FCC eases cybersecurity rules for US telecom companies and why it may be 'Big' problem for Americans
The Federal Communications Commission (FCC) has reportedly voted to eliminate rules that mandated US phone and internet companies to meet minimum cybersecurity requirements. The repealed regulations required telecommunications carriers to “secure their networks from unlawful access or interception of communications.” A letter from Senator Maria Cantwell noted that lobbying by telecommunication companies pushed back against the framework, saying it was too difficult and costly for their operations. In response, the FCC said the earlier rule was not flexible enough and has now withdrawn it. The official announcement said that the rule included "flawed legal analysis and proposed ineffective cybersecurity requirements"
while the latest action "follows months-long engagement with communications service providers where they have demonstrated a strengthened cybersecurity posture following Salt Typhoon."
The hacking campaign, attributed to the China-backed group Salt Typhoon cybercrime group, involved exposing over 200 US phone and internet companies, including AT&T, Verizon and Lumen. The multi-year hacking operation conducted broad-scale surveillance of American officials. In some instances, the hackers targeted wiretap systems that telcos were required to install for law enforcement access.
The FCC announcement explained: "Since January, the Commission has taken a series of actions to harden communications networks and improve their security posture to enhance the agency’s investigative process into communications networks outages that result from cyber incidents. The Commission established a Council on National Security to facilitate the Commission’s engagement with national security partners and mitigate America’s vulnerabilities to cyberattacks, espionage, and surveillance by foreign adversaries. It has also adopted targeted rules to address the greatest cybersecurity risks to critical communications infrastructure without imposing inflexible and ambiguous requirements, for example requiring submarine cable licensees to create and implement cybersecurity risk management plans. The FCC has also adopted rules to ban 'bad labs' in the FCC’s equipment authorization program to ensure no such entities are subject to untrustworthy actors that pose a risk to national security."
What some US lawmakers are 'not happy' with FCC’s decision
According to a report by TechCrunch, the rules implemented by the Biden administration in January were withdrawn by the FCC after two commissioners appointed by US President Donald Trump , Chairman Brendan Carr and Olivia Trusty, voted to eliminate them. However, FCC Commissioner Anna Gomez criticised the decision, calling the rules the “only meaningful effort this agency has advanced” since the discovery of a sweeping hacking campaign, the report added. Gomez also noted that cooperation with the telecommunications industry is valuable for cybersecurity, but it is not enough on its own.
“Handshake agreements without teeth will not stop state-sponsored hackers in their quest to infiltrate our networks. They won’t prevent the next breach. They do not ensure that the weakest link in the chain is strengthened. If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon,”Gomez said criticising the decision.
The report also notes that the FCC’s decision to revise the rules drew criticism from senior US lawmakers, including Sen. Gary Peters (D-MI), the ranking member of the Senate Homeland Security Committee. Peters said he was “disturbed” by the FCC’s attempt to undo “basic cybersecurity safeguards” and cautioned that the change will “leave the American people exposed.”
In a statement, Sen. Mark Warner (D-VA), the ranking member of the Senate Intelligence Committee, said the rule change “leaves us without a credible plan” to address the fundamental security weaknesses exploited by Salt Typhoon and similar threats.
Meanwhile, the NCTA, which represents the telecommunications industry, supported the removal of the rules and described them as “prescriptive and counterproductive regulations.”
The hacking campaign, attributed to the China-backed group Salt Typhoon cybercrime group, involved exposing over 200 US phone and internet companies, including AT&T, Verizon and Lumen. The multi-year hacking operation conducted broad-scale surveillance of American officials. In some instances, the hackers targeted wiretap systems that telcos were required to install for law enforcement access.
The FCC announcement explained: "Since January, the Commission has taken a series of actions to harden communications networks and improve their security posture to enhance the agency’s investigative process into communications networks outages that result from cyber incidents. The Commission established a Council on National Security to facilitate the Commission’s engagement with national security partners and mitigate America’s vulnerabilities to cyberattacks, espionage, and surveillance by foreign adversaries. It has also adopted targeted rules to address the greatest cybersecurity risks to critical communications infrastructure without imposing inflexible and ambiguous requirements, for example requiring submarine cable licensees to create and implement cybersecurity risk management plans. The FCC has also adopted rules to ban 'bad labs' in the FCC’s equipment authorization program to ensure no such entities are subject to untrustworthy actors that pose a risk to national security."
What some US lawmakers are 'not happy' with FCC’s decision
According to a report by TechCrunch, the rules implemented by the Biden administration in January were withdrawn by the FCC after two commissioners appointed by US President Donald Trump , Chairman Brendan Carr and Olivia Trusty, voted to eliminate them. However, FCC Commissioner Anna Gomez criticised the decision, calling the rules the “only meaningful effort this agency has advanced”
“Handshake agreements without teeth will not stop state-sponsored hackers in their quest to infiltrate our networks. They won’t prevent the next breach. They do not ensure that the weakest link in the chain is strengthened. If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon,”
The report also notes that the FCC’s decision to revise the rules drew criticism from senior US lawmakers, including Sen. Gary Peters (D-MI), the ranking member of the Senate Homeland Security Committee. Peters said he was “disturbed” by the FCC’s attempt to undo “basic cybersecurity safeguards” and cautioned that the change will “leave the American people exposed.”
In a statement, Sen. Mark Warner (D-VA), the ranking member of the Senate Intelligence Committee, said the rule change “leaves us without a credible plan” to address the fundamental security weaknesses exploited by Salt Typhoon and similar threats.
Meanwhile, the NCTA, which represents the telecommunications industry, supported the removal of the rules and described them as “prescriptive and counterproductive regulations.”
Next Story