FCC Rescinds Rules Requiring Telecoms to Secure Their Networks to Prevent Hacks

The Federal Communications Commission is rescinding an effort meant to protect US telecom networks from Chinese hackers at a time when the breaches have been described as perhaps the worst in US history.

In a Thursday meeting, the FCC voted 2-1 to withdraw a January ruling approved by the Biden administration to require telecommunications carriers to bolster their cybersecurity defenses.

At the time, the FCC invoked Section 105 of Communications Assistance for Law Enforcement Act, paving a way for the regulator to pursue fines or even criminal charges against companies that failed to secure their networks. This came after a Chinese state-sponsored hacking group, dubbed Salt Typhoon, had been found collecting data and snooping on calls from White House officials and politicians, including President Trump.

Salt Typhoon continues to exploit known vulnerabilities in telecom networks, according to the FCC’s own report. But even so, Trump‘s pick for FCC chair, Brendan Carr, says the January ruling is unlawful and ineffective.

It “offers no guidance about which particular vulnerabilities to prioritize or which at-risk information to protect, leaving carriers with a burdensome and inchoate compliance standard that does little to secure communications networks and protect national security,” Carr says.

In Thursday’s meeting, Carr acknowledged that Salt Typhoon infiltrated at least eight US telecom companies. But he said he’s focused on collaborating with the private sector to try and stamp out the threat while working within the bounds of existing US law.

“The FCC has worked directly with carriers who’ve agreed to make extensive, coordinated efforts to harden their networks against a range of cyberintrusions,” he said. “These have included accelerating patching of outdated or vulnerable equipment, updating or reviewing access controls, disabling unnecessary outbound connections, improving their threat hunting efforts, and increasing cybersecurity information sharing.”

Carr also noted that he voted against the original January ruling, which happened before he was named chair, claiming it was hastily constructed and that no US intelligence officials had encouraged him to vote for it.

Recommended by Our Editors

However, Democratic Commissioner Anna Gomez dissented from Thursday’s vote, saying the Salt Typhoon breaches underscore “how few incentives exist” for telecoms to address the IT flaws that enabled the wide-scale spying campaign. “Sadly, the Commission today reverses the only meaningful effort this agency has advanced in response to that attack,” she said.

“Collaboration is not a substitution for obligation. Handshake agreements without teeth will not stop state-sponsored hackers from their quest to infiltrate our networks,” Gomez later added. “If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon.”

Meanwhile, US Senator Maria Cantwell (D-Wash.) has accused Carr of bowing to the telecom industry. “You have now proposed to reverse this requirement after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers,” she wrote to Carr earlier this week. “Your proposal to rescind this ruling would undermine the FCC’s ability to hold carriers accountable for protecting our nation’s critical communications infrastructure.”