The Federal Communications Commission plans to vote in November to repeal a January 2025 ruling that required internet service providers to secure their networks against unlawful access. Chairman Brendan Carr argues the measure exceeded the agency's authority and favors voluntary commitments from carriers instead. The decision follows lobbying from major telecom groups against the ruling, which was adopted in response to cybersecurity threats like the Salt Typhoon attacks.
In January 2025, just before Republicans gained majority control of the FCC, the commission adopted a declaratory ruling under the 1994 Communications Assistance for Law Enforcement Act (CALEA). This ruling interpreted section 105 of CALEA as requiring telecommunications carriers to secure their networks from unlawful access or interception, extending duties to equipment choices and network management practices. It was a response to Chinese cyberattacks, including the Salt Typhoon infiltration of providers like Verizon and AT&T, which compromised routers and switches by exploiting outdated equipment and weak protocols.
The ruling, paired with a Notice of Proposed Rulemaking for stricter standards, emphasized basic cybersecurity hygiene such as role-based access controls, strong passwords, multifactor authentication, and vulnerability patching. Then-Chairwoman Jessica Rosenworcel defended it, stating, 'This is common sense,' and noting that CALEA requires carriers to ensure interceptions occur only with lawful authorization and carrier intervention.
However, cable, fiber, and mobile operators protested. In February, CTIA-The Wireless Association, NCTA-The Internet & Television Association, and USTelecom-The Broadband Association petitioned to reverse it, arguing CALEA only facilitates lawful intercepts and the FCC lacks authority for technical standards.
Under Chairman Brendan Carr, the FCC now views the ruling as 'unlawful and unnecessary.' A draft order for the November 20 vote will rescind it and withdraw the rulemaking, opting for a 'targeted approach' through federal-private partnerships. Carr highlighted carriers' voluntary steps, including accelerated patching, access control updates, disabling unnecessary connections, improved threat-hunting, and enhanced information sharing. The order argues the prior interpretation erroneously expanded CALEA beyond wiretap facilitation to mandate network-wide practices.