Article Details

Scrape Timestamp (UTC): 2025-11-24 13:23:41.933

Source: https://www.theregister.com/2025/11/24/fcc_salt_typhoon_rules/

Original Article Text

FCC guts post-Salt Typhoon telco rules despite ongoing espionage risk

Months after China-linked spies burrowed into US networks, regulator tears up its own response.

The Federal Communications Commission (FCC) has scrapped a set of telecom cybersecurity rules introduced after the Salt Typhoon espionage campaign, reversing course on measures designed to stop state-backed snoops from slipping back into America's networks.

In a 2-1 vote last week, the agency revoked the January Declaratory Ruling that had sought to force carriers to lock down their systems under the Communications Assistance for Law Enforcement Act (CALEA). That earlier move, introduced in the aftermath of the China-linked Salt Typhoon intrusions, was meant to harden networks used for lawful intercept and other sensitive functions.

But the FCC now says the whole thing was "unlawful and ineffective," and has torn up both the ruling and the Notice of Proposed Rulemaking that rode in with it.

The rollback follows what the Commission describes as months of "extensive, urgent, and coordinated" cooperation from carriers following the Salt Typhoon discovery. In its announcement [PDF], the FCC claims that providers have already stepped up access controls, improved incident response, and generally become more attentive to cyber risks – less thanks to the rule itself and more due to what the agency frames as a voluntary clean-up effort after the intrusions.

This marks a notable pivot from the mood earlier this year, when Salt Typhoon was revealed to have burrowed into multiple US telecom companies and lingered inside key systems. As The Register reported at the time, the Chinese state-backed espionage crew gained access not just to standard network management gear but also to parts of the lawful intercept stack – systems that are supposed to be the most tightly controlled parts of a carrier's infrastructure.

The January ruling was sold as a necessary response to that fiasco: a baseline set of obligations to stop foreign intelligence services waltzing through carrier defenses. Fast-forward to November, the Commission's new leadership has instead opted to yank those obligations entirely.

Chairman Brendan Carr and Commissioner Olivia Trusty approved the reversal, arguing that the previous order strayed beyond the statute and imposed rigid, impractical mandates. Commissioner Anna Gomez dissented, issuing a separate statement [PDF] warning that abandoning enforceable requirements would leave the country less secure at a time when hostile states are visibly probing and exploiting telecom networks.

"When the next breach occurs, there will be no standards to measure compliance and no mechanism for determining which safeguards should have been in place," Gomez said. "That is governing by hope rather than by duty, and the American public deserves better."

The Electronic Privacy Information Center (EPIC) has also spoken out against the gutting of the rules, arguing that the FCC is attempting "to create a sort of safe harbor for insecure cybersecurity practices."

The FCC insists it's not stepping back from cybersecurity, just taking a more "agile" approach. It points to targeted rules adopted elsewhere, such as the requirement for submarine cable licensees to maintain cyber-risk management plans, and to its newly established Council on National Security, tasked with coordinating with federal partners on threats ranging from espionage to supply-chain compromise.

Still, the contrast is hard to miss. After Salt Typhoon showed how easily a determined state actor could compromise carrier systems, the Commission appeared ready in January to impose clear minimum standards. Now the agency is pivoting back to informal cooperation, effectively trusting the same carriers that were infiltrated for years to police themselves without the threat of formal compliance checks.

The announcement repeatedly references improved cybersecurity practices across the sector since the intrusions came to light. But the FCC offers no detail on how those improvements will be monitored or enforced without the framework it just torched. Smaller carriers, in particular, may struggle to maintain the same defensive posture as larger operators, a key argument in favor of setting universal baselines following the Salt Typhoon revelations.

For now, the official line is that voluntary cooperation will keep the nation's communications backbone safe. But Salt Typhoon demonstrated that determined state-sponsored crews are already sitting within some of those networks – and that they're willing to exploit any oversight gap. Whether industry goodwill is enough to stop the next one is, once again, an open question.

Daily Brief Summary

NATION STATE ACTIVITY // FCC Reverses Telecom Security Rules Amid Espionage Concerns

The FCC has repealed telecom cybersecurity rules established after the China-linked Salt Typhoon espionage campaign, calling them "unlawful and ineffective."

The decision was made in a 2-1 vote, with dissenting voices warning that this could weaken national security against state-sponsored cyber threats.

The original rules aimed to secure telecom networks, particularly those involved in lawful intercept functions, following significant breaches by state-backed actors.

The FCC claims telecom providers have improved cybersecurity measures voluntarily, thus rendering the formal rules unnecessary.

Critics argue that without enforceable standards, the U.S. remains vulnerable to future breaches, lacking a framework to ensure compliance and security.

The FCC plans to adopt a more flexible approach, relying on industry cooperation and targeted rules for specific areas like submarine cable security.

Concerns persist about smaller carriers' ability to maintain robust security without mandatory guidelines, potentially leaving gaps for exploitation.