FCC spikes Biden-era cyber regulations prompted by Salt Typhoon telecom breaches

The Federal Communications Commission (FCC) voted to remove several cybersecurity regulations put in place after Chinese hackers breached multiple telecommunications giants to steal the correspondence of Donald Trump and JD Vance during campaign season last year. 

In a party line vote on Thursday, the Republican majority of the FCC reversed a declaratory ruling published in January that would have mandated telecoms to better secure their networks and submit annual certifications attesting to the creation of a cybersecurity risk management plan.

In a speech, Chairman Brendan Carr called the rules “neither lawful nor effective” and claimed the FCC has “worked directly with carriers who have agreed to make extensive, coordinated efforts to harden their networks against a range of cyber intrusions.”

“These have included accelerated patching of outdated or vulnerable equipment, updating and reviewing access controls, disabling unnecessary outbound connections, improving their threat-hunting efforts, and increasing cybersecurity information sharing,” Carr said. 

“All of these actions have been well within FCC legal authority and have effectively mitigated network vulnerabilities.”

Carr echoed comments made last month where he said the Biden-era rules, issued just days before Trump’s inauguration, did not address cybersecurity threats and were not “consistent with the agile and collaborative approach to cybersecurity that has proven successful.”

He claimed intelligence officials told him the rules would be “counterproductive and deter the productive collaboration that is necessary today.”

In December 2024, White House officials revealed that at least nine telecommunications giants in the U.S. were breached and that companies in multiple other countries were also hacked by Chinese threat actors as part of the Salt Typhoon campaign.

The Chinese government-backed hackers had broad, years-long access to the biggest U.S. telecommunications companies, including Verizon, AT&T and Lumen.

The intruders gained access to Call Detail Records, which provide granular data on whom a person spoke to, when, for how long, and where they were when they took the call.

In some cases, the hackers were able to intercept audio and text. 

They reportedly focused on gathering information about 150 high-profile targets like Trump, Vance and staff members of then-Vice President Kamala Harris, as well as other senior government leaders like Sen. Chuck Schumer (D-NY).

Republican and Democratic lawmakers bashed the Biden administration for its lack of answers about the Chinese hacking campaign. Sen. Mike Rounds (R-SD) and several others backed calls for cybersecurity standards governing the telecoms industry at the time. 

Biden administration officials said the Salt Typhoon campaign would have been “far riskier, harder and costlier for the Chinese” if companies had minimum practices — secure configurations, up-to-date patching, architecting to monitor for anomalous behavior that would have detected this earlier, managing administrator accounts with multi-factor authentication.

The FCC did not respond to requests for comment.

‘Handshake agreements without teeth’

FCC Commissioner Anna Gomez, a Biden appointee, said at Thursday’s meeting that Carr’s insistence on “collaboration” over regulation would not create the accountability needed to prevent the next telecommunications breach.   

“Handshake agreements without teeth will not stop state-sponsored hackers in their effort to infiltrate networks. They will not prevent the next breach. If voluntary cooperation were enough we would not be sitting here today in the wake of Salt Typhoon” she said.

“This FCC does not explain what the approach is, what objectives it will pursue, what milestones it will track or how the public will know whether it has succeeded.”

She also published a statement on Wednesday slamming the vote in advance, writing that the FCC “has still not put forward a single actionable solution to address the growing cybersecurity threat to our communications networks.” 

“Not one concrete proposal. Not one protection standard. Not one accountability mechanism. Its proposed rollback is not a cybersecurity strategy. It is a hope and a dream that will leave Americans less protected than they were the day the Salt Typhoon breach was discovered,” Gomez said. 

Response from Capitol Hill

Democratic senators who have worked on cybersecurity issues criticized the decision to remove the cybersecurity rules. Mark Warner (D-VA) warned that the FCC has provided few details on how existing, voluntary efforts will help avert the next compromise of U.S. communications infrastructure.

“Very few, if any, of the cybersecurity actions that occurred under Carr and that he points to in his order would have prevented Salt Typhoon or an equivalent compromise, and walking back an enforceable, standards-based approach while handwaving unclear and amorphous ‘flexible and tailored solutions’ doesn’t do much to make us safer in this moment,” he said.

Ron Wyden (D-OR), said President Donald Trump is “surrendering to China on trade” and “waving the white flag on cybersecurity and leaving Americans unprotected against foreign spies.”

“The Biden administration’s phone cybersecurity regulations were a moderate response to a five-alarm security disaster,” he said. “Anyone claiming the United States doesn’t need security regulations for phone networks after the disastrous Salt Typhoon hack is either an idiot, working for the phone companies, or on the side of the hackers.”

Gary Peters (D-MI), said he was “disturbed” by the FCC effort to roll back basic cybersecurity safeguards. 

Peters added that the FCC move will “leave the American people exposed and erode efforts to harden our national security against attacks like these in the future.”

Maria Cantwell (D-WA) noted that officials should be focused on “further enhancing” the cybersecurity of critical infrastructure networks instead of rolling back existing protections. 

Cantwell wrote a letter to the CEOs of AT&T and Verizon in June that demanded documentation proving remediation of ongoing vulnerabilities in their networks but both companies did not provide any information. She added that Carr’s own draft ruling concedes that vulnerabilities “are still being exploited.”

“You have now proposed to reverse this requirement after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers. Your proposal to rescind this ruling would undermine the FCC’s ability to hold carriers accountable for protecting our nation’s critical communications infrastructure,” Cantwell said. “I am concerned that your move to drop cybersecurity requirements on carriers is part of a pattern of weakness on national security issues.”