, make it this: If sanctions and diplomacy fail to deter the next telecom intrusion, is our “deterrence by denial” strong enough to make it not worth the effort?
