In the wake of the Salt Typhoon cyber breach, Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel has called for urgent action to modernize cybersecurity policies, emphasizing the need to address vulnerabilities exposed by state-sponsored cyberattacks.
“This breach has sparked a government-wide effort to assess the extent of the damage, eliminate exposure in our networks, and ensure it doesn’t happen again,” Rosenworcel said. “We cannot rely on outdated rules or simply hope this threat goes away. Hope is not a plan. Today, we must act to secure our networks and ensure they are resilient against future attacks. Telecommunications networks are essential to national defense, public safety, and economic growth. The time to act is now.”
The FCC has adopted a Declaratory Ruling affirming that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) mandates telecommunications carriers to secure their networks against unauthorized access or interception. The ruling is accompanied by a Notice of Proposed Rulemaking, which seeks input on requiring communications providers to submit annual certifications attesting to the development and implementation of cybersecurity risk management plans.
National Security Advisor Jake Sullivan described the FCC’s actions as a “critical step” in addressing threats from nation-states, particularly China. “The FCC’s Declaratory Ruling and Notice of Proposed Rulemaking are essential for ensuring that U.S. telecoms can defend against sophisticated cyber programs,” Sullivan said.
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly echoed this sentiment. “The FCC’s actions are crucial in safeguarding the nation’s telecommunications infrastructure against real threats posed by the PRC and other adversaries. CISA will continue collaborating with critical infrastructure entities to enhance their network defenses,” Easterly said.
The new measures build on previous FCC proposals, including cybersecurity risk management requirements for submarine cable systems and participants in the Emergency Alert System. The Commission’s latest actions mark a significant step in fortifying the U.S. telecommunications infrastructure against evolving cyber threats.
The Declaratory Ruling is effective immediately, while the Notice of Proposed Rulemaking invites comments on expanding cybersecurity requirements and exploring additional ways to protect communication systems.
