FCC Rescinds Cybersecurity Ruling: Regulatory Whiplash Creates Uncertainty for Telecom Sector


December 2025 — In a dramatic reversal that has sent shockwaves through the telecommunications industry, the Federal Communications Commission voted 2-1 on November 20, 2025, to rescind cybersecurity requirements established just ten months earlier. The move eliminates mandated security protections that were implemented directly in response to China's devastating Salt Typhoon espionage campaign, leaving the sector navigating a landscape of voluntary compliance and uncertain accountability.

The Reversal: From Mandate to Handshake

The rescinded ruling, originally adopted on January 16, 2025, during the final days of the Biden administration, had declared that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) "affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications." The interpretation expanded CALEA's scope beyond its original 1994 intent of enabling lawful wiretaps to encompass comprehensive network security obligations.

Under the January ruling, telecommunications carriers faced immediate requirements to implement fundamental cybersecurity practices including role-based access controls, changing default passwords, enforcing minimum password strength requirements, and adopting multifactor authentication. A companion Notice of Proposed Rulemaking sought to extend these requirements to a broader range of service providers, including broadband providers, cable operators, wireless carriers, and satellite providers, while mandating annual certifications of cybersecurity risk management plans.

FCC Chairman Brendan Carr, who led the November rescission alongside Republican Commissioner Olivia Trusty, characterized the original ruling as "neither lawful nor effective," arguing it represented a "rushed and eleventh-hour approach to cybersecurity" that misinterpreted CALEA's statutory authority. Carr contended that the statute was designed to ensure carriers could facilitate lawful wiretaps within specific network portions, not to impose network management practices across entire infrastructures.

Salt Typhoon: The Catalyst That Wasn't Enough

The timing makes the reversal particularly striking. The January 2025 cybersecurity ruling came as a direct response to Salt Typhoon, one of the most sophisticated and damaging cyber espionage campaigns in U.S. history. The China-backed operation, attributed to the Ministry of State Security and executed through private cybersecurity companies including Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology, compromised at least nine major U.S. telecommunications providers.

The scope of Salt Typhoon's reach is staggering. According to FBI statements, the operation infiltrated more than 200 companies across 80 countries, with attacks dating back to at least 2019 and possibly as early as 2021. Former FBI cyber official Cynthia Kaiser claimed it's nearly impossible to envision any American who wasn't impacted by the five-year campaign that had "full reign access" to U.S. telecommunications data. In the United States alone, confirmed victims include AT&T, Verizon, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. The hackers gained access to wiretap systems used for court-authorized surveillance, compromised communications of political figures including candidates in the 2024 presidential election, and obtained phone data on more than one million people in the Washington, D.C. area. Recent intelligence assessments reveal that Salt Typhoon has expanded beyond traditional telecommunications targets to infiltrate critical data center infrastructure, with data center giant Digital Realty and mass media titan Comcast identified as likely victims.

Salt Typhoon's technical sophistication involved exploiting known vulnerabilities in Cisco routers and network devices, deploying the "GhostSpider" backdoor malware for persistent access, and using anti-forensic techniques to evade detection. Researchers from Recorded Future's Insikt Group observed continued Salt Typhoon activity through January 2025, with the group attempting to compromise over 1,000 Cisco devices globally even after the initial breach disclosure.

Senate Intelligence Committee Chair Mark Warner called Salt Typhoon "the worst telecom hack in our nation's history—by far," while Senator Marco Rubio described it as "the most disturbing and widespread incursion into our telecommunication systems in the history of the world." Despite this unprecedented national security crisis, the FCC's response has been to eliminate the regulatory framework designed to prevent recurrence.

The New Framework: Collaboration Without Enforcement

In place of enforceable requirements, the FCC now relies on what Chairman Carr describes as "targeted measures and public-private collaboration." According to the rescission order, telecommunications providers have voluntarily agreed to implement enhanced cybersecurity controls including accelerated patching schedules, access control reviews, improved threat-hunting capabilities, disabling unnecessary outbound connections, and increased information-sharing with the federal government.

FCC Commissioner Olivia Trusty endorsed this approach, stating it "affirms the FCC's commitment to act within its regulatory authority" while pursuing "targeted and enforceable" actions. She emphasized that the decision "does not signal a retreat from our cybersecurity mission" but rather reflects recognition that "one of the most effective defenses against foreign threats comes from a dynamic partnership between the federal government and the private sector."

Leon Kenworthy, chief of the FCC's cybersecurity division, characterized the January requirements as "redundant" given the voluntary steps industry has undertaken. The telecommunications industry, represented by trade associations including the CTIA, NCTA, and USTelecom, praised the rescission, calling the original rules "prescriptive and counterproductive regulations."

Democratic Opposition: "Invitation for the Next Breach"

The reversal drew sharp criticism from Democratic lawmakers and FCC Commissioner Anna Gomez, who cast the lone dissenting vote. In her statement, Gomez warned that the FCC's action "reverses the only meaningful effort this agency has advanced in response to" the Salt Typhoon attack.

