FCC rolls back cybersecurity rules for telcos, despite state-hacking risks

The Federal Communications Commission (FCC) has rolled back a previous ruling that required U.S. telecom carriers to implement stricter cybersecurity measures following the massive hack from the Chinese threat group known as Salt Typhoon.

The ruling came in January 2025 and took effect immediately under the Communications Assistance for Law Enforcement Act (CALEA), in response to Salt Typhoon’s breaching multiple carriers to spy on private communications.

Along with Section 105 of the CALEA, the declaratory ruling included a Notice of Proposed Rulemaking (NPRM) for telecom companies to:

  • Create and implement cybersecurity risk-management plans
  • Submit annual FCC certifications proving they were doing so
  • Treat general network cybersecurity as a legal obligation

Following lobbying from telecommunication firms that, according to a letter from Senator Maria Cantwell, found the new framework too cumbersome and taxing for their operations, the FCC has now deemed the prior rule inflexible and retracted it.

“The Federal Communications Commission today took action to correct course and rescind an unlawful and ineffective prior Declaratory Ruling misconstruing the Communications Assistance for Law Enforcement Act (CALEA),” reads the FCC announcement.

“The Order also withdraws an NPRM that accompanied that Declaratory Ruling, which was based in part on the Declaratory Ruling’s flawed legal analysis and proposed ineffective cybersecurity requirements.”

The FCC, which is now under new leadership, noted that communications service providers have taken important steps to strengthen their cybersecurity posture following the Salt Typhoon incidents, and have agreed to continue along this path in a coordinated manner, reducing risks to national security.

Disclosed in October 2024, the Salt Typhoon attacks were linked to a Chinese espionage campaign that impacted several companies, including Verizon, AT&T, Lumen Technologies [1], T-Mobile [2], Charter Communications, Consolidated Communications [3], and Windstream [4].

The hackers accessed core systems that the U.S. federal government used for court-authorized network wiretapping requests, and potentially intercepted extremely sensitive information, up to the level of government officials.

FCC’s plan met with criticism

Given that the risk for similar hacker operations remains unchanged, the FCC’s latest decision was met with criticism.

Commissioner Anna M. Gomez, the only one voting against the current decision, expressed frustration about the reliance on telecom providers for self-evaluating their cybersecurity stance and the effectiveness of the protective measures.

“Its [FCC's] proposed rollback is not a cybersecurity strategy,” stated Gomez. “It is a hope and a dream that will leave Americans less protected than they were the day the Salt Typhoon breach was discovered.”

“Salt Typhoon was not a one-off event but part of a broader campaign by state-sponsored actors to infiltrate telecommunications networks over long periods of time,” Gomez warned in her statement.

“Federal officials have stated publicly that similar reconnaissance and exploitation attempts are ongoing today, and that telecommunications networks remain high-value targets for foreign adversaries,” the official said.

Senators Maria Cantwell and Gary Peters also sent letters to the FCC before the vote, urging the agency to maintain the cybersecurity safeguards.

BleepingComputer has emailed the FCC for a statement and will update the article when we get a reply.
