The U.S. Federal Communications Commission (FCC) announced last week that it has implemented measures to protect the nation’s communication systems from significant cybersecurity threats, including those posed by state-sponsored cyber actors from the People’s Republic of China. This decision follows recent reports of foreign actors infiltrating U.S. communication networks.
The action by the FCC builds on its December 2024 initiative, which introduced robust measures requiring telecom carriers to fortify their networks. This effort is designed to enhance the security of U.S. communications against potential cyberattacks, particularly those originating from state-sponsored entities in China. The agency is committed to ensuring that telecommunication companies effectively safeguard their networks.
“In response to Salt Typhoon, there has been a government-wide effort to understand the nature and extent of this breach, what needs to happen to rid this exposure in our networks, and the steps required to ensure it never happens again,” Jessica Rosenworcel, FCC chairwoman, wrote in a media statement. “At the Federal Communications Commission, we now have a choice to make. We can turn the other way and hope this threat goes away. But hope is not a plan.”
“Leaving old policies in place when we know what new risks look like is not smart. Today, in light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. Our existing rules are not modern,” Rosenworcel highlighted. “It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting.”
She noted that telecommunications networks are essential for everything in day-to-day life, from national defense to public safety to economic growth. “The actions we take and propose here will strengthen our cybersecurity safeguards and enhance our resilience against future attacks.”
“The FCC’s Declaratory Ruling and Notice of Proposed Rulemaking is a critical step to require U.S. telecoms to improve cybersecurity to meet today’s nation state threats, including those from China’s well-resourced and sophisticated offensive cyber program,” Jake Sullivan, national security advisor, said.
“The FCC’s actions today are an important step in securing the nation’s telecommunications infrastructure against the very real threat posed by the PRC and other threat actors,” Jen Easterly, director at the CISA (Cybersecurity and Infrastructure Security Agency), said. “CISA will continue to work with all critical infrastructure entities to implement measures that help them safeguard their networks.”
The FCC has adopted a Declaratory Ruling finding that section 105 of Communications Assistance for Law Enforcement Act (CALEA) affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications. That action is accompanied by a proposal to require communications service providers to submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks.
The Declaratory Ruling takes effect immediately. The Notice of Proposed Rulemaking (NOPR) invites comment on cybersecurity risk management requirements for various communications providers. The Notice also seeks comment on additional ways to strengthen the cybersecurity posture of communications systems and services.
In November, the Commission proposed cybersecurity risk management plan requirements for submarine cable landing applicants and licensees. In addition, the Commission previously proposed that participants in the Emergency Alert System and Wireless Emergency Alerts maintain cybersecurity risk management plans.
Earlier this month, the FCC pushed for the adoption of rules to enable a spectrum auction, aiming to fund the swift removal of insecure Huawei and ZTE equipment from the nation’s networks. The action follows reports of Chinese hackers, linked to the Salt Typhoon cyberespionage operation, breaching more U.S. telecommunications firms, including Charter, Consolidated, and Windstream, highlighting the expanding threat to critical infrastructure installations.
link