Following one of the largest telecommunications hacks in US history, the Federal Communications Commission (FCC) moved to impose stricter standards on carriers’ cybersecurity measures. On Thursday, the agency is set to vote to withdraw those requirements, arguing that they were an unnecessary violation of its authority.
The China-linked Salt Typhoon hack that emerged last year affected telecommunications companies including AT&T, Verizon, T-Mobile and Lumen Technologies, The Wall Street Journal reported. The problem was so bad that US officials urged consumers to communicate only through encrypted apps in late 2024, fearing adversaries might still be hiding in their carriers’ networks.
In response, the FCC, led by Democratic Chair Jessica Rosenworcel, issued a declaratory decision that imposed stronger security requirements on telecommunications providers, and issued a Notice of Proposed Rulemaking (NPRM) inviting public comment on how communications providers should secure their systems. Now, the FCC under Republican Chairman Brendan Carr is seeking to roll back those actions amid broader deregulation pressure.
The fact sheet describing the order rescinding the rule said the original decision misinterpreted the FCC’s authority and was implemented just before the change in administration. Furthermore, it argues, its “vague and amorphous standards risk imposing costly new burdens on many providers that are either not relevant to the potential threats they face, or that are unnecessary because those providers may already employ adequate cybersecurity practices to mitigate the risk of successful exploits by the most sophisticated threat actors.” Telecommunications industry associations have called for these actions to be rescinded, saying the FCC has overstepped, and noting that service providers have already taken steps to harden their networks since the hack, and will continue to do so voluntarily.
“We’re going to reverse the only meaningful effort that this agency has put forward in response to that hack.”
However, Democratic Commissioner Anna Gomez isn’t convinced that’s enough. The Salt Typhoon hack was “crucially a wake-up call, and it showed us how little incentive exists to force companies to fix the vulnerabilities that allowed that attack to happen,” she told The Verge in an interview. A White House national security adviser for the Biden administration said at the time that the companies’ lack of some basic cybersecurity protections contributed to the hack. “When I received this draft order, it was very disappointing because we are going to reverse the only meaningful effort this agency has made in response to that hack,” Gomez said.
The vote comes at a time when US cybersecurity is already under strain amid federal workforce shortages and ongoing political attacks against the federal government’s central cyber coordinator. Even if the actions following Salt Typhoon are rescinded, Gomez said she hopes the FCC will continue to collaborate with other agencies to address national security issues, but she fears the Trump administration is “weakening our cybersecurity and our agencies focused on cyber. And I think we need a well-rounded strategy to address these weaknesses.”
Carr framed the cancellation order as a course correction. But Gomez worries it’s taking away vital equipment and not replacing it. “I fear that Americans will be less safe than the day this hack was discovered a little more than a year ago,” she said. “And our adversaries will see this as an invitation, and continue to provoke our networks.”