Cybersecurity


In the January 21, 2025, edition of the ICORE Blog, we discussed a major security breach affecting U.S. telecommunications networks. The incident was dubbed the Salt Typhoon attack. A top U.S. security agency confirmed at that time that entities sponsored by the People’s Republic of China infiltrated at least eight U.S. telecommunications companies and gained access to sensitive systems. In response to the Salt Typhoon attack, on January 15, 2025, the Commission adopted a Declaratory Ruling and a Notice of Proposed Rulemaking (NPRM) addressing this incident and the larger issue of protecting the nation’s communications networks from cybersecurity threats and attacks.

 

The January 15, 2025, Declaratory Ruling was effective immediately and concluded that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access. The Declaratory Ruling further stated that telecommunications carriers’ duties under Section 105 extend not only to the equipment they choose to deploy in their networks, but also to how they manage their networks. The NPRM proposed to adopt specific cybersecurity and supply chain risk management requirements for a broader universe of service providers, including facilities-based fixed and mobile Broadband Internet Access Service providers, wireline communications providers, and interconnected VoIP providers. The NPRM recognized that EA-CAM providers were already required to implement Cybersecurity and Risk Management Plans; however, the NPRM proposed increased responsibilities for these carriers as well, in terms of audit requirements and annual certification requirements.

 

At its November 20, 2025, Open Meeting, the Commission approved an Order on Reconsideration (Order) rescinding the January 15, 2025, Declaratory Ruling and withdrawing the accompanying NPRM. This Order concludes that the January 2025 Declaratory Ruling misinterpreted CALEA and unnecessarily raised and purported to resolve issues that were not appropriate for consideration in the absence of public input. The Order further concludes that the Declaratory Ruling’s approach to cybersecurity was an unlawful and ineffective response. Further, the Order states that the Commission should instead continue to pursue a more industry-collaborative approach and a more legally sound rulemaking and enforcement process. In withdrawing the NPRM, the Commission expressed support for a targeted approach to achieving effective cybersecurity rather than a one-size-fits-all approach of a single rulemaking to govern all Commission licenses.

 

A Press Release announcing the Commission’s action to rescind the January 2025 Declaratory Order and NPRM states that the November 20, 2025, Order follows a months-long engagement with communications providers where they have agreed to take extensive, urgent, and coordinated efforts to mitigate operational risks, protect consumers, and preserve national security interests against the range of cyberattacks that target their networks. In addition, the Press Release cites other actions taken by the Commission this year to address network security, including the establishment of the Council on National Security, whose aim is to facilitate the Commission’s interaction with national security partners to mitigate America’s vulnerabilities to cyberattacks, espionage, and surveillance by foreign adversaries. The Order was adopted with Chairman Carr and Commissioner Trusty approving. Commissioner Gomez dissented.