"Simply trusting industry to police itself is an invitation for the next breach," Gomez argued. "Handshake agreements without teeth will not stop state-sponsored hackers in their effort to infiltrate networks. They will not prevent the next breach. If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon."

Senator Gary Peters (D-MI), ranking member of the Senate Homeland Security Committee, stated he was "disturbed by the FCC's efforts to roll back these basic cybersecurity safeguards," warning that doing so will "leave the American people exposed and erode efforts to harden our national security against attacks like these in the future."

Senator Maria Cantwell (D-WA), ranking member of the Senate Commerce Committee, wrote directly to Chairman Carr arguing that the January ruling "simply brought the agency's interpretation of the statute in line with current network realities" and represented "a commonsense acknowledgement that providers are responsible for protecting public safety against cybersecurity threats." She emphasized that "after Salt Typhoon, our efforts should be focused on further enhancing the cybersecurity of our critical infrastructure networks, not rolling back existing protections."

Senator Mark Warner (D-VA), ranking member of the Senate Intelligence Committee, said the reversal "leaves us without a credible plan" to address the fundamental security gaps that Salt Typhoon and other threat actors have exploited.

Regulatory Uncertainty and Industry Implications

For telecommunications providers, the November reversal creates a landscape of regulatory uncertainty unprecedented in the cybersecurity context. Organizations that had begun implementing compliance frameworks for the January requirements now face questions about whether to maintain those investments without regulatory mandate, how to navigate the shift from enforceable standards to voluntary commitments, and what liability exposure exists in the absence of clear regulatory baseline requirements.

The voluntary approach raises critical questions about accountability. Under the rescinded framework, carriers faced potential enforcement actions and monetary penalties for failing to implement basic cybersecurity practices. The new model relies on industry goodwill and competitive pressure, with no clear mechanism for ensuring consistent security posture across the sector or holding organizations accountable for failures that result in breaches. This liability gap is particularly concerning given the surge in data breach class action lawsuits, which have nearly tripled since 2022.

The legal ambiguity compounds the operational challenges. While Chairman Carr argues that CALEA was never intended to support comprehensive cybersecurity mandates, the practical reality is that telecommunications infrastructure represents critical national security assets that require protection. The question becomes whether voluntary industry commitments can provide sufficient security in the face of well-resourced, state-sponsored adversaries who have already demonstrated their ability to compromise major U.S. carriers.

International Context and Ongoing Threats

The FCC's reversal comes as international partners continue to grapple with Salt Typhoon's global reach. In August 2025, a joint technical report signed by U.S. agencies including the FBI, NSA, and CISA, along with intelligence bodies from Australia, Canada, Germany, Japan, and the United Kingdom, detailed how the campaign targeted government, transportation, lodging, and military infrastructure networks worldwide since 2021.

Salt Typhoon's persistence demonstrates the inadequacy of reactive approaches. Despite sanctions imposed by the U.S. Treasury Department in January 2025 against Sichuan Juxinhe Network Technology and hacker Yin Kecheng (associated with the separate Treasury Department breach), the group continued targeting telecommunications providers throughout early 2025. Recorded Future observed scanning and exploitation attempts in December 2024 and January 2025, including attacks on universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, and multiple U.S. institutions.

The Australian Security Intelligence Organisation and other Five Eyes partners have warned of ongoing threats to global telecommunications infrastructure, with particular concern about China's demonstrated capability to maintain persistent access to critical systems. Meanwhile, the European Union has taken a different regulatory approach with comprehensive cybersecurity frameworks including NIS2, DORA, and the Cyber Resilience Act.

The strategic implications of Salt Typhoon extend beyond immediate data theft. China's Ministry of State Security has transformed into the world's most formidable cyber power, with patient, persistent operations that establish access and wait—sometimes for years—positioning for long-term strategic advantage rather than immediate disruption.

What This Means for CISOs and Security Leaders

For cybersecurity professionals in the telecommunications sector, the regulatory reversal creates both challenges and opportunities:

Immediate Implications:

  • No regulatory mandate exists for baseline cybersecurity practices that were considered fundamental just months ago
  • Organizations must decide independently whether to maintain or enhance security investments without compliance drivers
  • Liability and accountability frameworks remain unclear in the absence of enforceable standards
  • Industry commitments to voluntary measures may face pressure from cost-reduction initiatives

Strategic Considerations:

  • Security programs must be justified through risk-based arguments rather than regulatory compliance
  • Documentation of voluntary security measures and board-level decisions becomes critical for liability protection
  • Industry collaboration and information-sharing take on heightened importance in the absence of regulatory oversight
  • Organizations should closely monitor potential future regulatory actions or legislation
  • Modern CISOs must navigate complex regulatory landscapes while aligning security strategy with business objectives

Operational Priorities:

  • Maintain implementation of fundamental security controls regardless of regulatory status (MFA, access controls, patching programs, network segmentation)
  • Enhance threat intelligence and detection capabilities to identify sophisticated nation-state actors
  • Participate in industry information-sharing initiatives to benefit from collective defense approaches
  • Document security posture and risk management decisions to demonstrate reasonable care

The Broader Debate: Regulation vs. Collaboration

The FCC's reversal reflects a fundamental philosophical divide in cybersecurity governance. The regulatory approach embodied in the January ruling emphasizes enforceable baseline standards, accountability through oversight and potential penalties, consistency across industry participants, and clear requirements that reduce ambiguity.

