The Federal Communications Commission (FCC) has announced the repeal of a January 2025 cybersecurity ruling that was originally enacted in response to the China-backed Salt Typhoon cyberattacks. This move has raised concerns among customers of major US carriers including AT&T, Verizon, and T-Mobile.
Background of the January 2025 Ruling
In the wake of the Salt Typhoon attacks — where a Chinese hacking group successfully infiltrated multiple communications companies, including AT&T and Verizon, and attempted an attack on T-Mobile that was ultimately thwarted — former FCC Chairwoman Jessica Rosenworcel introduced new regulations aimed at strengthening carrier network defenses against foreign adversaries.
Rosenworcel’s ruling interpreted the Communications Assistance for Law Enforcement Act (CALEA) as imposing an obligation on carriers to secure their entire networks against any unauthorized interception of communications, not just to allow lawful law enforcement surveillance. The ruling required carriers to adopt comprehensive risk management and cybersecurity practices.
Shift in FCC Leadership and Policy
With Brendan Carr now chairing the FCC, the agency has reevaluated the earlier ruling and declared it both unlawful and ineffective. Carr’s FCC contends that CALEA’s original intent was limited strictly to ensuring carriers support lawful wiretaps, rather than mandating sweeping security measures across carrier networks.
Due to this interpretation, Carr’s administration has rescinded Rosenworcel’s sweeping cybersecurity requirements. The new approach emphasizes collaboration with network providers, encouraging targeted and flexible improvements rather than a broad, one-size-fits-all directive.
Current Cybersecurity Efforts and Industry Response
Despite rolling back the January 2025 ruling, the FCC affirms ongoing efforts alongside federal agencies and carriers to identify vulnerabilities and address them through enhanced cybersecurity controls. These include patching equipment vulnerabilities, refining access controls, closing unnecessary network connections, and fostering increased information sharing within the industry.
Telecom trade associations such as CTIA, NCTA, and USTelecom welcomed the rollback, noting how carriers have already invested heavily in defenses since the Salt Typhoon attacks and continue to adapt to emerging threats. They argue that flexible collaboration between government and private sectors produces a more effective response than rigid regulations.
Concerns Over Carrier Vigilance
Nevertheless, some experts and observers worry that without the strict requirements of Rosenworcel’s ruling, carriers may reduce their cybersecurity vigilance, leaving networks and subscribers more exposed to increasingly sophisticated state-sponsored attacks.
Carr acknowledges the persistent threat from foreign adversaries and insists that targeted measures currently underway are more appropriate. However, critics argue that the absence of clear mandates could weaken the cybersecurity posture of major US telecom providers, including AT&T, T-Mobile, and Verizon.
Looking Ahead
The FCC’s decision represents a significant policy pivot at a critical time for US communications security. As cyberattack techniques evolve, the question remains whether industry collaboration and voluntary standards will suffice to protect American telecom networks and their customers.
