The US federal government is rolling back mandates intended to protect critical infrastructure following the widespread Salt Typhoon attacks.
The Federal Communication Commission (FCC) has reversed a January 2025 Declaratory Ruling requiring US telecom providers to adopt and certify stricter cybersecurity measures. The ruling took effect under the Communications Assistance for Law Enforcement Act (CALEA), which requires telecom providers and manufacturers to design their services and equipment in a way that allows for surveillance when legally requested by law enforcement.
But the reversal has been slammed by the FCC’s own commissioner, and security experts are looking askance.
“This is the cyber equivalent of hanging a ‘come kick me’ sign on critical infrastructure and national cyber security,” said David Shipley, CEO of Beauceron Security.
FCC: Declaratory Ruling ‘unlawful and ineffective’
The Salt Typhoon attacks, disclosed in October 2024, have impacted some of the largest US communication companies, and countless others, with hackers accessing core systems used by the US government and potentially intercepting highly-sensitive information related to high-ranking officials.
The January Declaratory Ruling established legal obligations for telecom carriers to secure their networks against “unlawful access and interception,” underscoring that they are responsible for not only their equipment, but how they manage their networks.
The decision included a Notice of Proposed Rulemaking (NPRM) requiring telecom companies to create, update, and implement cybersecurity risk management plans, and certify them annually.
However, this week the FCC claimed that the Declaratory Ruling “misconstrued” CALEA, calling it “flawed,” and “unlawful and ineffective.”
According to the agency, their action follows “months-long engagement with communications service providers” in which they have demonstrated a “strengthened cybersecurity posture” following Salt Typhoon.
These providers have agreed to undertake “extensive, urgent, and coordinated efforts” to protect their networks against cyberattacks, mitigate operational risks, protect consumers, and preserve national security interests, according to the FCC.
The Commission added that it has taken “a series of actions” to harden communication networks and improve security. This includes establishing a Council on National Security that engages with security partners, and adopting targeted rules for critical infrastructure that don’t impose “inflexible and ambiguous requirements,” such as a mandate that submarine cable licenses only be granted after risk management plans are in place.
Further, the FCC has banned “bad labs,” equipment-testing companies owned or controlled by foreign adversaries (notably China), from its equipment authorization program to ensure “no such entities are subject to untrustworthy actors that pose a risk to national security.”
Salt Typhoon still reverberating
Salt Typhoon impacted major carriers including AT&T, Charter Communications, Consolidated Communications, Lumen Technologies, T-Mobile, Verizon, and Windstream. But law enforcement and intelligence agencies caution that its impact is far more widespread, exposing at least 200 US organizations, plus entities in 80 other countries.
According to federal investigations, the attack allowed the Chinese government to record phone calls, geolocate millions of individuals, and target specific individuals including the US president and vice president. The group initially exploited the routers of telecom providers, using the devices and trusted connections to move into other networks and, among other actions, access information on wiretap systems used by federal law enforcement.
Salt Typhoon is “one of the worst cyberattacks in history,” said US Senator Maria Cantwell, ranking member of the Senate Committee on Commerce, Science and Transportation, who strongly opposed the ruling’s reversal.
FCC Commissioner Anna M. Gomez, the only FCC member who voted against the decision, noted that the move “will leave Americans less protected than they were the day the Salt Typhoon breach was discovered.”
Reversal ‘leaves the country less secure’
The January Declaratory Ruling was the “only concrete federal regulatory action” taken in response to the Salt Typhoon attack, she noted. The attempt by the Chinese-backed group will not be the last, she emphasized; in fact, without stronger security controls, it will also “not be the last successful one.”
“The FCC leaves the country less secure at the very moment when these threats are increasing,” said Gomez.
Senator Cantwell pointed out that the reversal has come after “heavy lobbying” to reverse it from the very telecom providers targeted by Salt Typhoon. She had previously demanded that CEOs at Verizon and AT&T document how they were remediating exploits that “deeply penetrated their networks,” but they have failed to provide this information.
“I am concerned that [the FCC] move to drop cybersecurity requirements on carriers is part of a pattern of weakness on national security issues,” Cantwell argued.
Beauceron’s Shipley was less measured in his criticism of the reversal. He called it “shockingly incompetent,” particularly in light of how much damage Chinese nation state hackers have done in the telecommunication sector over the past two years. Hopefully, Congress will step in, he said.
Ultimately, he said, “I would struggle to find a dumber idea than rolling back the cyber security standards for telecommunications providers.”
No Responses