Federal Communications Commission Chairwoman Jessica Rosenworcel presented draft regulations Thursday to fellow commissioners that would for the first time require telecom companies to upgrade cyber defenses under a federal wiretapping law, or face fines.
The draft rules are a response to alarming breaches of telecom providers by Chinese government hackers known as Salt Typhoon. The breaches have drawn scrutiny on how those hackers exploited the Communications Assistance for Law Enforcement Act (CALEA), the means by which telecom carriers are obligated to provide law enforcement access to their systems.
“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” Rosenworcel said in a statement. “As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses.
“While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the communications sector in the future,” she said.
The potentially yearslong intrusions of at least eight U.S. telecom companies have spurred Hill briefings, a looming Cyber Safety Review Board probe, upcoming congressional hearings and exclamations that the breaches amount to the worst telecom hack in U.S. history, in addition to global ramifications.
Under the rules that would take effect immediately, commissioners “may choose to vote on them at any moment,” according to an FCC fact sheet.
Specifically, the FCC declaratory ruling “creates a legal obligation for telecommunications carriers to secure their networks against unlawful access and interception” under CALEA, the FCC fact sheet explained. Multiple lawmakers have called on the FCC to take action similar to what Rosenworsel proposed under CALEA on Thursday.
The FCC also circulated a notice of proposed rulemaking Thursday for an annual cybersecurity risk management plan certification process.
The commission has two more scheduled open meetings before the second Trump administration begins. While the 2024 Republican platform discussed the need for minimum cybersecurity standards for critical infrastructure, some Trump-aligned parties have suggested he is less likely to welcome cyber regulations than the Biden administration, which has embraced them more vigorously than past administrations.
On Wednesday, prior to the proposal of the new rules, Republican FCC chair nominee Brendan Carr commented on the need for action in response to Salt Typhoon.
“The Salt Typhoon intrusion is a serious and unacceptable risk to our national security. It should never have happened,” he said on X. “I will be working with national security agencies through the transition and next year in an effort to root out the threat and secure our networks.”
Neither Rosenworcel nor Carr had previously committed to the idea of FCC cyber rules tied to CALEA.
Jonathan Spalter, president and CEO of USTelecom – The Broadband Association, provided this statement when asked about the FCC proposal.
“Securing our networks from cyber threats is a dynamic and evolving process that broadband providers take extremely seriously, harnessing cutting-edge technologies to defend our nation’s critical connectivity infrastructure in the face of military-grade aggression by foreign adversaries,” he said. “Ensuring the security of our customers is our top priority and we will continue to work side-by-side with intelligence agencies, law enforcement and other government partners to identify and address the root causes of cybersecurity incidents.”
Plus de détails sur l’article original.