
FCC to telecoms: Secure your networks from hacks like China’s Salt Typhoon


The Federal Communications Commission (FCC) on Dec. 5 responded to recent reports that the Chinese group Salt Typhoon infiltrated at least eight U.S. telecom companies by proposing that carriers create, update and implement cybersecurity risk management plans and certify them annually to the FCC, or face stiff penalties.

FCC Chairwoman Jessica Rosenworcel said the agency had this authority under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), which created a legal obligation for the telecoms to secure their networks against unlawful access and interception.

The recent proposed “Declaratory Ruling” was made available to the five members of the FCC and, if adopted, would reportedly be the first time the FCC has assumed such powers under the existing CALEA wiretapping law first enacted in 1994.

“As technology continues to advance, so do the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses,” said Rosenworcel. “While the commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”

The Salt Typhoon campaign is serious, so much so that Deputy National Security Adviser Anne Neuberger on Dec. 4 briefed reporters on the breadth of the Chinese government-sponsored hacking campaign that reportedly gave officials in China access to private texts and phone conversations of an unknown number of Americans.

While exactly what information the Salt Typhoon attackers accessed is still unknown, former NSA cybersecurity expert Evan Dornbush said the attackers could potentially have seen who is under law enforcement surveillance.

"This would allow the attackers to know if any of their agents are compromised, generate a list of blackmail targets, or a list of individuals to cease communications with," Dornbush speculated. "The attackers could have also enabled surveillance on specific subscribers. Perhaps the attackers had a list of people they wanted to get copies of text messages or phone calls from."

FCC wants new cybersecurity management plans for telecoms

As a practical matter, the big question is whether the FCC’s proposal survives the next administration, said Morgan Wright, chief security advisor at SentinelOne. Given the political reality of fewer, not more, regulations under the incoming Trump administration, Wright said the proposal faces an uphill climb.

“Assuming it does pass, this seems to be analogous to Sarbanes-Oxley,” said Wright, an SC Media columnist. “I think a cyber Sarbanes-Oxley would be effective, but I would apply it to all of our critical infrastructure as a starting point, not just telecom. Otherwise, we’ve been reduced to a reactive whack-a-mole response that will ultimately fail.”

However, James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, was quoted in the Washington Post saying he thought Republican commissioners would pass the measure, including Brendan Carr, the incoming chairman. Lewis said Carr is a noted China hawk, as are incoming President Trump and many members of the new administration.

Jason Soroko, senior fellow at Sectigo, said the FCC’s proposed annual cybersecurity certification for telecoms addresses vulnerabilities, but smaller providers may struggle with costs without federal support.

“The proposal is likely to pass given bipartisan urgency; however, its impact depends on addressing compliance costs and enforcement,” said Soroko. “If properly defined and audited, it could improve security; otherwise, it risks becoming a symbolic measure.”

Heath Renfrow, co-founder and CISO at Fenix24, added that while the framework is solid conceptually, its success will hinge on effective implementation, government-industry collaboration, and periodic updates to address emerging threats.

Renfrow said he doesn’t think the proposal would succeed if made into a regulatory requirement. Renfrow pointed to other regulatory requirements that have become compliance-based “check-the-box” audits, such as whether the company has a firewall, uses MFA, runs backups, or has deployed a modern EDR solution.

“It becomes nothing more than ‘yes’ and ‘no’ questions, and true foundational cybersecurity and IT controls are not and frankly cannot be evaluated from an outside audit,” said Renfrow. “The skill set is not there, and companies are not just going to let you poke around in their production systems.”
