5 hours ago
3
After one of the biggest telecom hacks in US history, the Federal Communications Commission (FCC) moved to enforce strict standards on carriers’ cybersecurity measures. On Thursday, the agency is set to vote to roll back those requirements, arguing they were an unnecessary overstep of its authority.
The China-linked Salt Typhoon hack revealed last year impacted telecom companies including AT&T, Verizon, T-Mobile, and Lumen Technologies, The Wall Street Journal reported. The issue was so bad that US officials urged consumers in late 2024 to only communicate via encrypted apps, fearing adversaries may still be lurking in their carriers’ networks.
In response, the FCC, then led by Democratic Chair Jessica Rosenworcel, issued a declaratory ruling that imposed stronger security requirements on telecommunications providers, and issued a Notice of Proposed Rulemaking (NPRM) inviting public comment on how else the communications providers should secure their systems. Now, the FCC under Republican Chair Brendan Carr is seeking to roll back those actions amid a broader deregulation push.
Do you have a tip about the FCC or cybersecurity? Reach out securely and anonymously from a non-work device to Lauren Feiner via Signal at laurenfeiner.64.
The original ruling misinterpreted the FCC’s authority and was rushed into effect just before the change in administration, the fact sheet describing the order to rescind the rule says. Beyond that, it argues, its “vague and amorphous standard risks imposing costly new burdens on many providers that are either not relevant to the potential threats they face, or which are redundant because those providers may already employ sufficient cybersecurity practices to reasonably reduce the risk of successful exploits by the most sophisticated threat actors.” Telecom industry associations have called for the actions to be revoked, saying the FCC overstepped, and noting that service providers have already taken steps since the hack to harden their networks, and would continue to do so voluntarily.
“We are going to reverse the only meaningful effort this agency has advanced in response to that hack.”
Democratic Commissioner Anna Gomez, however, is not convinced that’s enough. The Salt Typhoon hack “was importantly a wake-up call, and it showed us how few incentives exist to force companies to address vulnerabilities that allowed that attack to happen,” she told The Verge in an interview. A White House national security adviser for the Biden administration said at the time that companies’ lack of some basic cybersecurity protections contributed to the hack. “When I received this draft order, it was very disappointing because we are going to reverse the only meaningful effort this agency has advanced in response to that hack,” Gomez said.
The vote comes at a time when US cyber defenses are already under strain, amid a draining of the federal workforce and ongoing political attacks against the federal government’s central cyber coordinator. Even if the post-Salt Typhoon actions are rescinded, Gomez said she hopes the FCC continues to collaborate with other agencies to address national security issues, but fears the Trump administration “is weakening our cyber defenses and our agencies that are focused on cyber. And I think we need an all-hands-on-deck strategy in order to address these vulnerabilities.”
Carr has framed the order to rescind as a course correction. But Gomez worries it’s taking away important tools and replacing them with nothing. “My fear is Americans will be less secure from the day this hack was discovered a little over a year ago,” she said. “And our adversaries will see this as an invitation, and will continue to prod our networks.”
Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.
