Rosa Del Mar

Daily Brief

Issue 85 2026-03-26

Secure Overlay/MVNO Approach To Operating Over Potentially Compromised Carrier Infrastructure

General
Sources: 1 • Confidence: Medium • Updated: 2026-03-27 10:09

Key takeaways

  • CAPE was founded in 2022 to address vulnerabilities in commercial cellular networks that its founder reports observing through prior work.
  • The Navy CTO function described emphasizes identifying capability gaps by listening to sailors and Marines and connecting them with external innovators who can deliver improvements or breakthroughs.
  • Telcos must respond to lawful intercept requests under CALEA and typically outsource administration to a small set of specialized vendors, which connect to the carrier's intercept function over the X1 interface (the ETSI lawful-intercept administration/provisioning interface).
  • Awareness of the Salt Typhoon incident was low even among cyber practitioners at Davos.
  • CAPE operates a live commercial MVNO cellular network with service in 190 countries.

Sections

Secure Overlay/MVNO Approach To Operating Over Potentially Compromised Carrier Infrastructure

  • CAPE was founded in 2022 to address vulnerabilities in commercial cellular networks that its founder reports observing through prior work.
  • CAPE operates a live commercial MVNO cellular network with service in 190 countries.
  • An independent third-party penetration test for the Guam work produced a 50-page report that DIU funded and made unclassified and shareable.
  • a16z invested in CAPE from the beginning, roughly four years before this conversation.
  • CAPE improves privacy by rotating several device and network identifiers, an approach compared to the per-network Wi-Fi MAC address randomization iPhones perform.
  • CAPE’s resilience model relies on stitching together multiple carriers’ physical networks as an MVNO so subscribers can fail over when a host carrier has an outage.

Defense Adoption Mechanisms Shifting Toward Faster, Outcome-Oriented Procurement And Higher Pilot Throughput

  • The Navy CTO function described emphasizes identifying capability gaps by listening to sailors and Marines and connecting them with external innovators who can deliver improvements or breakthroughs.
  • The Navy ran a boot camp for program managers and contracting officers to teach commercial-style procurement, aiming to reduce some acquisition timelines from roughly 18 months to about 3 months.
  • The Navy pushed an organization from running about 2 pilots per year toward a target of 25 pilots per year to build a larger adoption funnel.
  • Structured Challenges from the Innovation Adoption Kit are incorporated into the U.S. National Defense Authorization Act (NDAA), creating a formal requirement to run them.
  • Effective Structured Challenges should be sourced close to operational pain and prioritized by severity.
  • Fanelli’s organization shut down a system in the past year that had resisted shutdown attempts for roughly a decade.

Telecom Lawful-Intercept As Systemic Security Choke Point

  • Telcos must respond to lawful intercept requests under CALEA and typically outsource administration to a small set of specialized vendors, which connect to the carrier's intercept function over the X1 interface (the ETSI lawful-intercept administration/provisioning interface).
  • Chinese hackers (the Salt Typhoon campaign noted in the Watchlist) infiltrated every major American cellular carrier, reaching the lawful-intercept plug-in points so that they could enable call listening on demand, including live calls of senior U.S. government officials.
  • The compromise also exposed the intercept target list itself, i.e. who was under lawful interception.
  • In a pilot with a CALEA vendor, CAPE's SRE team found, shipped inside the vendor's installer package, a plaintext file containing usernames and passwords for every one of that vendor's clients.
  • Given those observed vendor practices, compromising the major carriers' X1 lawful-intercept interfaces was likely not difficult (an inference from the finding, not a documented intrusion path).
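The plaintext credential file above is the kind of thing a pre-deployment package check catches before a vendor client ever touches a lawful-intercept administration host. The following is an added example for this brief, not code from CAPE, DIU or any CALEA vendor: it unpacks an installer archive in memory and flags every text member that carries key=value secrets or user:password lines. The zip format, member names, sample contents and the credential regexes are all assumptions made for illustration.

```python
"""Pre-deployment check: scan a vendor installer archive for plaintext credentials.

Added example for this brief; not code from CAPE, DIU or any CALEA vendor.
It unpacks a zip installer in memory and flags every text member that
carries key=value secrets or user:password lines, the shape of the finding
described above. Archive layout, file names and the regexes are assumptions.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# A value assigned to a secret-looking key: "password = x", "client_secret: y",
# "api_key=z". The key must end in one of the secret words so that e.g.
# "passport=" does not match. Assumed patterns; extend for real packages.
SECRET_ASSIGN = re.compile(
    r"^\s*(?P<key>[\w.-]*?(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key))"
    r"\s*[:=]\s*(?P<val>\S+)",
    re.IGNORECASE | re.MULTILINE,
)
# One credential per line in "user:password" form, as in a per-client list.
USER_COLON_PASS = re.compile(
    r"^(?P<user>[A-Za-z0-9._@-]{2,64}):(?P<pw>[^\s:]{6,})\s*$",
    re.MULTILINE,
)


@dataclass
class Finding:
    member: str   # path inside the archive
    kind: str     # which pattern fired
    count: int    # number of matching lines


def _is_text(data: bytes) -> bool:
    """Cheap text heuristic: no NUL bytes and decodes as UTF-8."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def scan_package(zip_bytes: bytes, max_member_size: int = 4 * 1024 * 1024) -> list[Finding]:
    """Return one Finding per (member, pattern) that matched.

    Every member is inspected regardless of extension: the file in the brief
    was a plain text file, but a .dat or extension-less member could hold
    the same thing. Oversized members are skipped to bound memory use.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member_size:
                continue
            data = zf.read(info)
            if not _is_text(data):
                continue
            text = data.decode("utf-8")
            n_assign = len(SECRET_ASSIGN.findall(text))
            n_pairs = len(USER_COLON_PASS.findall(text))
            if n_assign:
                findings.append(Finding(info.filename, "key=value secret", n_assign))
            if n_pairs:
                findings.append(Finding(info.filename, "user:password line", n_pairs))
    return findings


def package_passes(zip_bytes: bytes) -> bool:
    """Gate: a package with any plaintext credential finding must not be deployed."""
    return not scan_package(zip_bytes)


def build_sample_package(include_credentials: bool = True) -> bytes:
    """Constructed sample installer, not a real vendor package.

    With include_credentials=True it carries a per-client credential list and
    a config file with a password, mirroring the finding in the brief.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "LI admin client installer\nRun bin/setup.exe\n")
        zf.writestr("bin/setup.exe", b"MZ\x90\x00" + bytes(range(256)) * 4)  # binary, skipped
        if include_credentials:
            zf.writestr(
                "config/clients.txt",
                "# one line per client site\n"
                "carrierA:Sup3rS3cret!\n"
                "carrierB:Passw0rd2024\n"
                "carrierC:li-admin-9911\n",
            )
            zf.writestr(
                "config/db.ini",
                "[db]\nusername=li_service\npassword=ChangeMe123\nhost=10.0.0.5\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_package(build_sample_package()):
        print(f"{f.member}: {f.count} x {f.kind}")
```

Run this as a gate in the pipeline that stages vendor software, and fail closed on any finding; for MSI, tar or self-extracting installers add an extraction step in front of `scan_package` rather than trusting file extensions, since the point of the check is that a credential list can sit in any member.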

Watchlist

  • Awareness of the Salt Typhoon incident was low even among cyber practitioners at Davos.

Unknowns

  • What authoritative, publicly citable sources confirm the scope and technical details of the Salt Typhoon telecom compromise described here (e.g., breadth across carriers, lawful-intercept access, live call access)?
  • Which CALEA service vendors and X1 implementations are implicated by the asserted weak-security practices, and what remediation/audit evidence exists?
  • Does the unclassified third-party penetration test report for the Guam work exist, and what were its specific findings, scope, and limitations?
  • What objective measurements validate CAPE’s claimed privacy properties (which identifiers rotate, how often, and what correlation attacks still work)?
  • What objective measurements validate CAPE’s claimed resilience properties (automatic failover behavior during outages, time-to-reconnect, and conditions where failover fails)?

Investor overlay

Read-throughs

  • If lawful intercept is viewed as a systemic choke point, telecom operators and governments may increase spending on hardening intercept workflows, credentialing, auditing, and secure service delivery, benefiting niche compliance and security vendors tied to CALEA operations.
  • If defense procurement is shifting toward faster, outcome-oriented pilots with clear success metrics, vendors offering deployable secure connectivity overlays and managed cellular services could see higher pilot volume and improved transition-to-scale probability.
  • If an MVNO overlay can credibly deliver privacy and resilience over potentially compromised carrier infrastructure, demand could expand for multi-carrier failover and identifier-rotation services in defense, critical infrastructure, and high-risk enterprise mobility use cases.

What would confirm

  • Authoritative public reporting or government statements that corroborate the described telecom compromise scope and mechanics, including whether lawful-intercept systems or interfaces were involved and the practical access achieved.
  • Disclosure of which CALEA service vendors and X1 implementations are implicated, followed by independent audits, remediation evidence, or procurement actions that validate the lawful-intercept security weakness narrative.
  • Release or credible summaries of independent testing for the Guam work and objective measurements for CAPE, including identifier rotation details, correlation attack limits, failover behavior, and time-to-reconnect under real outage conditions.

What would kill

  • Credible public information indicating the asserted telecom compromise details are materially overstated or unrelated to lawful-intercept systems, reducing urgency for intercept security spend and secure-overlay adoption.
  • Independent evaluation showing privacy claims do not hold under practical correlation attacks, or resilience claims fail in common outage scenarios, undermining differentiation versus standard MVNO and encryption approaches.
  • Evidence that the described faster defense adoption mechanisms do not persist in practice, with pilots failing to transition to scale or acquisition cycle times not improving, limiting near-term commercialization pathways.

Sources