The US Federal Communications Commission (FCC) has voted 2-1 to eliminate binding cybersecurity requirements for telecommunications carriers, reversing regulations introduced earlier this year in response to a historic Chinese cyber-espionage operation known as Salt Typhoon.
The rollback dismantles the only concrete federal cybersecurity measures enacted after the Salt Typhoon breach, which compromised sensitive communications data across major US telecom networks. The breach, attributed to Chinese state-sponsored hackers, exposed not just customer metadata but also communications intercepted under lawful surveillance programs, raising alarms across national security circles.
The original rules, passed in January 2025 under the authority of the Communications Assistance for Law Enforcement Act (CALEA), clarified that telecom carriers had an affirmative legal duty to secure their networks from unlawful access and interception. The FCC also launched a rulemaking process to enforce minimum cybersecurity standards and require formal certification of carrier protections. These were intended to close dangerous gaps in the nation's communications infrastructure that foreign actors have increasingly exploited.
But under new leadership, the FCC has now reversed that course. The agency will instead rely on a voluntary, industry-led model with no enforceable standards, no certification requirements, and no formal accountability. Commissioner Anna Gomez, the lone dissenting vote, strongly criticized the move, warning that “hope and a dream” are not substitutes for concrete protections in the face of escalating threats.
Salt Typhoon attacks, which unfolded publicly between October and November 2024, saw Chinese threat actors breach the networks of major US providers, including AT&T, Verizon, and Lumen Technologies. These firms handle lawful wiretap requests and vast volumes of government and civilian data. According to FBI and CISA findings, the attackers accessed private communications of US government and political figures, duplicated surveillance data, and exfiltrated call records, suggesting a level of infiltration far beyond reconnaissance.
Despite these revelations, the telecom industry lobbied to dismantle the FCC's new obligations, claiming they were burdensome and that voluntary collaboration with government agencies was sufficient. That view prevailed with the Commission's majority, despite direct warnings from cybersecurity experts and federal agencies that similar intrusion attempts remain active today.
Gomez rejected the industry's rationale, stating: “If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon. Partnership and collaboration that carry no enforceable accountability are insufficient by design”.
Salt Typhoon is just one of several advanced persistent threat (APT) campaigns launched by Chinese actors in recent years, alongside Flax Typhoon and Volt Typhoon, all targeting US infrastructure. Microsoft and other security vendors have linked Salt Typhoon to groups like GhostEmperor and FamousSparrow, which specialize in long-term espionage against telecommunications networks.
The rollback has also drawn criticism from lawmakers. Senate Democrats Gary Peters and Maria Cantwell both opposed the FCC's action, with Cantwell emphasizing that “our efforts should be focused on further enhancing cybersecurity” in the wake of Salt Typhoon, not retreating from basic safeguards.
Leave a Reply