FCC eliminates cybersecurity requirements for telecom companies

The Federal Communications Commission on Thursday abandoned an effort to require telecommunications companies to meet minimum cybersecurity standards.

Commissioners voted 2-1 to undo the agency’s previous declaration that the 1994 Communications Assistance for Law Enforcement Act (CALEA) “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications,” and to eliminate proposed standards for meeting that requirement.

FCC Chairman Brendan Carr and his Republican colleague Olivia Trusty voted for the measure, while Democratic commissioner Anna Gomez voted against it.

“The Declaratory Ruling that we reconsider today was neither lawful nor effective,” Carr said before the commissioners voted during their monthly meeting on Thursday. “For these reasons, the commission votes today to reverse that rushed and 11th-hour approach to cybersecurity. In its place, we will continue our work to strengthen and harden the nation’s communications networks and infrastructure.”

Carr’s plan to undo the cybersecurity requirements — which the FCC adopted at the end of the Biden administration — drew criticism from prominent Democrats, who said telecoms should face higher security standards in the wake of China’s Salt Typhoon espionage campaign. That operation penetrated the telecoms’ poorly protected networks and gave Beijing access to a wide range of sensitive information.

Eliminating the security requirements “will leave the American people exposed and erode efforts to harden our national security against attacks like these in the future,” Senate Homeland Security Committee ranking member Gary Peters, D-Mich., said in a statement on Wednesday. Peters had urged the FCC to preserve the rules, saying “strong and commonsense cybersecurity standards are essential to consumer trust and national security.”

Senate Commerce Committee ranking member Maria Cantwell, D-Wash., also implored the FCC to preserve the rules. After Salt Typhoon, she wrote in a letter to Carr on Tuesday, “our efforts should be focused on further enhancing the cybersecurity of our critical infrastructure networks, not rolling back existing protections.” She said eliminating the security requirements “would undermine the FCC’s ability to hold carriers accountable for protecting our nation’s critical communications infrastructure.”

Gomez, too, savaged Carr’s plan. In comments before the vote, she accused the FCC of leaving the country “less safe at the very moment when these threats are increasing.” In a statement on Wednesday, she said the move would “leave Americans less protected than they were the day the Salt Typhoon breach was discovered.”

Carr rejected those criticisms on Thursday. “Doing anything just so we can say we did something is not the answer,” he said.

The FCC’s vote represents a victory for the telecom industry, which had argued that the rules were overly burdensome and unnecessary. The industry has said that its members have significantly improved both their network security and their collaboration practices since the discovery of Salt Typhoon.

Carr endorsed the industry’s progress in his statement before the vote. Telecom companies “have agreed to make extensive, coordinated efforts to harden their networks against a range of cyber intrusions,” he said, including speeding up their patching processes, disabling unnecessary network connections, improving their threat-hunting activities and sharing more information with each other and the government.

But Gomez warned on Thursday that telecoms would not harden their networks enough to block nation-state hackers unless the government required them to do so.

“If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon,” she said. “Partnership and collaboration that carry no enforceable accountability are insufficient by design. Simply trusting industry to police itself is an invitation for the next breach.”


