The Federal Communications Commission (FCC) has voted to dismantle key cybersecurity regulations for U.S. phone and internet providers, a move that has sparked significant concern amidst escalating cyber threats, including recent high-profile attacks by a China-backed hacking group. The 2-1 decision, split along party lines, eliminates minimum cybersecurity requirements that telecom giants were previously mandated to meet.

Two Trump-appointed FCC commissioners, Chairman Brendan Carr and his Republican colleague Olivia Trusty, cast the votes to withdraw the rules. These regulations had required telecommunications carriers to "secure their networks from unlawful access or interception of communications." The FCC had adopted these rules in early 2023, during the Biden administration's tenure, as part of a broader effort to bolster national cybersecurity. For more details on the initial proposal, refer to the FCC's cybersecurity proposal and ruling.

The FCC's sole Democratic commissioner, Anna Gomez, strongly dissented from the decision. In a statement following the vote, Gomez emphasized that the now-overturned rules represented "the only meaningful effort this agency has advanced" since the discovery of a widespread hacking campaign by a China-backed group known as Salt Typhoon.

Salt Typhoon's Extensive Infiltration

The Salt Typhoon hacking group gained notoriety for its sophisticated and extensive infiltration of U.S. critical infrastructure. The campaign involved hacking into a raft of over 200 U.S. phone and internet companies, including major players like AT&T, Verizon, and Lumen. This years-long operation was primarily aimed at conducting broad-scale surveillance of American officials. Disturbingly, in some instances, the hackers even targeted wiretap systems that U.S. law enforcement had previously required telcos to install for access.

Lawmakers Express Alarm

The FCC's decision to roll back these cybersecurity safeguards has drawn sharp criticism from senior lawmakers. Senator Gary Peters (D-MI), the ranking member of the Senate Homeland Security Committee, expressed his dismay, stating he was "disturbed" by the effort to undo "basic cybersecurity safeguards." He warned that such actions would "leave the American people exposed" to increased risks.

Similarly, Senator Mark Warner (D-VA), the ranking member of the Senate Intelligence Committee, issued a statement asserting that the rule change "leaves us without a credible plan" to address the fundamental security vulnerabilities exploited by Salt Typhoon and other malicious actors.

Industry Reaction and Dissenting Warnings

In contrast to the lawmakers' concerns, the NCTA, which represents the telecommunications industry, applauded the scrapping of the rules. The industry body characterized the regulations as "prescriptive and counterproductive."

However, Commissioner Gomez countered this view, emphasizing that while collaboration with the telecommunications industry is crucial for cybersecurity, it is ultimately insufficient without robust enforcement mechanisms.

"Handshake agreements without teeth will not stop state-sponsored hackers in their quest to infiltrate our networks," Gomez stated. "They won’t prevent the next breach. They do not ensure that the weakest link in the chain is strengthened. If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon."