The Federal Communications Commission is set to gut cybersecurity regulations enacted after a massive Chinese state-sponsored hack, arguing the rules were an overreach and replacing them with a voluntary, industry-led approach. The move reverses one of the government's most forceful responses to the growing threat of cyberattacks on critical infrastructure.
Born from a breach: The original mandate was forged after the "Salt Typhoon" campaign exposed deep vulnerabilities in the nation's telecom infrastructure. The haul from that hack included everything from federal wiretap data to the private call records of over a million people, prompting the FCC's prior leadership to act.
Reversing course: But the FCC’s new chair, Brendan Carr, calls the mandate an "eleventh hour" mistake. An official FCC fact sheet justifying the reversal now describes the previous interpretation of the law as "legally erroneous" and ineffective, with Carr stating, "We’re correcting course."
A win for lobbyists: The reversal is a clear victory for telecom lobby groups that petitioned against the mandate back in February. It also flies in the face of the stark warning from former FCC chair Jessica Rosenworcel, who said when the rules were enacted, "Either you take serious action or you don’t."
The FCC is trading a mandatory security baseline for a gentleman's agreement with an industry that has a history of major security failures. The announcement landed with some irony, as reports emerged just hours later that another nation-state-backed hack had compromised a key telecom tech supplier, with the intruders lurking undetected for nearly a year.
The telecom supply chain remains a key target, as networking vendor Ribbon Communications recently disclosed it was the victim of a months-long, nation-state hack. Meanwhile, the political stakes of these breaches are high, with reports revealing the original Salt Typhoon hackers specifically targeted the communications of figures like Donald Trump and Kamala Harris.