The collaborative approach now in place prioritizes flexibility to respond to evolving threats, leveraging industry expertise and operational knowledge, avoiding one-size-fits-all mandates that may be ineffective or counterproductive, and enabling rapid adaptation to new attack vectors.

Critics of the voluntary approach point to the telecommunications industry's demonstrated failure to prevent Salt Typhoon as evidence that self-regulation is insufficient. Proponents argue that prescriptive regulations can be slow to adapt and may fail to address the specific threats facing individual organizations. This debate is playing out globally as organizations navigate emerging regulations and future compliance trends.

Looking Forward: A Policy Crossroads

The November reversal may not be the final word on telecommunications cybersecurity regulation. Several factors could drive renewed regulatory action, including additional major breaches demonstrating inadequacy of voluntary measures, congressional legislation mandating specific security requirements, continued lobbying from Democratic lawmakers and national security officials, or coordination with international partners who maintain stricter telecommunications security standards.

The FCC has established the Council for National Security to leverage the Commission's regulatory, investigatory, and enforcement authorities for telecommunications security. How this body operates in the voluntary compliance framework remains to be seen.

Meanwhile, other regulatory developments continue to shape the cybersecurity landscape. The SEC announced it will review broker-dealer compliance with safeguards and incident response requirements in its 2026 examination priorities. States like Texas are investigating security camera manufacturers with potential Chinese Communist Party ties. The Global Privacy Enforcement Network conducted sweeps examining websites and mobile applications used by children.

Recommendations for the Telecommunications Sector

Despite regulatory uncertainty, telecommunications providers should maintain robust security postures:

  1. Implement Defense-in-Depth: Layer multiple security controls to protect against sophisticated adversaries, regardless of regulatory requirements
  2. Prioritize Network Segmentation: Isolate critical systems and implement strict access controls to limit lateral movement during breaches
  3. Accelerate Vulnerability Management: Given Salt Typhoon's exploitation of known Cisco vulnerabilities disclosed in 2023, rapid patching remains essential
  4. Enhance Threat Hunting: Proactive detection capabilities are critical for identifying persistent threats that evade traditional defenses. Organizations should align with CISA's critical infrastructure readiness goals while these programs remain available.
  5. Invest in Incident Response: Preparation for major breaches should include tabletop exercises, defined escalation procedures, and coordination with government agencies
  6. Maintain Information Sharing: Participate in industry ISACs and government partnerships to benefit from threat intelligence
  7. Document Risk Management Decisions: Create clear paper trails demonstrating reasonable care in security investments and risk acceptance
  8. Monitor Regulatory Developments: Stay informed about potential legislative action or future FCC rulemaking that could reinstate requirements

Conclusion: Uncertainty as the New Normal

The FCC's rescission of telecommunications cybersecurity requirements creates a regulatory vacuum at precisely the moment when threats have never been more sophisticated or consequential. Salt Typhoon demonstrated that voluntary security measures failed to prevent one of the most damaging espionage campaigns in history. Whether the shift to collaborative approaches will prove more effective remains an open question.

For cybersecurity professionals, the lesson is clear: regardless of regulatory mandates, the threat landscape demands comprehensive security programs. Nation-state adversaries like those behind Salt Typhoon don't care about regulatory frameworks or voluntary commitments. They care about vulnerable systems and exploitable networks.

The telecommunications sector now faces a critical test. Can industry self-regulation provide adequate protection for critical infrastructure that underpins national security and economic prosperity? Or will the absence of enforceable standards lead to the next major breach, prompting renewed calls for regulatory intervention?

As Senator Warner noted, the current approach "leaves us without a credible plan" to address fundamental security gaps. In cybersecurity, hope is not a strategy, and handshakes are not firewalls. The coming months will reveal whether the telecommunications industry can prove that voluntary collaboration succeeds where regulatory mandates were deemed necessary.

For organizations navigating this uncertain landscape, the prudent approach is clear: maintain robust security programs, document risk management decisions, participate in industry collaboration, and prepare for the possibility that regulatory requirements may return when, not if, the next major breach occurs.


This analysis reflects developments through December 2025. Telecommunications providers should consult legal counsel regarding specific compliance obligations and risk management strategies in light of evolving regulatory frameworks.
