The U.S. Federal Communications Commission (FCC) has announced decisive measures to require telecommunications companies to secure their networks, with the goal of strengthening U.S. communications against future cyberattacks, including those by state-sponsored actors in China. The agency will ensure that carriers secure their networks.
FCC Chairman Jessica Rosenworcel said in a press release: "The cybersecurity of our nation's critical communications infrastructure is essential to advancing national security, public safety, and economic security," FCC Chairwoman Jessica Rosenworcel said in a press release. "As technology continues to advance, so do the capabilities of adversaries, which means the U.S. must adapt and strengthen our defenses. As the Commission's counterparts in the intelligence community determine the scope and impact of the Salt Typhoon attack, we need a modernized framework to help companies better secure their networks and prevent and respond to cyberattacks in the future."
Rosenworcel shared with her fellow commissioners a draft declaratory judgment that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) affirmatively requires telecommunications companies to secure their networks from unlawful access or interception of communications. Accompanying this action is a proposal that would require telecommunications service providers to annually certify to the FCC that they have created, updated, and implemented a cybersecurity risk management plan, which would bolster communications from future cyberattacks.
If adopted, the declaratory judgment will go into effect immediately. In addition, the draft Notice of Proposed Rulemaking (NOPR) will seek comments on cybersecurity risk management requirements for a wide range of telecommunications providers. The proposal will also seek comment on additional ways to strengthen the cybersecurity posture of telecommunications systems and services.
In the next steps, the FCC specified that these proposed measures are available to the five FCC members. They can choose to vote on them at any moment. If adopted, the declaratory ruling will go into effect immediately. If the NOPR is adopted, it will open for public comment the Cybersecurity Compliance Framework, which is part of a broader effort to secure the country's communications infrastructure.
"On December 4, 2024, a top U.S. security agency confirmed reports that state-sponsored foreign actors from the People's Republic of China infiltrated at least eight U.S. telecommunications companies, compromising sensitive systems and exposing vulnerabilities in critical communications infrastructure," according to the FCC's fact sheet. "This was part of a massive espionage campaign that affected dozens of countries."
Recent news reports have revealed that T-Mobile's network was among the systems compromised in a major Chinese cyber espionage operation. The operation targeted several US and international telecommunications companies, sources familiar with the matter confirmed.
Previous reports indicated that Verizon Communications, AT&T, and Lumen Technologies were also victims of the Salt Typhoon breaches, carried out by state-sponsored hackers from the People's Republic of China. These hackers have specifically targeted U.S. telecommunications companies, including Internet service providers, raising significant concerns about the implications for federal response strategies.
In response to the Salt Typhoon cyberattack, a sophisticated breach attributed to foreign state-sponsored actors, the Federal Communications Commission is implementing critical measures to strengthen U.S. telecommunications networks. These measures are designed to protect critical communications infrastructure, ensuring national security, public safety, and future economic resilience.
Communications networks are critical to the defense of the nation, public safety, and economic systems. While the Commission's counterparts in the intelligence community determine the scope and impact of the Salt Typhoon attack, the FCC can act now to strengthen cybersecurity safeguards and ensure resilience against future cyberattacks by adversaries. As technology evolves, so do the tactics of cyber adversaries. The Salt Typhoon attack highlights the need for proactive measures to stay ahead of emerging threats.
The agency highlighted that a cyberattack in the communications sector can affect other sectors, including healthcare, manufacturing, energy and transportation. Ensuring a secure and reliable communications infrastructure fosters confidence in the nation's ability to protect critical systems and also helps protect ordinary Americans from cyberattacks
Last month, the Commission proposed cybersecurity risk management plan requirements for applicants for submarine cable licenses. In addition, the Commission previously proposed that Emergency Alert System (EAS) and Wireless Emergency Alert System (WES) participants maintain cybersecurity risk management plans.
Earlier this week, global cybersecurity agencies warned of PRC-linked actors who have infiltrated the networks of major global telecom providers as part of a major cyber espionage campaign. On Tuesday, these agencies and their international partners released a joint guide outlining best practices for defending against these PRC-linked hackers. Last month, the CSA, CIA and FBI already warned the public about this hacking campaign.
comments