The Federal Communications Commission (FCC) is set to vote on November 20 to rescind a cybersecurity directive issued in January 2025, days before the end of the Biden administration.
The rule reinterpreted the Communications Assistance for Law Enforcement Act (CALEA) to require telecom companies to adopt mandatory network security measures following the Salt Typhoon cyberespionage campaign, a Chinese government-backed operation that breached at least nine major U.S. telecommunications providers.
Under Chairman Brendan Carr, the new FCC argues that the earlier ruling contained legal and policy shortcomings.
Instead of blanket mandates, the Commission plans to introduce a voluntary cybersecurity framework centered on private-sector partnerships, targeted rules, and information sharing.
Supporters say this approach avoids overreach and stays within existing laws, while critics caution that it may leave infrastructure more exposed to future state-sponsored attacks.
Why It Matters: The FCC’s decision represents a change in how the federal government approaches cybersecurity in the telecom sector, emphasizing industry self-regulation rather than enforced minimum standards. After the Salt Typhoon breach exposed weaknesses in systems that carry sensitive government and public communications, the rollback has prompted questions about legal boundaries and national security readiness amid ongoing cyber threats.
- FCC Rejects Broad Reading of CALEA as Cybersecurity Mandate: The central issue is the January 2025 Declaratory Ruling that expanded CALEA, a 1994 wiretap law, to require telecom companies to secure their entire networks against unauthorized access. The current FCC contends that this interpretation exceeded the statute’s scope. Section 105 of CALEA focuses on ensuring that lawful wiretaps occur within a carrier’s switching premises, and the Commission states that broader cybersecurity requirements would require separate rule-making. The FCC also noted that the earlier decision extended the legal definition of interception beyond its established meaning of real-time access to communications in transit.
 
- Voluntary Commitments Replace Mandated Requirements: The FCC highlights voluntary measures that telecom companies have implemented since the Salt Typhoon breach. These include faster patching of vulnerabilities, reviewing remote access settings, restricting outbound connections, improving threat detection, and coordinating more closely with federal agencies. Industry groups have also set up new information-sharing channels, including the Communications Cybersecurity ISAC and a cross-border forum for telecom security leaders.
 
- Salt Typhoon Cyberattack as the Flashpoint: The January ruling followed the Salt Typhoon campaign, a multi-year cyberespionage operation attributed to Chinese state-linked actors that targeted major telecom providers, including Verizon, AT&T, and Lumen, with attempted but unsuccessful access to T-Mobile. According to U.S. officials, the attackers obtained call records and, in some instances, intercepted communications involving more than 150 prominent individuals. Officials also said the breach might have been more difficult to carry out if stronger baseline security measures had been in place across the industry.
 
- Industry Pushback and FCC Criticism of the Biden-Era Rule: Telecom industry associations challenged the January ruling, saying it created an unclear and overly broad compliance framework. In a formal petition, CTIA, NCTA, and USTelecom said the directive lacked specificity and legal grounding. The current FCC concurred, stating the rule did not clearly identify key vulnerabilities or define what data required protection, and that it did not account for existing security measures already in place.
 
- Targeted Oversight to Continue in High-Risk Areas: While reversing the broader mandate, the FCC stated it is pursuing more limited cybersecurity measures in areas where its authority is well established. These include proposed risk management requirements for submarine cable operators, restrictions on foreign-controlled testing facilities, and reviews of companies with ties to the Chinese government that appear on the FCC’s Covered List. The agency also created a Council on National Security in March 2025 to coordinate future cybersecurity initiatives. The FCC reported that collaboration with industry partners has improved security practices since the Salt Typhoon incident and said its future focus will be on supporting, rather than directing, those efforts.
 
FCC Set to Reverse Course on Telecom Cybersecurity Mandate – The Cyber Express
