FCC rolls back telecom cybersecurity rules
Add Axios as your preferred source to
see more of our stories on Google.
Brendan Carr, commissioner at the Federal Communications Commission (FCC), at an open commission meeting in September. Photo: Kent Nishimura/Bloomberg via Getty Images
The Federal Communications Commission voted to rescind cybersecurity rules for telecommunications providers a year after the U.S. government discovered a wide-reaching, China-backed hack of their networks.
Why it matters: The agency is now relying on industry collaboration to ensure that major telcos can prevent another nation-state cyberattack.
Driving the news: The FCC voted 2-1 on Thursday to revoke a ruling the commission approved in the last days of the Biden administration that required telecommunications providers to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA).
- FCC Chair Brendan Carr argued that the commission's initial efforts were "neither lawful nor effective," arguing that CALEA was not the right vehicle for these regulations.
- "It would neither respond to the nature of the relevant cybersecurity threats, nor was it consistent with the agile and collaborative approach to cybersecurity that has proven successful," Carr said at the meeting.
Catch up quick: The Biden FCC approved using CALEA authorities for telecom cybersecurity in response to the China-backed Salt Typhoon hack, which officials now estimate impacted at least 600 organizations in more than 80 countries.
- The rule required telecom providers to attest each year they had created, updated and implemented a cybersecurity risk management plan.
- The agency was also collecting comments to inform official requirements for what telcos needed to include in those plans.
The intrigue: Executives at these telecommunications firms have agreed to implement additional cybersecurity controls, including accelerated patching, reviewing access controls, improving threat-hunting efforts and disabling any unnecessary outbound connections, according to the order that commissioners voted on Thursday.
- The companies have also agreed to increase the level of information-sharing they do with the federal government, Carr said.
- Leon Kenworthy, chief of the FCC's cybersecurity division, said during the meeting that the rules were "redundant" because of the steps industry has taken on its own.
The other side: Sen. Maria Cantwell (D-Wash.), ranking member of the Senate Commerce Committee, said "our efforts should be focused on further enhancing the cybersecurity of our critical infrastructure networks, not rolling back existing protections."
- Sen. Gary Peters (D-Mich.), ranking member of the Senate Homeland Security Committee, said he was "disturbed by the FCC's efforts to roll back these basic cybersecurity safeguards."
- Democratic Commissioner Anna Gomez said at Thursday's meeting that the rules sought to create accountability and an enforceable framework that would harden networks against future attempted cyberattacks.
- "Simply trusting industry to police itself is an invitation for the next breach," Gomez said.
The big picture: The Trump administration has yet to publicly respond to the Salt Typhoon hack. Hackers reportedly broke into phones belonging to President Trump, VP J.D. Vance and other high-profile politicians.
What to watch: The House of Representatives passed a bill that would require the administration to establish an interagency group, led by the Cybersecurity and Infrastructure Security Agency, to respond to recent China-backed hacks.
Go deeper: China's hacking machine wants your data and knows how to get it
