FCC to Roll Back ISP Cybersecurity Mandate

Summary

– The FCC will vote in November to repeal a January 2025 ruling that required telecom providers to secure their networks, following requests from major ISP lobby groups.
– FCC Chairman Brendan Carr argued the ruling exceeded the agency’s authority and was ineffective against cybersecurity threats, citing carrier engagement and improved defenses.
– The original ruling was prompted by Chinese cyberattacks like Salt Typhoon and cited the 1994 CALEA law as requiring carriers to protect networks from unlawful access.
– The January order clarified that carriers’ security duties under CALEA extend to both their equipment choices and network management practices.
– Although the declaratory ruling lacked specific rules, the FCC stated carriers must adopt basic cybersecurity practices like access controls and patching vulnerabilities to meet statutory obligations.

This November, the Federal Communications Commission is set to reverse a cybersecurity mandate for internet service providers, following pressure from major industry lobbyists. FCC Chairman Brendan Carr announced the upcoming vote, arguing the original ruling overstepped the agency’s legal authority and failed to offer a nimble defense against evolving digital threats. He emphasized that telecom companies have already made significant voluntary improvements to their network security protocols.

The initial declaratory ruling, passed in January 2025, was a direct reaction to state-sponsored cyber intrusions, including the Salt Typhoon campaign linked to China that targeted major carriers like Verizon and AT&T. The ruling interpreted the 1994 Communications Assistance for Law Enforcement Act (CALEA) as imposing a clear duty on providers to safeguard their networks from illegal access and surveillance. It clarified that this responsibility covers not just the physical equipment used but also the overall management and operational security of the network infrastructure.

Internet service providers have actively sought this regulatory rollback. The original ruling was accompanied by a Notice of Proposed Rulemaking that would have eventually established specific, enforceable security standards. Carr dissented from that earlier decision, and the new Republican-led commission majority is now moving to nullify it.

Although the declaratory ruling did not yet impose detailed regulations, the FCC had indicated it carried substantial weight. The agency contended that even without formal rules, providers would struggle to meet their statutory obligations under CALEA without adopting fundamental cybersecurity measures. These essential practices included implementing role-based access controls, eliminating default passwords, enforcing strong password policies, and deploying multi-factor authentication. The commission also highlighted that neglecting to patch known software vulnerabilities or to follow established best practices in response to specific threats would likely constitute a failure to fulfill these legal duties.

(Source: Ars Technica)
