FCC Dismantles Cybersecurity Regulations for Telcos, Ignoring State-Sponsored Hacking Threats

The Federal Communications Commission (FCC) has recently reversed a decision that mandated U.S. telecom carriers to enforce stringent cybersecurity protocols following a significant breach by the Chinese threat group, Salt Typhoon.

This ruling, issued in January 2025, was promptly enacted under the Communications Assistance for Law Enforcement Act (CALEA) in response to Salt Typhoon’s infiltration of multiple carriers for the purpose of monitoring private communications.

As part of the CALEA Section 105 ruling, telecom companies were required to create and implement cybersecurity risk-management plans, submit annual FCC certifications to demonstrate compliance, and regard network cybersecurity as a legal obligation.

• Develop and execute cybersecurity risk-management strategies
• Provide annual FCC certifications to validate compliance
• Recognize general network cybersecurity as a legal responsibility

Following lobbying efforts by telecommunication companies, citing operational challenges, the FCC has rescinded the previous rule due to its perceived inflexibility.

The FCC’s announcement stated, “The Federal Communications Commission today took action to correct course and rescind an unlawful and ineffective prior Declaratory Ruling misconstruing the Communications Assistance for Law Enforcement Act (CALEA).”

“The Order also withdraws an NPRM that accompanied that Declaratory Ruling, which was based in part on the Declaratory Ruling’s flawed legal analysis and proposed ineffective cybersecurity requirements.”

Under new leadership, the FCC acknowledged that communications service providers have enhanced their cybersecurity defenses in response to the Salt Typhoon incidents, committing to ongoing improvement to mitigate national security risks.

Uncovered in October 2024, the Salt Typhoon attacks were attributed to a Chinese espionage operation affecting various companies, including Verizon, AT&T, Lumen Technologies, T-Mobile, Charter Communications, Consolidated Communications, and Windstream.

The breach allowed hackers to infiltrate core systems utilized by the U.S. federal government for authorized network surveillance requests, potentially compromising sensitive information, including data of government officials.

FCC’s Decision Criticized

Despite persistent cybersecurity threats, the FCC’s recent decision has faced criticism.

Commissioner Anna M. Gomez, the sole dissenting vote, expressed concerns about the reliance on telecom providers for self-assessing their cybersecurity posture and the efficacy of protective measures.

Gomez remarked, “Its [FCC’s] proposed rollback is not a cybersecurity strategy. It is a hope and a dream that will leave Americans less protected than they were the day the Salt Typhoon breach was discovered.”

She further warned, “Salt Typhoon was not an isolated incident but part of an extensive campaign by state-sponsored actors to infiltrate telecommunications networks over prolonged periods.”

“Federal officials have publicly acknowledged ongoing reconnaissance and exploitation attempts by foreign adversaries targeting telecommunications networks,” Gomez emphasized.

Sens. Maria Cantwell and Gary Peters had urged the FCC to uphold cybersecurity safeguards in letters prior to the decision.

BleepingComputer has reached out to the FCC for a statement and will update the article accordingly.