FCC proposes stringent security rules for US telecoms following major breaches
In response to mounting cybersecurity threats, the Federal Communications Commission (FCC) is pushing for new regulations aimed at tightening security across the telecommunications sector. The move follows revelations of the Salt Typhoon campaign, a sophisticated cyberattack that compromised critical telecom infrastructure in the US and beyond.
Proposed measures
Jessica Rosenworcel, the FCC's outgoing chair, announced a draft Declaratory Ruling that reinterprets section 105 of the Communications Assistance for Law Enforcement Act (CALEA), a decades-old law mandating lawful interception capabilities for telcos. Under the new interpretation, carriers would be required to safeguard their networks against unauthorized access and provide annual certifications detailing their cybersecurity efforts.
“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” Rosenworcel said in a statement. “As adversaries grow more capable, we must adapt and strengthen our defenses.”
If adopted, the new rules would take effect immediately, mandating telcos to:
Develop and update cybersecurity risk management plans.
Submit annual reports to the FCC attesting compliance with these security measures.
The FCC also plans to seek public input on additional measures to boost the resilience of communication systems.
Salt Typhoon: A wake-up call
The urgency of these proposals stems from the fallout of the Salt Typhoon cyberattack, reportedly orchestrated by state-backed Chinese hackers. The campaign exploited vulnerabilities in telecom infrastructure, compromising devices and wiretapping systems, and establishing a persistent presence across multiple US operators.
Addressing the scale of the breach, experts warned that remediation efforts might require replacing thousands of compromised switches and routers, underscoring the critical need for proactive defenses.
A global concern
The vulnerabilities exploited in the US are believed to exist worldwide, highlighting a broader regulatory failure and lax security practices within the telecom industry. To address this, the US Cybersecurity and Infrastructure Security Agency (CISA) recently issued guidance recommending encrypted communications to protect sensitive information—an ironic shift given historical efforts to weaken encryption for surveillance purposes.
What’s next?
While the proposed rules signal a strong stance on cybersecurity, they may face resistance from industry players concerned about compliance costs and operational impacts. However, the long-term risks of inaction far outweigh the short-term challenges of implementing robust security measures.