FCC axes cybersecurity rules for telecoms amid hacking threats

Summary
– The FCC has rescinded a 2025 ruling that required U.S. telecom carriers to implement stricter cybersecurity measures under CALEA in response to the Salt Typhoon hack.
– The original ruling mandated that telecom companies create cybersecurity risk-management plans, submit annual certifications, and treat network security as a legal obligation.
– The rollback followed lobbying from telecom firms that found the rules too burdensome, with the FCC now deeming the prior rule inflexible and based on flawed legal analysis.
– The Salt Typhoon attacks, disclosed in October 2024, were a Chinese espionage campaign that breached major carriers and potentially intercepted sensitive government communications.
– The decision faced criticism from FCC Commissioner Anna M. Gomez and senators, who argued it leaves Americans less protected against ongoing threats from state-sponsored actors.
In a move that has ignited significant debate, the Federal Communications Commission has officially rescinded cybersecurity regulations that previously mandated U.S. telecommunications carriers adopt enhanced protective measures. This reversal comes despite the persistent threat posed by sophisticated hacking groups, notably the Chinese state-sponsored collective identified as Salt Typhoon. The original ruling, enacted in January 2025 under the authority of the Communications Assistance for Law Enforcement Act (CALEA), was designed to compel carriers to fortify their digital defenses following Salt Typhoon’s successful infiltration of multiple networks to surveil private communications.
The now-defunct framework required providers to develop and put into practice comprehensive cybersecurity risk-management plans. It also obligated them to file yearly certifications with the FCC as proof of their compliance and to treat the security of their general network infrastructure as a binding legal duty. The impetus for the rollback stemmed from substantial lobbying by telecommunications companies. These firms argued that the regulatory demands were overly burdensome and complex for their day-to-day operations. A letter from Senator Maria Cantwell highlighted these industry concerns, which ultimately influenced the FCC’s decision.
An official announcement from the commission characterized the prior ruling as “unlawful and ineffective,” stating the action was taken to “correct course.” The FCC, now under fresh leadership, also withdrew a related Notice of Proposed Rulemaking, asserting it was founded on a flawed legal interpretation. The agency contends that service providers have already made considerable, voluntary strides in strengthening their cybersecurity postures since the Salt Typhoon incidents. It expressed confidence that these companies will persist in their coordinated efforts to mitigate risks to national security.
The Salt Typhoon campaign, publicly disclosed in October 2024, was a widespread Chinese espionage operation that compromised major carriers including Verizon, AT&T, and T-Mobile. The hackers gained access to core systems utilized by the U.S. federal government for executing court-approved wiretaps, potentially enabling the interception of highly sensitive communications involving government personnel.
This regulatory reversal has met strong opposition. FCC Commissioner Anna M. Gomez cast the sole dissenting vote, voicing profound concern over the decision to rely on telecom providers to self-assess and manage their cybersecurity. Commissioner Gomez criticized the move as an inadequate strategy, declaring, “It is a hope and a dream that will leave Americans less protected than they were the day the Salt Typhoon breach was discovered.” She emphasized that Salt Typhoon was not an isolated incident but part of a sustained campaign by state-backed actors, warning that telecommunications networks continue to be prime targets for foreign adversaries, with similar exploitation attempts ongoing.
Prior to the FCC’s vote, Senators Maria Cantwell and Gary Peters also submitted letters urging the agency to maintain the established cybersecurity safeguards, underscoring the ongoing and serious nature of the threat. The commission’s decision places the onus for robust cybersecurity squarely on the telecommunications industry itself, a shift that critics argue could leave critical infrastructure and national security vulnerable.
(Source: Bleeping Computer)



