As the United States intensifies efforts to eliminate Chinese influence from its telecommunications networks, Jessica Rosenworcel, the outgoing Democratic chair of the Federal Communications Commission (FCC), emphasizes the necessity for robust oversight in the telecommunications sector. This call for vigilance comes in light of the recent “Salt Typhoon” hacking campaign, which successfully infiltrated at least nine U.S. telecom companies, enabling unauthorized access to American communications and law enforcement wiretap systems. The breach has underscored significant cyber vulnerabilities within U.S. carriers, including a crucial lapse where an AT&T administrator account operated without basic security measures.
In response to this unprecedented incursion, Rosenworcel used her final days in office to propose enhanced cybersecurity requirements for telecom operators. The FCC narrowly approved her proposal, yet its future remains uncertain as control of the commission shifts to Brendan Carr, a Republican ally of president-elect Donald Trump, who opposed the regulatory framework. This transition raises concerns about a potential rollback of the proposed measures aimed at fortifying telecom infrastructure.
In a recent interview, Rosenworcel reaffirmed the importance of regulation in addressing the national security challenges posed by telecom cybersecurity gaps. She expressed her frustration with any Republican inclination to allow telecom companies to self-regulate during a time when the industry is grappling with what has been labeled the most significant telecom hack in U.S. history.
Her proposed regulatory approach consists of two main actions: asserting that the 1994 Communications Assistance for Law Enforcement Act necessitates implementing basic cybersecurity defenses alongside compliance with wiretap requirements, and mandating that a broader array of telecom companies develop comprehensive cyber risk management strategies, coupled with annual confirmations of their adherence to these plans. She characterizes these measures as a rational and necessary step in the wake of a significant cyber threat.
Rosenworcel’s insistence that American networks must adopt minimum cybersecurity standards stands in stark contrast to the prevailing resistance among Republican lawmakers, who traditionally align with telecom industry interests against regulatory expansions. For instance, Senator Ted Cruz, now chairing the Commerce Committee, referred to Rosenworcel’s initiatives as insufficient, labeling them a temporary fix to a deeper systemic issue.
Brendan Carr’s opposition to the new regulations further signals potential challenges ahead. Although he has previously acknowledged the gravity of the Salt Typhoon incidents, he, alongside fellow Republican commissioner Nathan Simington, voted against the proposal, indicating a likely continuation of a hands-off approach to telecom regulation should he assume a more influential role post-inauguration.
Analyzing the tactics employed in the Salt Typhoon campaign reveals potential connections to various MITRE ATT&CK adversary techniques, including initial access, where vulnerabilities in telecom infrastructure were exploited, and persistence, allowing hackers to maintain access over extended periods. These tactics raise alarms about the preparedness of U.S. telecommunications in safeguarding against future nation-state threats, emphasizing the growing need for strengthened regulatory frameworks and security protocols.
In conclusion, while Rosenworcel’s proposals represent a critical step toward addressing vulnerabilities within the telecommunications sector, the impending political landscape poses significant hurdles to their implementation, underscoring an urgent need for proactive industry governance to counteract sophisticated cyber threats.
