In a significant shift in policy, the Federal Communications Commission (FCC) plans to vote in November on repealing a key ruling that requires telecom providers to bolster the security of their networks. The move responds to lobbying efforts from major Internet service providers and is raising concerns among cybersecurity experts and stakeholders.
FCC Chairman Brendan Carr stated that the original ruling, enacted in January shortly before the Republican majority took control, “exceeded the agency’s authority” and was ineffective in addressing the pressing cybersecurity threats of our time. The anticipated vote on November 20 follows what Carr described as “extensive engagement” between the FCC and telecom carriers, who he claims have already taken “substantial steps” to enhance their cybersecurity measures.
The January 2025 declaratory ruling emerged in the aftermath of several attacks attributed to Chinese state actors, including the high-profile Salt Typhoon campaign, which targeted major telecom providers like Verizon and AT&T. This ruling indicated that the Communications Assistance for Law Enforcement Act (CALEA) requires telecom companies to safeguard their networks against unauthorized access and eavesdropping.
The January order articulated that CALEA imposes an obligation on telecommunications carriers to prevent potential misuse of untrusted equipment that could lead to illegal surveillance. It underscored that the responsibilities outlined in Section 105 of CALEA extend not only to the equipment utilized in network infrastructures but also to the overall management of those networks.
This declaratory ruling was coupled with a Notice of Proposed Rulemaking, which aimed to implement stricter regulations mandating specific cybersecurity practices. Carr opposed the previous decision at that time, acknowledging the challenges involved in ensuring compliance without definitive rules.
While the declaratory ruling itself lacked concrete directives, it was viewed as a significant framework with substantial implications. The FCC previously noted that telecommunications providers could struggle to meet their statutory obligations under CALEA without adopting foundational cybersecurity practices. Essential measures such as implementing role-based access controls, regularly updating passwords, and employing multi-factor authentication were highlighted as critical to securing sensitive systems. A carrier that fails to address known vulnerabilities or adhere to established best practices may not be fulfilling its statutory responsibilities.
As the FCC prepares for its upcoming vote, the implications for telecom providers and their vulnerability to cyber threats are increasingly alarming. Business owners in the tech sector should remain vigilant about the evolving cybersecurity landscape, given the potential for rising incidents stemming from weakened regulatory oversight. Repealing such regulations could leave more room for the adversary tactics catalogued in the MITRE ATT&CK framework, particularly Initial Access and Persistence, further exacerbating risks.
The forthcoming decision by the FCC may signal a pivotal moment in the ongoing battle against cyber threats, necessitating a proactive approach from industry leaders to safeguard their digital environments. The balance between regulatory oversight and corporate autonomy will be crucial in shaping the future of network security in the United States.