FCC Drops Telecom Cyber Rules Despite China Espionage Warnings

Experts say the FCC’s rollback of cyber rules leaves U.S. telecom networks exposed to escalating China-linked espionage threats.

Written by Ken Underhill
Nov 21, 2025

The FCC voted Thursday to eliminate newly adopted cybersecurity requirements for U.S. telecom providers, rolling back what critics say was the agency’s most significant response to China-linked intrusions into American communications networks.

In a 2–1 vote along party lines, the commission withdrew its previous determination that telecom carriers must secure their networks under the 1994 Communications Assistance for Law Enforcement Act (CALEA).

Experts Warn FCC Reversal Endangers U.S. Networks

The decision reverses policy adopted in the final days of the Biden administration that would have required carriers to meet minimum cybersecurity standards. 

The rollback drew swift criticism from politicians and cybersecurity experts, who warned that stronger safeguards are essential following the China-backed Salt Typhoon campaign, which infiltrated more than 200 telecom providers — including AT&T, Verizon, and Lumen — over several years.

“Scrapping mandatory cybersecurity baselines for telecommunications carriers is reckless policy at the worst possible moment. Chinese state-sponsored APT groups, including Salt Typhoon, have already compromised multiple U.S. telcos this year, exfiltrating call records and intercepting lawful wiretap systems,” said Jaya Baloo, Co-Founder, COO and CISO at AISLE.

She explained, “These federal requirements drove measurable improvements in network segmentation, zero-trust architecture deployment, and supply chain vetting that directly counter persistent threats to SS7, Diameter, and core telecom routing infrastructure.”

Jaya added, “Eliminating enforceable standards creates a patchwork of defenses across interconnected networks, guaranteeing that adversaries will exploit the weakest links to access 911 systems, government communications, and critical infrastructure that depends on telecom resilience.”

Eliminating the rules “will leave the American people exposed,” said Sen. Gary Peters (D-MI), ranking member of the Senate Homeland Security Committee. 

Sen. Maria Cantwell (D-WA), ranking member of the Commerce Committee, similarly urged the commission to preserve the standards, noting in a letter that “our efforts should be focused on further enhancing the cybersecurity of our critical infrastructure networks, not rolling back existing protections.”

FCC Commissioner Anna Gomez, the sole Democrat on the panel, issued a sharp dissent. 

She called the withdrawn standards “the only meaningful effort this agency has advanced” since the discovery of the Salt Typhoon campaign, which involved state-sponsored Chinese hackers targeting not only telecom networks but also the lawful intercept systems carriers are required to maintain for law enforcement.

Why the FCC’s Cyber Rules Mattered

The scrapped rules stemmed from the FCC’s earlier interpretation that CALEA obligated telecoms to protect network systems from “unlawful access or interception.” 

The standards would have required carriers to implement baseline cybersecurity measures to prevent intrusions, safeguard sensitive communications data, and ensure the integrity of surveillance infrastructure.

Security officials have pointed to the Salt Typhoon operation as a stark example of what weak standards can enable. 

According to federal investigators, the group quietly penetrated U.S. telecom networks for years, harvested sensitive information tied to U.S. government officials, and in some cases breached wiretap systems themselves — potentially giving foreign actors visibility into domestic law enforcement operations.

Gomez emphasized that relying on voluntary cooperation from carriers is insufficient to counter state-sponsored threats. “Handshake agreements without teeth will not stop state-sponsored hackers in their quest to infiltrate our networks,” she said. “They won’t prevent the next breach.”

Telecoms Praise Rollback, But Security Concerns Mount

The Internet & Television Association (formerly known as NCTA), which represents major telecom and broadband providers, welcomed the FCC’s reversal, calling the discarded rules “prescriptive and counterproductive regulations.” 

Industry groups have long argued that rigid federal mandates would inhibit innovation and impose costly compliance burdens.

However, congressional leaders from both parties have voiced concern about the lack of enforceable standards. 

Sen. Mark Warner (D-VA), chair of the Senate Intelligence Committee, noted that the decision “leaves us without a credible plan” to respond to the vulnerabilities that Salt Typhoon and other nation-state actors have exploited.

The underlying tension highlights a broader challenge in U.S. infrastructure protection: while telecom networks serve as the backbone of national communications, the federal government has limited authority to impose uniform cybersecurity standards across providers. 

This governance gap has left much of the industry self-regulated — an arrangement some lawmakers say is no longer tenable in an era of advanced espionage campaigns.

Telecom Security at a Crossroads

Following the vote, Carr said the FCC would pursue alternative approaches to protecting U.S. communications networks, though he offered limited details about what future actions may entail. 

He emphasized that the commission intends to move away from prescriptive mandates toward “collaborative” approaches with industry.

Security experts caution that without enforceable requirements, many carriers may continue to underinvest in critical security controls, particularly smaller providers with limited resources. 

The stakes, they argue, extend far beyond consumer privacy: telecom networks underpin emergency services, government operations, military communications, and vital infrastructure.

As lawmakers weigh legislative responses and the FCC reassesses its approach, the debate highlights a core national challenge: protecting U.S. communications infrastructure from advanced foreign threats while relying on voluntary industry security practices that may not meet today’s risk landscape.
