The Federal Communications Commission is set to hold a vote in November to overturn a decision mandating telecom companies to protect their networks, acting upon a request from major lobbying organizations representing Internet service providers.
FCC Chairman Brendan Carr stated that the decision, made in January just prior to the Republicans taking majority control of the commission, “went beyond the agency’s authority and did not offer an effective or responsive approach to the relevant cybersecurity challenges.” Carr indicated that the vote planned for November 20 follows “comprehensive FCC engagement with carriers” that have made “significant efforts… to enhance their cybersecurity measures.”
The FCC’s January 2025 declaratory ruling was a reaction to incursions by China, including the Salt Typhoon penetration of major telecom providers such as Verizon and AT&T. The Biden-era FCC determined that the Communications Assistance for Law Enforcement Act (CALEA), a law from 1994, “clearly mandates telecommunications carriers to secure their networks from unlawful access or communication interceptions.”
“The Commission has previously concluded that section 105 of CALEA imposes an affirmative duty on a telecommunications carrier to mitigate the risk that providers of untrusted equipment will ‘illegally activate interceptions or other forms of surveillance within the carrier’s switching premises without its awareness,’” the January order stated. “Through this Declaratory Ruling, we clarify that telecommunications carriers’ responsibilities under section 105 of CALEA not only apply to the equipment they opt to utilize in their networks but also extend to how they operate their networks.”
ISPs achieve their objectives
The declaratory ruling was accompanied by a Notice of Proposed Rulemaking that would have resulted in more stringent regulations necessitating certain actions to secure networks against unauthorized interceptions. Carr opposed the decision at that time.
While the declaratory ruling lacked specific accompanying regulations, the FCC then asserted that it held some authority. “Even in the absence of rules enacted by the Commission, like those suggested below, we assert that telecommunications carriers would likely struggle to meet their statutory duties under section 105 without implementing fundamental cybersecurity practices for their communication systems and services,” the January order noted. “For instance, fundamental cybersecurity hygiene measures, such as establishing role-based access controls, altering default passwords, demanding minimum password strength, and implementing multifactor authentication, are essential for any sensitive computing system. Additionally, neglecting to address known vulnerabilities or to employ recognized best practices deemed necessary in light of identified exploits would seemingly fall short of meeting this statutory duty.”
