Internet service providers and cellular carriers will no longer be required to meet minimum cybersecurity standards after a Federal Communications Commission vote Thursday.
The FCC voted 2-1 along party lines to reverse course on a January ruling -- adopted four days before President Donald Trump’s inauguration -- that required providers to issue an annual certification showing that they have “created, updated and implemented a cybersecurity risk management plan.”
The rules applied to a broad range of companies, including cellular carriers, internet service providers, radio stations and even television broadcasters.
Locating local internet providers
The new requirements were largely a response to the Salt Typhoon cyberattackin September last year, in which hackers linked to the Chinese government broke into the networks of US internet providers like AT&T, Verizon and Lumen, which owns CenturyLink and Quantum Fiber. Attackers gained access to millions of customers’ call and text message metadata and reportedly captured audio recordings from people involved with both the Harris and Trump campaigns.
“This is such a terrible idea. This is rolling out the red carpet for another attack,” Cooper Quintin, a senior staff technologist at the Electronic Frontier Foundation, told CNET. “I can't overstate how impactful Salt Typhoon was. This gave them access to the communications of every American. It impacted everyone, and there were no consequences for the telcos other than having to generate a regular report.”
Locating local internet providers
So why roll back the rules now? FCC Chair Brendan Carr said the rules are not necessary because longer providers have already “demonstrated a strengthened cybersecurity posture” in the year since the Salt Typhoon attacks.
The move is the latest chapter in Carr’s “Delete, Delete, Delete” agenda, which aims to end the “regulatory onslaught from Washington.”
If you look at the FCC as being the protector of the public interest in modern communications, the notion that you don't have a role in cybersecurity strikes me as being willfully blunt. Blair Levin, former FCC chief of staff and a telecom industry analyst at New Street Research
... continue reading