The FCC has made a decision that may concern AT&T, T-Mobile, and Verizon customers.
The FCC has scrapped a ruling requiring carriers to keep all parts of their networks safe.
The Federal Communications Commission (FCC) is reversing a January 2025 mandate enacted after the China-backed Salt Typhoon cyberattacks. The cyberattacks saw a Chinese hacking collective breach eight telecommunications firms, like AT&T and Verizon, and a possible attack on T-Mobile was stopped.
The mandate from former Chair Jessica Rosenworcel aimed to improve defenses against foreign threats but has been deemed unlawful and ineffective.
The January 2025 mandate was approved near the end of Joe Biden's presidency. The current FCC, led by Chair Brendan Carr, is now reversing it. Carr stated that the "prior FCC" exceeded its authority in enacting the mandate and that its response was unsuitable.
The core issue is the interpretation of the Communications Assistance for Law Enforcement Act (CALEA). Passed in 1994, this law requires providers to ensure surveillance capabilities are in place to address legal requests for data. It is meant to enable law enforcement to conduct surveillance without compromising the privacy of unrelated data.
Rosenworcel's FCC held providers accountable, based on its interpretation of CALEA, for preventing unauthorized interception of communications. It stipulated that providers must protect their networks from unauthorized interception and implement management practices across their entire network.
Carr's FCC contends that CALEA was misinterpreted, arguing that the law only permits lawful wiretaps or monitoring within a defined area of networks.
Carr's FCC has chosen to implement a collaborative and flexible approach to secure networks and has been in talks with providers to strengthen protections. Providers have put in place "additional cybersecurity controls to harden their networks," by patching vulnerabilities, updating access controls, and closing unnecessary connections. Telecoms have also committed to sharing more cyber threat data.
The FCC also claims that the January 2025 mandate broadly required all providers to take steps to prevent all unlawful interception of call data, without offering any guidance on how to do so. This placed providers in a difficult position, as the guidelines were hard to implement. The blanket approach also forced providers to adopt expensive measures that were not relevant to the threats they faced.
The current FCC also objects to the previous FCC's rapid approval of the mandate, which bypassed the 'notice and comment' process. This process involves taking public feedback into account before developing final rules.
Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses. In doing so, we will also reverse an eleventh hour CALEA declaratory ruling reached by the prior FCC—a decision that both exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats. So, we’re correcting course.
Brendan Carr, Chairman FCC, October 2025
Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses. In doing so, we will also reverse an eleventh hour CALEA declaratory ruling reached by the prior FCC—a decision that both exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats. So, we’re correcting course.
Threats to US carriers have not abated. If anything, attacks, particularly those from China, are getting more sophisticated. In the face of these evolving threats, effective cybersecurity measures are urgently needed.
The Salt Typhoon attacks exploited common vulnerabilities and avoidable weaknesses to infiltrate networks. The FCC is collaborating with federal agencies and providers to protect networks from such attacks. This includes monitoring network outages caused by cyber incidents.
The difference in these and prior measures is that they are targeted, rather than being inflexible and ambiguous.
Carr's FCC recognizes that malicious actors have repeatedly launched cyberattacks on US telecoms.
Industry groups like CTIA, NCTA, and USTelecom asked the FCC to rescind the January 2025 mandate, noting that the industry had voluntarily invested in strengthening defenses after Salt Typhoon and would continue to do so to address emerging threats. It also contended that collaboration between providers and the government enabled service providers to respond quickly to Salt Typhoon.
The groups also asserted that state-backed attackers like Salt Typhoon have unlimited resources that private companies alone could not counter.
While Rosenworcel's FCC may have misinterpreted CALEA, its requirement, however broad, obligated providers to act to prevent all unauthorized interception. This zero-tolerance approach seemed better, at least in theory, to encourage AT&T, T-Mobile, and Verizon to be vigilant about network security.
The reversal of the mandate could cause providers to become less diligent and put their users at risk again.