FCC Chair Carr Looks to Eliminate Telecom Cybersecurity Ruling
<p>In the waning days of the Biden Administration in January, the Federal Communications Commission (FCC) made a <a href="https://docs.fcc.gov/public/attachments/FCC-25-9A1.pdf" target="_blank" rel="noopener">declaratory ruling</a> that a section of a 30-year-old law that governs U.S. telecommunications companies’ cooperation with law enforcement also requires them to ensure sufficient cybersecurity protections are in place.</p><p>The decision by the FCC under then-Chair Jessica Rosenworcel came in the wake of the <a href="https://securityboulevard.com/2025/08/nsa-fbi-others-say-chinese-tech-firms-are-aiding-salt-typhoon-attacks/" target="_blank" rel="noopener">widespread attack on U.S. telecom networks</a> by the China-nexus threat group Salt Typhoon that highlighted the poor cybersecurity of the companies. At the time, Brendan Carr, then a member of the FCC, voted against the declaration.</p>
<p>Now, as FCC chair, Carr says the agency, in a meeting in November, will look to eliminate the declaration, one of the few tools the government can leverage to push telecoms like AT&T, Verizon, T-Mobile, and Lumen to improve their cybersecurity protections.</p><p>In a <a href="https://www.fcc.gov/news-events/blog/2025/10/29/halloween-treats" target="_blank" rel="noopener">blog post this week</a>, Carr wrote that doing so will “reverse an eleventh-hour” declaratory ruling to the 1994 Communications Assistance for Law Enforcement Act (CALEA) that he called “a decision that both exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.”</p><p>“So, we’re correcting course,” he wrote.</p><h3>‘Pressing National Security’ Need</h3><p>In making the declaratory ruling, the FCC in January wrote that CALEA “affirmatively requires” that carriers “secure their networks from unlawful access or interception of communications.”</p><p>“There is a pressing national security and public safety need to take additional measures to safeguard our nation’s communications systems from real and present cybersecurity threats,” the FCC said in the ruling. “The federal government must be able to maintain communication capabilities to fulfill its most critical and time-sensitive missions under any circumstances.”</p><p>The agency pointed to a <a href="https://media.defense.gov/2024/Feb/07/2003389935/-1/-1/1/CSA-PRC-COMPROMISE-US-CRITICAL-INFRASTRUCTURE.PDF" target="_blank" rel="noopener">2024 advisory</a> issued by U.S. 
agencies – including CISA, the National Security Agency, and the FBI – and their counterparts in other countries warning that the “People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. The advisory includes the communications sector among the targeted critical infrastructure segments.”</p><p>The Salt Typhoon long-term intrusion into carrier networks – which allowed it to steal large amounts of data, including phone call information and audio and text messages – was called among the most <a href="https://docs.fcc.gov/public/attachments/FCC-25-9A3.pdf" target="_blank" rel="noopener">damaging cyberattacks</a> against the United States, with Senator Ron Wyden (D-OR) <a href="https://securityboulevard.com/2025/04/wyden-to-hold-up-trump-cisa-nominee-over-telecom-cover-up-report/">saying</a> late last year that “telecom companies and federal regulators were asleep on the job and as a result, Americans’ calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security.”</p><h3>Collaboration, Not Regulation</h3><p>In his blog post, Carr wrote that telecom providers have taken “substantial steps … to strengthen their cybersecurity defenses” after “extensive FCC engagement.”</p><p>The FCC’s upcoming vote on the declaratory ruling comes despite efforts by outside groups, including the Electronic Privacy Information Center (EPIC), Public Knowledge, and R Street, which over the summer lobbied the agency to keep it in place. 
EPIC supported the ruling, “emphasizing the unprecedented nature of the Salt Typhoon hack, the unique role the FCC must play as a federal telecom regulator, and the directives of Congress as expressed through CALEA,” the organization wrote in a <a href="https://epic.org/epic-leads-civil-society-support-for-post-salt-typhoon-fcc-cybersecurity-order/" target="_blank" rel="noopener">blog post</a> in August.</p><p>It had supported the ruling with a <a href="https://www.fcc.gov/ecfs/document/10730115135731/2" target="_blank" rel="noopener">lengthy memo</a> and, in February, filed another memo <a href="https://epic.org/documents/oppo-to-pet-for-recon-in-re-protecting-the-nations-communications-systems-from-cybersecurity-threats/" target="_blank" rel="noopener">opposing an effort</a> by the trade groups, including the Cellular Telecommunications and Internet Association (CTIA), NCTA (formerly known as the National Cable and Telecommunications Association), and USTelecom, urging the FCC to <a href="https://www.fcc.gov/ecfs/search/search-filings/filing/102183024015116" target="_blank" rel="noopener">reconsider the declaratory ruling</a>.</p><p>However, some organizations disagreed with the FCC’s declaratory ruling. The American Action Forum, a right-leaning think tank, said the FCC was <a href="https://www.americanactionforum.org/insight/fcc-may-be-overstepping-on-cybersecurity/" target="_blank" rel="noopener">overstepping its boundaries</a>, adding that while defending U.S. networks against Chinese intrusions was important, the agency was expanding its authority without gaining Congressional approval.</p><h3>Ribbon Reports Network Hack</h3><p>Carr’s blog post also comes around the same time that Ribbon Communications, which sells networking and communications equipment to a number of global carriers, announced in a <a href="https://investors.ribboncommunications.com/node/23216/html" target="_blank" rel="noopener">10-Q quarterly report</a> with the U.S. 
Securities and Exchange Commission (SEC) that a nation-state threat group had hacked into its networks and likely had spent almost a year inside before being detected.</p><p>Ribbon didn’t name the threat group or the country that supports it, though it has the hallmarks of a Chinese nation-state operation. The company said it “became aware” of the intrusion in early September, adding that a preliminary investigation found “that initial access by the threat actor may have occurred as early as December 2024, with final determinations dependent on completion of the ongoing investigation.”</p><p>Ribbon executives said they were unaware of evidence indicating that the bad actors had accessed or exfiltrated any “material information,” but said that “several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor, and those customers have been notified by the Company.”</p><p>They said Ribbon is strengthening the security of its networks, though they didn’t give details.</p><p>Ribbon, which has more than 1,000 customers around the world, sells equipment to such carriers as BT, Verizon, Deutsche Telekom, Tata, and SoftBank, as well as regional carriers. Other customers include government agencies – including the U.S. 
Defense Department and the City of Los Angeles – and other organizations in such fields as healthcare, education, and finance.</p>