FCC Announces Action Requiring Carriers To Secure Their Networks

FCC Chairwoman Jessica Rosenworcel announced action to “safeguard the nation’s communications systems from real and present cybersecurity threats,” particularly by foreign actors, by instituting a "Declaratory Ruling and Notice of Proposed Rulemaking" aimed at telecom carriers.

The announcement comes in the immediate wake of the Salt Typhoon attack on telecom providers that has been called one of the worst cyberattacks in the U.S. in history.

The ruling states that section 105 of Communications Assistance for Law Enforcement Act requires telecom carriers to “secure their networks from unlawful access or interception of communications,” and that it’s accompanied by a proposal requiring the carriers to “submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan…”

“In response to Salt Typhoon, there has been a government-wide effort to understand the nature and extent of this breach, what needs to happen to rid this exposure in our networks, and the steps required to ensure it never happens again,” said Rosenworcel.

“At the Federal Communications Commission, we now have a choice to make. We can turn the other way and hope this threat goes away. But hope is not a plan. Leaving old policies in place when we know what new risks look like is not smart.”

Rosenworcel explicitly called out Salt Typhoon. “Today, in light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks.  Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting.”

Response

Incoming chair Brendan Carr, a Republican, issued a statement criricizing the action. Carr agreed about the threats present but did not offer specifics on what type of action he would prefer.

“Today, the FCC reads CALEA as also imposing an affirmative obligation on a covered provider to take certain undefined cybersecurity actions across every portion of the network—meaning, both within and outside the switching premises,” said Carr. “But the FCC and the court of appeals have already determined that CALEA’s ‘switching premises’ language is key to the statute’s operation. The FCC’s unprecedented decision to effectively read that language out of the statute not only undermines the action it takes today, it calls into question every previous FCC action under CALEA too.”