The Federal Communications Commission (FCC) will vote this week on whether to scrap Biden-era cybersecurity rules, enacted after the Salt Typhoon attacks came to light in 2024, that required telecom carriers to adopt basic security controls.
The regulator’s monthly open meeting, due to be held on Thursday, will dedicate time to the Communications Assistance for Law Enforcement Act (CALEA) and the rules the FCC introduced following a reinterpretation of the 1994 legislation.
In January 2025, five days before President Trump returned to the White House, the FCC adopted a declaratory ruling that imposed sweeping rules on communications organizations to prevent unauthorized access to their networks.
A declaratory ruling is a regulator’s official interpretation of a law. It is legally binding and becomes so immediately.
Under the Trump administration, the FCC wants to reverse this ruling. A fact sheet [PDF] that will be handed to those voting on Thursday cites two main reasons for the decision.
The first is that the FCC feels the ruling was unlawful. It follows strongly worded petitions made by various organizations overseen by the FCC, which claimed the regulator was acting beyond its legal powers, and its interpretation of the law, as one petition described it, was “wholly inconsistent with CALEA’s text, structure, and purpose.”
Brought to the FCC by CTIA (the Wireless Association), NCTA (the Internet and Television Association), and USTelecom (the Broadband Association), the petition [PDF] added: “Congress did not intend for CALEA to evolve into a general cybersecurity statute over three decades after its enactment.”
CALEA was introduced, in part, to maintain law enforcement’s ability to carry out lawful interceptions of communications.
However, the declaratory ruling aimed to – in the associations’ view – expansively interpret section 105 of that legislation to introduce “prescriptive, burdensome, and uniform” cybersecurity duties to “prevent all incidents of unauthorized interception of communications,” in the context of the Salt Typhoon attacks.
These “onerous” duties would have included implementing measures such as role-based access controls, adopting MFA, mandatory vulnerability patching and exploit mitigation, and changing default passwords across the networks of in-scope organizations.
The Electronic Privacy Information Center (EPIC) submitted its opposition [PDF] to the associations’ petition, arguing that their attempts to repeal the declaratory ruling were a ploy “to create a sort of safe harbor for insecure cybersecurity practices.”
Then-national security advisor Jake Sullivan and then-CISA boss Jen Easterly endorsed the declaratory ruling when it was announced [PDF], both noting that it was an important step toward improving US cybersecurity.
The second reason for the reversal, according to the FCC, is that the declaratory ruling is ineffective at promoting cybersecurity.
It argues that the ruling is not specific enough about the vulnerabilities in-scope organizations are required to patch or otherwise mitigate, and fails to account for the different requirements of each organization, which may already employ adequate safeguards to prevent related exploits.
According to the FCC’s fact sheet, the ruling also abandons the long-running practice of the regulator working with industry to identify the most pertinent risks and ways to reduce them.
It went on to say: “Instead of taking the declaratory ruling’s broad tack, we believe that the Commission should promote an agile and collaborative approach to cybersecurity as reflected in existing federal and state cybersecurity requirements and federal-private partnerships that protect and secure communications networks.
“This collaborative approach to cybersecurity includes industry participation in the Comm-ISAC; the contribution of technical expertise to CSRIC, and collaboration with other federal agencies such as NIST and CISA to help produce best practices, guidelines, and tools to reduce cybersecurity risk.”
The FCC also appeared to be satisfied with how in-scope communications organizations are improving their security standards on a voluntary basis while partnering with the federal government.
The regulator went on to note the various other commitments to cybersecurity made by the associations and the government and how this collective approach “continues to be effective.”
Described by many as one of the most impactful cyberespionage attacks, China’s Salt Typhoon campaign began in 2019 but was not detected until late 2024.
Details about the attack, which likely compromised information belonging to almost every single US resident, as well as those in more than 80 other countries, are still being unearthed a year after the initial discovery.
The Chinese state-backed attackers quietly gained access to government agencies, telecoms companies, and top universities, sucking up untold quantities of data – and likely trade secrets and other economically sensitive information – in the process.
