The Federal Communications Commission (FCC) has rolled back a previous ruling that required U.S. telecom carriers to implement stricter cybersecurity measures following the massive hack from the Chinese threat group known as Salt Typhoon.
The ruling came in January 2025 and took effect immediately under the Communications Assistance for Law Enforcement Act (CALEA), in response to Salt Typhoon's breaching multiple carriers to spy on private communications.
Along with Section 105 of the CALEA, the declaratory ruling included a Notice of Proposed Rulemaking (NPRM) for telecom companies to:
Create and implement cybersecurity risk-management plans
Submit annual FCC certifications proving they were doing so
Treat general network cybersecurity as a legal obligation
Following lobbying from telecommunication firms - according to a letter from Senator Maria Cantwell, that found the new framework too cumbersome and taxing for their operations, the FCC has now deemed the prior rule inflexible, retracting it.
“The Federal Communications Commission today took action to correct course and rescind an unlawful and ineffective prior Declaratory Ruling misconstruing the Communications Assistance for Law Enforcement Act (CALEA),” reads the FCC announcement.
“The Order also withdraws an NPRM that accompanied that Declaratory Ruling, which was based in part on the Declaratory Ruling’s flawed legal analysis and proposed ineffective cybersecurity requirements.”
The FCC, which is now under new leadership, noted that communications service providers have taken important steps to strengthen their cybersecurity posture following the Salt Typhoon incidents, and have agreed to continue along this path in a coordinated manner, reducing risks to national security.
... continue reading