AT&T, T-Mobile, and Verizon users will be uneasy after hearing what FCC has done
The FCC has scrapped a ruling requiring carriers to keep all parts of their networks safe.
The Federal Communications Commission (FCC) is repealing a January 2025 ruling enforced in the aftermath of the China-sponsored Salt Typhoon attacks. The Chinese hacking group infiltrated eight communications companies, including AT&T and Verizon, and possibly also attempted an attack at T-Mobile which was thwarted.
Former Chairman Jessica Rosenworcel's ruling sought to bolster defences against foreign adversaries, but it has now been found to be unlawful and ineffective.
New vs old FCC
The FCC has rolled back a law aimed at bolstering carrier defences.
The January 2025 ruling was passed in the last days of former US president Joe Biden's administration. The new FCC, under Chairman Brendan Carr, is rescinding that ruling. Carr says the "prior FCC" overreached its authority when passing the ruling and its response was not appropriate.
At the heart of the matter is the interpretation of the Communications Assistance for Law Enforcement Act (CALEA). This law was passed in 1994 to require carriers to ensure the presence of the necessary surveillance capabilities to fulfil legal requests for information. The law is intended to allow law enforcement agencies to carry out surveillance without violating the privacy of information outside the scope of their investigation.
Rosenworcel's FCC held carriers responsible, based on its understanding of CALEA, for preventing interception of communications by any unauthorized means. It said that carriers were required to secure their networks from threats, and, as an extension, to adopt management practices across their entire network.
The January 2025 ruling that has been rolled back.
Carr's FCC says that CALEA was misinterpreted, and argues that the law only allows lawful wiretaps or monitoring within a certain portion of networks.
Carr's FCC has decided to pursue a flexible and collaborative strategy to secure networks. It has been working with network providers to improve defences. Carriers have implemented "additional cybersecurity controls to harden their networks," such as fixing holes in vulnerable equipment, updating and reviewing access controls, and closing unnecessary outbound connections. Telecom companies have also pledged to share more cybersecurity information.
The FCC also asserts that the January 2025 ruling broadly asked all carriers to take measures to prevent all illegal snooping of call-related information, without providing any guidance about how to do so. This put carriers in a tough spot, as the guidelines were difficult to follow. The one-size-fits-all approach also required carriers to impose costly measures not necessarily relevant to threats they faced.
The new FCC also takes issue with the fact that the previous FCC rushed to pass the ruling, foregoing the 'notice and comment' rulemaking process. Under this process, comments from the public are considered before developing final rules.
Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses. In doing so, we will also reverse an eleventh hour CALEA declaratory ruling reached by the prior FCC—a decision that both exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats. So, we’re correcting course.
Brendan Carr, Chairman FCC, October 2025
US carriers remain vulnerable
Threats to US carriers have not abated. If anything, attacks, particularly those from China, are getting more sophisticated. In the face of these evolving threats, effective cybersecurity measures are urgently needed.
The Salt Typhoon attacks used common vulnerabilities and avoidable weaknesses to infiltrate networks. The FCC is working with federal agencies and carriers to protect networks from such attacks. This includes the monitoring of network outages caused by cyber incidents.
The difference in these and prior measures is that they are targeted, rather than being inflexible and ambiguous.
Will this be enough?
Carr's FCC acknowledges that bad actors have repeatedly launched cyberattacks on US telecoms.
Associations such as CTIA, NCTA, and USTelecom requested the FCC to rescind the January 2025 ruling, pointing out that the industry had voluntarily invested resources to strengthen their defences after Salt Typhoon and would continue to do so to keep up with emerging threats. It also argued that collaborations between carriers and the government allowed service provided to respond swiftly to Salt Typhoon.
The associations also insisted that state-backed attackers such as Salt Typhoon have unlimited resources against which private sector companies alone could not contend.
While Rosenworcel's FCC may have misunderstood CALEA, its requirement, however broad, obligated carriers to take action to prevent all unauthorized interception. This no-compromise approach sounded better, at least in theory, to goad AT&T, T-Mobile, and Verizon to be vigilant about network security.
The rolling back of the ruling could cause carriers to slack on that and put their users at risk once again.
Follow us on Google News
FCC OKs Cingular\'s purchase of AT&T Wireless
Things that are NOT allowed:
To help keep our community safe and free from spam, we apply temporary limits to newly created accounts: