The Federal Communications Commission voted 2-1 along party lines on Thursday to scrap rules that required U.S. phone and internet giants to meet certain minimum cybersecurity requirements.
The FCC’s two Trump-appointed commissioners, chairman Brendan Carr and his Republican colleague Olivia Trusty, voted to withdraw the rules that require telecommunications carriers to “secure their networks from unlawful access or interception of communications.” The Biden administration had adopted these rules prior to leaving office earlier this year.
The FCC’s sole Democratic commissioner, Anna Gomez, dissented. In a statement following the vote, Gomez called the now-overturned rules the “only meaningful effort this agency has advanced” since the discovery of a sweeping campaign by a China-backed hacking group called Salt Typhoon that involved hacking into a raft of U.S. phone and internet companies.
The hackers broke into more than 200 telcos, including AT&T, Verizon and Lumen, during the years-long campaign to conduct broad-scale surveillance of American officials. In some cases, the hackers targeted wiretap systems that the U.S. government previously required telcos to install for law enforcement access.
The FCC’s move to change the rules sparked rebuke from senior lawmakers, including Sen. Gary Peters (D-MI), the ranking member of the Senate Homeland Security Committee. Peters said he was “disturbed” by the FCC’s effort to roll back “basic cybersecurity safeguards” and warned that doing so will “leave the American people exposed.”
Sen. Mark Warner (D-VA), the ranking member of the Senate Intelligence Committee, said in a statement that the rule change “leaves us without a credible plan” to address the basic security gaps exploited by Salt Typhoon and others.
For its part, the NCTA, which represents the telecommunications industry, praised the scrapping of the rules, calling them “prescriptive and counterproductive regulations.”
But Gomez warned that while collaboration with the telecommunications industry is valuable for cybersecurity, it is insufficient without enforcement.
“Handshake agreements without teeth will not stop state-sponsored hackers in their quest to infiltrate our networks,” said Gomez. “They won’t prevent the next breach. They do not ensure that the weakest link in the chain is strengthened. If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon.”
