For more than a year, hackers linked to China’s Ministry of State Security moved quietly through the networks of nine US telecommunications carriers, reading call records and, in some cases, listening in on senior officials. The campaign, known as Salt Typhoon, has hacked at least 200 American companies, according to the FBI, with victims spread across 80 countries — and the US government’s own advice to its people was telling. Officials told Americans to use end-to-end encrypted apps because the phone network itself could not be trusted.
Arnd Baranowski has spent more than two decades watching that erosion up close. The founder and CEO of Oculeus, a German software company that has protected telecom operators from fraud since 2004, believes the lesson of the past two years is bigger than any single breach. The tools enterprises call “secure,” he argues, mostly are not, because the industry keeps treating security as a feature rather than a foundation.
Encryption is not a strategy
The most common mistake, Baranowski explains, is equating encryption with safety. “Encryption is an important element of security. But it is only one element of securing a system,” he says, noting that baseline encryption can be hacked or bypassed in ways many organizations never consider.
True security, in his telling, has to run through every layer at once — the communication network, the server and app architecture, and the applications themselves, all deployed in hardened environments. He points to RKE2, a security-focused version of Kubernetes, the system most modern software runs on, as the current standard for that foundation. The details are technical, but the principle is simple. A locked message traveling through an unlocked house is not protected.
Salt Typhoon proved the point on a national scale. The attackers did not break encryption. They went around it, compromising the routers, edge devices, and infrastructure the traffic flowed through.
The security people will actually use
Baranowski’s second argument is that even well-built systems can fail if people will not use them. Most security failures, he suggests, begin not with broken code, but with frustrated users. When protected tools are clumsy or degrade the quality users expect, employees “have the tendency to simply ignore security recommendations,” he says — falling back to whatever works, safe or not.
That is why he treats usability as a security requirement rather than a design preference. The systems that matter most — voice and video, messaging and email — have to work the way people already expect them to, he says, while limiting the damage a single mistake can cause, such as an employee falling for a phishing attack. Security that fights its users, in other words, eventually loses to them.
A crowded market and room to move
The secure communications market is not short of players, and Baranowski does not pretend otherwise. His answer to the crowding is experience. “There is always space for solutions that are comprehensive and focus on usability,” he says, “and it doesn’t matter when these solutions enter the market.”
His conviction about the opportunity’s size rests on a structural shift. Standard telephony, with what he calls its flaws and outdated technology, is steadily losing ground to modern voice, video, messaging, and email systems that can carry sensitive conversations without leaking them. Oculeus has been positioning for that shift from the fraud-prevention side. In February, the company launched a framework that lets carriers verify caller identity in real time and block spoofed traffic before it connects.
The bigger wager is that the Salt Typhoon era has changed what buyers ask for. For decades, enterprises assumed the network beneath their conversations was safe and bolted protection on top. That assumption is now demonstrably dead. Encryption alone will not decide who wins that market, Baranowski believes. That prize belongs to the company that can make security so seamless that people forget they are being protected.





