Chairman of the Federal Communications Commission (FCC) Brendan Carr testifies before the House Subcommittee on Financial Services and General Government on oversight of the FCC, on Capitol Hill in Washington, DC on May 21, 2025. BRENDAN SMIALOWSKI/AFP via Getty Images
By David DiMolfetta,
Cybersecurity Reporter, Nextgov/FCW
|
The vote has drawn significant concern from congressional Democrats, who say it will weaken the security posture of telecom systems. The initial measure was enacted in response to Chinese hacks of U.S. telecom providers discovered last year.
The Federal Communications Commission on Thursday voted to reverse a measure that sought to boost the security of lawful surveillance request systems in response to major Chinese hacks into telecommunications companies discovered last year.
The commission voted 2-1, with lone Democratic commissioner Anna Gomez dissenting on the measure.
The rulemaking was enacted at the tail-end of the Biden administration under then-FCC Chairwoman Jessica Rosenworcel and immediately required telecommunications firms to secure their networks against unauthorized access to systems that house wiretap requests from law enforcement. A related notice of proposed rulemaking passed under Rosenworcel would require communications providers to submit annual attestations to the agency about their security posture.
The moves came in response to hacks carried out by Salt Typhoon, a Chinese cyberespionage group backed by the nation’s Ministry of State Security, which breached dozens of communications firms in the U.S. and around the world over the course of several years.
The campaign was only uncovered around a year ago. The FBI concluded in August that over 80 countries were affected by the hacks and said some 600 organizations were notified of potential compromise.
FCC Chairman Brendan Carr’s proposed order, made public late last month, says the previous FCC “misinterpreted” its authority established under the Communications Assistance for Law Enforcement Act. It contends that the FCC under Biden overexpanded its interpretation of the mandate so that communications providers had to follow security management rules for their entire network and also ignored court precedent on the definition of “interception.”
The order adds that the measure’s “inflexible, across the board” mandates risk “leaving carriers with a burdensome and inchoate compliance standard” that does little to protect communications networks.
Under Republican leadership, the FCC has typically taken a more deregulatory stance toward large telecom companies, including in its interpretation of compliance requirements.
“Relevant to today’s vote, the FCC has worked directly with carriers who have agreed to make extensive, coordinated efforts to harden their networks against a range of cyber intrusions” that include patching vulnerable equipment, fixing access controls and improving cyber information-sharing, Carr said.
The FCC oversees CALEA, which passed in 1994. It requires telecom operators to engineer their systems for “lawful intercept” orders that let the FBI obtain phone communications data or eavesdrop on conversations of suspected criminals and spies.
The systems that facilitate lawful intercept requests were hijacked and exploited by the Chinese hackers, allowing them to target the phone calls of high-profile figures like President Donald Trump and Vice President JD Vance when they were campaigning for the White House. Communications tied to former Vice President Kamala Harris and her presidential campaign were also targeted.
Nextgov/FCW has reached out to the FBI requesting comment.
The reversal is a “hope and a dream” that will leave U.S. communications systems less protected than they were the day the Salt Typhoon intrusions were discovered, Gomez said.
“Collaboration is not a substitute for obligation,” she added. “Handshake agreements without teeth will not stop state-sponsored hackers in their quest to infiltrate our networks. They won’t prevent the next breach. They do not ensure that the weakest link in the chain is strengthened. If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon.”
CALEA is now a 30-year-old legal protocol that has become a mainstay in law enforcement’s domestic surveillance toolkit, but it hasn’t seen a major update since the FCC last reviewed it in 2005.
Wiretaps have evolved from the act of physically tapping analog phone lines to remotely intercepting digital communications across multiple channels that collate calls, texts and internet traffic. Modern-day intercept systems allow law enforcement to request targets’ phone data through secure log-in portals hosted by telecom firms’ legal demand centers.
Once the request is greenlit by a telecom company overseer, the FBI can gain access to phone metadata on targets, including call records that map the time, duration and participants of calls, as well as geolocation data, enabling U.S. law enforcement to trace communication patterns and movements of targets.
A court warrant is required to carry out these surveillance requests. Specialized orders can also allow the FBI to listen to phone calls in real-time.
But the backdoor nature of CALEA means that, if put in the wrong hands, those listening capabilities can be hijacked for intelligence-gathering and exploitation. The FCC for years has allowed carriers to develop their own wiretap solutions tailored to their networks, purchase solutions from equipment manufacturers and rely on a third party to determine whether they are CALEA-compliant.
Telecom systems are high-value targets for nation-state hackers because compromising them can reveal insights into the private communications of government officials.
Top Democratic senators severely opposed the FCC vote.
“With these highly sophisticated foreign threat actors, our efforts should be focused on further enhancing the cybersecurity of our critical infrastructure networks, not rolling back existing protections,” Sen. Maria Cantwell, D-Wash., the top Democrat on the Senate Commerce Committee, wrote in a Wednesday letter to Carr that cited previous Nextgov/FCW reporting about Salt Typhoon.
“I am disturbed by the FCC’s effort to roll back these basic cybersecurity safeguards, which, if successful, will leave the American people exposed and erode efforts to harden our national security against attacks like these in the future,” said Sen. Gary Peters, D-Mich., who serves as ranking member on the Senate Homeland Security Committee.
“Chairman Carr’s rationale for repealing the FCC’s rulemaking leaned heavily on broad talking points while offering limited detail on how relying on existing, voluntary efforts would help avert future compromises to our communications infrastructure,” said Sen. Mark Warner, D-Va., who serves as vice chairman of the Senate Intelligence Committee.
“Few — if any — of the cybersecurity actions cited in the order would have addressed Salt Typhoon or a similar intrusion, and stepping back from an enforceable, standards-based framework in favor of undefined ‘flexible and tailored solutions’ does little to strengthen our security at a time when clarity and rigor are most needed,” Warner added.