WASHINGTON, D.C.— In response to a significant cyberattack attributed to Chinese state-sponsored group Salt Typhoon, the Federal Communications Commission (FCC) has proposed stringent measures to enhance the cybersecurity of U.S. telecommunications networks. The initiative aims to address critical vulnerabilities exposed by the breach, which compromised sensitive systems across multiple communications companies.
Background on the Salt Typhoon Attack
On December 4, 2024, U.S. security agencies confirmed that Salt Typhoon infiltrated at least eight American telecommunications firms, accessing private communications and exposing systemic weaknesses. This cyber-espionage campaign, reportedly ongoing for over a year, targeted high-profile individuals, including senior government officials and political figures. The breach is considered one of the most severe in U.S. telecom history, with potential implications for national security and public trust.
FCC’s Proposed Measures
In response to the breach, FCC Chairwoman Jessica Rosenworcel proposed a Declaratory Ruling clarifying that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) obligates telecommunications carriers to protect their networks against unauthorized access and interception. This clarification extends carriers’ responsibilities beyond equipment security to comprehensive network management practices.
Additionally, the FCC introduced a Notice of Proposed Rulemaking that would require communications service providers to develop, update, and implement cybersecurity risk management plans. Providers would also need to annually certify their compliance with these plans to the FCC, ensuring accountability and adherence to robust cybersecurity standards.
Broader Implications and Legislative Actions
The Salt Typhoon incident has prompted legislative scrutiny and calls for enhanced cybersecurity measures. Senators Ron Wyden and Eric Schmitt have urged the Department of Defense to investigate its vulnerabilities, emphasizing the need for improved defenses against such espionage activities.
Furthermore, the U.S. House of Representatives is set to vote on a defense bill allocating over $3 billion to assist telecom companies in removing equipment from Chinese firms like Huawei and ZTE, aiming to mitigate security risks associated with foreign technology in critical infrastructure.
Next Steps
The FCC’s proposed measures are currently under review by its commissioners. If adopted, the Declaratory Ruling would take immediate effect, reinforcing carriers’ legal obligations to secure their networks. The Notice of Proposed Rulemaking would open a public comment period, allowing stakeholders to provide input on the proposed cybersecurity compliance framework. These actions represent a concerted effort to strengthen the nation’s communications infrastructure against evolving cyber threats.
