On December 4, 2024, a top U.S. security agency confirmed reports that entities sponsored by the People’s Republic of China infiltrated at least eight U.S. telecommunications companies and gained access to sensitive systems. This incident has been dubbed the Salt Typhoon attack and reflects a sophisticated intrusion into U.S. telecommunications networks. It has been determined that this was part of a massive espionage campaign that has affected dozens of countries. In response to the Salt Typhoon attack, FCC Chairwoman Rosenworcel has circulated to her fellow Commissioners a Declaratory Ruling and a Notice of Proposed Rulemaking (NPRM) addressing the critical need to safeguard the nation’s communications systems from cybersecurity threats and attacks.
The Declaratory Ruling, if adopted, would clarify that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) creates a legal obligation for telecommunications companies to secure their networks against unlawful access. The Ruling further clarifies that this obligation extends not just to the equipment employed by telecommunications providers, but also to the management of their networks.
The NPRM proposes an annual certification process for communications providers that would require them to create, update, and implement cybersecurity risk management plans. Providers would be required to certify compliance with their risk management plans to the FCC to ensure accountability. The NPRM also seeks public comment on expanding existing cybersecurity requirements across a range of communications providers and on identifying additional ways to improve cybersecurity for U.S. communications networks.
As mentioned above, the Declaratory Ruling and NPRM are on circulation and, as such, are not available for a more detailed review. These proposed actions by the FCC are consistent with other recent steps taken to address cybersecurity concerns. In November 2024, the FCC proposed that cybersecurity and risk management plans be required for submarine cable landing applicants and licensees as well as for participants in the Emergency Alert System and Wireless Emergency Alert System. In addition, the FCC’s EA-CAM Order required that EA-CAM participating providers implement cybersecurity risk management plans and certify and submit their plans by February 12, 2024.
Given Chairwoman Rosenworcel’s impending departure from the FCC and Commissioner Carr’s ascension to the Chair, it is difficult to speculate whether and when the Commission will take any action, and to what extent it will act on the Declaratory Ruling and NPRM. We will continue to closely follow this issue and will provide updates as more information becomes available.