The Federal Communications Commission will vote next month on whether to eliminate cybersecurity requirements for telecom carriers that the commission enacted under its previous leadership following sweeping Chinese government cyberattacks on telecoms.
In a blog post published on Wednesday, FCC Chair Brendan Carr said the commission’s November agenda would include a vote to undo its Jan. 15 declaration that the 1994 Communications Assistance for Law Enforcement Act (CALEA) “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.”
Carr, who voted against that declaration at the time, described it on Wednesday as an “eleventh hour” ruling that “both exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.”
“We’re correcting course,” he said of the plan to eliminate the CALEA declaration.
When the FCC issued the declaration, it proposed implementing the mandate by requiring telecoms to adopt cybersecurity plans with reasonable measures to prevent network intrusions and service disruptions and mitigate supply-chain threats. Carr’s blog post did not explicitly address those proposed rules, but discarding their legal basis would effectively mean abandoning them.
An FCC spokesperson was unavailable for comment because of the ongoing government shutdown.
Discarding the CALEA declaration and proposed rules would eliminate the U.S. government’s most substantial response to the widespread cybersecurity failures in the U.S. telecom industry that China’s Salt Typhoon hacking campaign exposed in late 2024. In an espionage operation widely considered one of the most damaging cyber incidents in U.S. history, China-linked hackers penetrated U.S. telecom networks and accessed information about federal wiretaps, the call recordings of high-profile Americans and more than a million other people’s call and text metadata.
There are effectively no federal cybersecurity requirements for U.S. telecom operators, which have repeatedly experienced major breaches as hackers target their out-of-date, poorly managed infrastructure. In an interview after the FCC issued the January declaration, then-chair Jessica Rosenworcel argued that the commission was filling a dangerous void. “Either you take serious action or you don’t,” she said.
With Carr moving to undo Rosenworcel’s actions, it is unclear how the FCC plans to continue to exercise cybersecurity oversight of telecom carriers. In his blog post, Carr alluded to “extensive FCC engagement with carriers” and said the commission would soon describe “the substantial steps that providers have taken to strengthen their cybersecurity defenses.”
Hours after Carr announced his plan, news organizations reported that suspected nation-state operatives had hacked a backbone technology provider for U.S. and international telecom operators and remained undetected in its networks for nearly a year.
