Senate Communications Spars on FCC Rollback of Post-Salt Typhoon Cybersecurity Rules
Senate Communications Subcommittee members alternated Tuesday between debating the FCC’s rollback last month of its January response to the Salt Typhoon cyberattacks and making bipartisan calls to renew the 2015 Cybersecurity Information Sharing Act. FCC Chairman Brendan Carr led the push for the agency to reverse January's declaratory ruling from the closing days of former Chairwoman Jessica Rosenworcel’s administration, which said the Communications Assistance for Law Enforcement Act Section 105 requires telecom carriers to secure their networks against cyberattacks (see 2501160041). The FCC in November also withdrew an NPRM on cybersecurity requirements that the commission issued along with the declaratory ruling (see 2511200047).
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
During Tuesday's hearing, which focused on U.S. telecom network vulnerabilities, Senate Commerce Committee Chairman Ted Cruz, R-Texas, praised the FCC for rolling back its Salt Typhoon response. The commission was “misguided” for trying “to shoehorn new cybersecurity mandates" into CALEA, first enacted in 1994, Cruz said. Carr’s “decision to shift away from ineffective and burdensome requirements is consistent with both the [FCC’s] legal authority and sound policy.” Federal agencies “cannot regulate their way into creating perfect network security, and attempts to do so will backfire,” Cruz added. The government “must incentivize genuine cooperation so that communications networks can focus on anticipating the next attack, not just responding to the last one.”
Senate Commerce ranking member Maria Cantwell of Washington and other Democrats criticized the FCC for reversing course. Cantwell, who previously urged Carr to cancel the rollback (see 2511180060), said Tuesday that the FCC was “letting these guys off the hook” amid rising vulnerabilities for U.S. networks. She also criticized AT&T and Verizon for not providing her with information she sought in June on potential vulnerabilities in their networks related to Salt Typhoon (see 2506120084).
Senate Homeland Security Committee ranking member Gary Peters, D-Mich., and Communications ranking member Ben Ray Lujan, D-N.M., both pressed USTelecom on why it lobbied the FCC in favor of the rollback. The “rule to require telecommunications providers to have a cybersecurity plan and then stick to it … is pretty commonsense,” Peters told Robert Mayer, USTelecom's senior vice president of cybersecurity and innovation. “The rollback of these rules … erodes our ability to prevent future attacks [and appears to be] part of a broader trend" of Trump administration officials undermining cybersecurity institutions.
Telecom “companies are basically leaving their front doors unlocked after a data break-in, and the FCC has decided to take their word when they promise they’ve installed deadbolts and security cameras,” Lujan said. “Which of [the] basic protections [the FCC required in January] was too burdensome for your member organizations?" he asked Mayer, citing provisions for requiring "minimum password strength, adopting multi-factor authentication and patching known vulnerabilities.”
'Rushed Regulatory Effort'
Mayer argued that the January rules “were ineffective. It would not have produced the results that we're looking for.” Salt Typhoon didn’t bypass “a checklist or a compliance thing,” he said. “It was advanced defensive capabilities that are being deployed by our member companies.” China is “a very sophisticated adversary, and the way to deal with this is collaboration with government,” Mayer added. “We're making progress, and we shouldn't stifle that or kill that with a compliance regime where you have 40% to 70% of your practitioners doing paperwork.”
Jamil Jaffer, executive director of the National Security Institute at George Mason University's Scalia Law School, also backed the FCC’s U-turn, calling the rules a “rushed regulatory effort.” The agency under Carr has shifted “in favor of a number of more focused actions directed at the Chinese threat … in line with a more agile and collaborative approach to cybersecurity that has proven successful.”
Debra Jordan, a former FCC Public Safety Bureau acting chief, said the January rules aimed to “lean forward” in response to Salt Typhoon by seeking “flexible cyber standards [rather than] sit back and wait for the inevitable next attack to happen.” She's “not convinced that providers will take sufficient and sustained actions … without a strong verification regime” and recommended that Congress encourage the FCC to “to require the [National Institute of Standards and Technology’s] cybersecurity framework or similar guidance for all telecom providers.”
Senate Communications Chair Deb Fischer, R-Neb., voiced skepticism about Jaffer’s proposal that Congress consider “impaneling an outside commission,” similar to the 9/11 Commission, “to look at what happened in Salt Typhoon [and examine] what we should do" to restore effective cyber collaboration between “the executive branch, the legislature and industry.” Jaffer noted that he was a member of the Department of Homeland Security's now-defunct Cyber Safety Review Board, which aimed to examine Salt Typhoon but was “unable to even get off the ground” amid the transition from President Joe Biden to President Donald Trump.
“The problem with any commissions is [that] by the time we get the report, it's past due,” Fischer said. “It's [very] difficult to be able to get any movement forward from the recommendations that are put into place.” She hopes she and Lujan can “cut through things and try and move quicker so that we can have private industry be able to work with the federal government to get us the information we need.” Lujan backed Jaffer’s proposal but also seeks restoration of the DHS cyber board.