The Federal Communications Commission voted 2-1 along party lines Thursday to repeal a rule requiring major U.S. phone and internet companies to meet certain minimum cybersecurity requirements.
Two Trump-appointed FCC commissioners, Chairman Brendan Carr and his Republican colleague Olivia Trustee, voted in favor of repealing a rule requiring telecommunications carriers to “protect their networks from unlawful access and interception.” The Biden administration adopted these rules before leaving office earlier this year.
Anna Gomez, the FCC's only Democratic commissioner, opposed it. In a statement after the vote, Gomez said the overturned rule was “the only meaningful effort this agency has taken” since the discovery of a massive attack involving a Chinese-backed hacker group known as Salt Typhoon that hacked dozens of U.S. phone and internet companies.
Hackers breached more than 200 telecommunications companies, including AT&T, Verizon, and Lumen, during a multiyear campaign to conduct mass surveillance of U.S. government officials. In some cases, hackers targeted wiretapping systems that the U.S. government had previously required telecommunications companies to install for law enforcement access.
The FCC's move to change the rules drew condemnation from senior lawmakers, including Sen. Gary Peters (D-MI), ranking member of the Senate Homeland Security Committee. Peters said he was “disturbed” by the FCC's efforts to roll back “basic cybersecurity protections” and warned that doing so “put the American people at risk.”
Sen. Mark Warner (D-Va.), ranking member of the Senate Intelligence Committee, said in a statement that the rule change “leads us without a credible plan” to address the fundamental security gaps exploited by Salt Typhoon and others.
Meanwhile, NCTA, which represents the telecommunications industry, praised the repeal of the rules, calling them “prescriptive and counterproductive regulations.”
But Gomez warned that while cooperation with the telecom industry is valuable for cybersecurity, it is insufficient without enforcement.
“A toothless handshake agreement will not stop state-sponsored hackers from infiltrating our networks,” Gomez said. “They can't prevent the next breach. They can't ensure that the weakest link in the chain is strengthened. If there was enough voluntary cooperation, we wouldn't be sitting here today on the heels of the Salt Typhoon.”