{"id":5914,"date":"2025-11-22T00:46:12","date_gmt":"2025-11-22T00:46:12","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5914"},"modified":"2025-11-22T00:46:12","modified_gmt":"2025-11-22T00:46:12","slug":"fcc-reversal-removes-federal-cyber-safeguards-targeting-telecom-weaknesses-post-salt-typhoon-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5914","title":{"rendered":"FCC reversal removes federal cyber safeguards targeting telecom weaknesses post-Salt Typhoon attacks"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

The US federal government is rolling back mandates intended to protect critical infrastructure following the widespread Salt Typhoon<\/a> attacks.<\/p>\n

The Federal Communication Commission (FCC) has reversed<\/a> a January 2025 Declaratory Ruling requiring US telecom providers to adopt and certify stricter cybersecurity measures. The ruling took effect under the Communications Assistance for Law Enforcement Act (CALEA), which requires telecom providers and manufacturers to design their services and equipment in a way that allows for surveillance when legally requested by law enforcement.<\/p>\n

But the reversal has been slammed by the FCC\u2019s own commissioner, and security experts are looking askance.<\/p>\n

\u201cThis is the cyber equivalent of hanging a \u2018come kick me\u2019 sign on critical infrastructure and national cyber security,\u201d said David Shipley<\/a>, CEO of Beauceron Security.<\/p>\n

FCC: Declaratory Ruling \u2018unlawful and ineffective\u2019<\/h2>\n

The Salt Typhoon attacks<\/a>, disclosed in October 2024, have impacted some of the largest US communication companies, and countless others, with hackers accessing core systems used by the US government and potentially intercepting highly-sensitive information related to high-ranking officials.<\/p>\n

The January <\/a>Declaratory Ruling<\/a> established legal obligations for telecom carriers to secure their networks against \u201cunlawful access and interception,\u201d underscoring that they are responsible for not only their equipment, but how they manage their networks.<\/p>\n

The decision included a Notice of Proposed Rulemaking<\/a> (NPRM) requiring telecom companies to create, update, and implement cybersecurity risk management plans, and certify them annually.<\/p>\n

However, this week the FCC claimed that the Declaratory Ruling \u201cmisconstrued\u201d CALEA, calling it \u201cflawed,\u201d and \u201cunlawful and ineffective.\u201d<\/p>\n

According to the agency, their action follows \u201cmonths-long engagement with communications service providers\u201d in which they have demonstrated a \u201cstrengthened cybersecurity posture\u201d following Salt Typhoon.<\/p>\n

These providers have agreed to undertake \u201cextensive, urgent, and coordinated efforts\u201d to protect their networks against cyberattacks, mitigate operational risks, protect consumers, and preserve national security interests, according to the FCC.<\/p>\n

The Commission added that it has taken \u201ca series of actions\u201d to harden communication networks and improve security. This includes establishing a Council on National Security<\/a> that engages with security partners, and adopting targeted rules for critical infrastructure that don\u2019t impose \u201cinflexible and ambiguous requirements,\u201d such as a mandate that submarine cable licenses only be granted after risk management plans are in place.<\/p>\n

Further, the FCC has banned \u201cbad labs,\u201d equipment-testing companies owned or controlled by foreign adversaries (notably China), from its equipment authorization program to ensure \u201cno such entities are subject to untrustworthy actors that pose a risk to national security.\u201d<\/p>\n

Salt Typhoon still reverberating<\/h2>\n

Salt Typhoon impacted major carriers including AT&T, Charter Communications, Consolidated Communications, Lumen Technologies, T-Mobile, Verizon, and Windstream. But law enforcement and intelligence agencies caution that its impact is far more widespread, exposing at least 200 US organizations, plus entities in 80 other countries.<\/p>\n

According to federal investigations, the attack allowed the Chinese government to record phone calls, geolocate millions of individuals, and target specific individuals including the US president and vice president. The group initially exploited the routers of telecom providers, using the devices and trusted connections to move into other networks and, among other actions, access information on wiretap systems used by federal law enforcement.<\/p>\n

Salt Typhoon is \u201cone of the worst cyberattacks in history,\u201d said US Senator Maria Cantwell<\/a>, ranking member of the Senate Committee on Commerce, Science and Transportation, who strongly opposed the ruling\u2019s reversal.<\/p>\n

FCC Commissioner Anna M. Gomez<\/a>, the only FCC member who voted against the decision, noted that the move<\/a> \u201cwill leave Americans less protected than they were the day the Salt Typhoon breach was discovered.\u201d<\/p>\n

Reversal \u2018leaves the country less secure\u2019<\/h2>\n

The January Declaratory Ruling was the \u201conly concrete federal regulatory action\u201d taken in response to the Salt Typhoon attack, she noted. The attempt by the Chinese-backed group will not be the last, she emphasized; in fact, without stronger security controls, it will also \u201cnot be the last successful one.\u201d<\/p>\n

\u201cThe FCC leaves the country less secure at the very moment when these threats are increasing,\u201d said Gomez.<\/p>\n

Senator Cantwell pointed out that the reversal has come after \u201cheavy lobbying\u201d to reverse it from the very telecom providers targeted by Salt Typhoon. She had previously demanded that CEOs at Verizon and AT&T document how they were remediating exploits that \u201cdeeply penetrated their networks,\u201d but they have failed to provide this information.<\/p>\n

\u201cI am concerned that [the FCC] move to drop cybersecurity requirements on carriers is part of a pattern of weakness on national security issues,\u201d Cantwell argued.<\/p>\n

Beauceron\u2019s Shipley was less measured in his criticism of the reversal. He called it \u201cshockingly incompetent,\u201d particularly in light of how much damage Chinese nation state hackers have done in the telecommunication sector over the past two years. Hopefully, Congress will step in, he said.<\/p>\n

Ultimately, he said, \u201cI would struggle to find a dumber idea than rolling back the cyber security standards for telecommunications providers.\u201d\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

The US federal government is rolling back mandates intended to protect critical infrastructure following the widespread Salt Typhoon attacks. The Federal Communication Commission (FCC) has reversed a January 2025 Declaratory Ruling requiring US telecom providers to adopt and certify stricter cybersecurity measures. The ruling took effect under the Communications Assistance for Law Enforcement Act (CALEA), […]<\/p>\n","protected":false},"author":0,"featured_media":5915,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5914","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5914"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5914"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5914\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5915"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5914"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5914"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}