Insecure
FCC chair to rely on ISPs’ voluntary commitments instead of Biden-era ruling.
Credit: Getty Images | Yuichiro Chino
The Federal Communications Commission will vote in November to repeal a ruling that requires telecom providers to secure their networks, acting on a request from the biggest lobby groups representing Internet providers.
FCC Chairman Brendan Carr said the ruling, adopted in January just before Republicans gained majority control of the commission, “exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.” Carr said the vote scheduled for November 20 comes after “extensive FCC engagement with carriers” who have taken “substantial steps… to strengthen their cybersecurity defenses.”
The FCC’s January 2025 declaratory ruling came in response to attacks by China, including the Salt Typhoon infiltration of major telecom providers such as Verizon and AT&T. The Biden-era FCC found that the Communications Assistance for Law Enforcement Act (CALEA), a 1994 law, “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.”
“The Commission has previously found that section 105 of CALEA creates an affirmative obligation for a telecommunications carrier to avoid the risk that suppliers of untrusted equipment will ‘illegally activate interceptions or other forms of surveillance within the carrier’s switching premises without its knowledge,’” the January order said. “With this Declaratory Ruling, we clarify that telecommunications carriers’ duties under section 105 of CALEA extend not only to the equipment they choose to use in their networks, but also to how they manage their networks.”
ISPs get what they want
The declaratory ruling was paired with a Notice of Proposed Rulemaking that would have led to stricter rules requiring specific steps to secure networks against unauthorized interception. Carr voted against the decision at the time.
Although the declaratory ruling didn’t yet have specific rules to go along with it, the FCC at the time said it had some teeth. “Even absent rules adopted by the Commission, such as those proposed below, we believe that telecommunications carriers would be unlikely to satisfy their statutory obligations under section 105 without adopting certain basic cybersecurity practices for their communications systems and services,” the January order said. “For example, basic cybersecurity hygiene practices such as implementing role-based access controls, changing default passwords, requiring minimum password strength, and adopting multifactor authentication are necessary for any sensitive computer system. Furthermore, a failure to patch known vulnerabilities or to employ best practices that are known to be necessary in response to identified exploits would appear to fall short of fulfilling this statutory obligation.”
Cable, fiber, and mobile operators protested the decision. A petition asking the FCC to reverse it was filed in February by CTIA-The Wireless Association, NCTA-The Internet & Television Association, and USTelecom-The Broadband Association. The telecom lobby groups argued that CALEA “obligates providers only to facilitate lawful intercepts from law enforcement,” and that “the FCC lacks authority to promulgate technical standards under Section 105.”
In a draft of the order that will be voted on in November, the FCC said it will “rescind the declaratory ruling as unlawful and unnecessary, finding that the commission’s interpretation of CALEA was legally erroneous and ineffective at promoting cybersecurity.” The order will also withdraw the Notice of Proposed Rulemaking, saying that the FCC will try to implement “a targeted approach to promoting effective cybersecurity productions rather than a one-size-fits-all approach of a single rulemaking to govern all Commission licensees.”
Voluntary commitments enough, FCC says
The FCC leadership appears to be satisfied that promises from carriers make new rules unnecessary. The draft order said “providers have agreed to implement additional cybersecurity controls to harden their networks. These controls have included accelerated patching of outdated or vulnerable equipment, updating and reviewing access controls, disabling unnecessary outbound connections, and improving their threat-hunting efforts. Providers have also committed to increased cybersecurity information sharing, both with the federal government and within the communications sector. This represents a significant change in cybersecurity practices compared to the measures in place in January.”
The order argues that the previous FCC leadership’s reading of CALEA “was unlawful because the FCC purported to read a statute that required telecommunications carriers to allow lawful wiretaps within a certain portion of their network as a provision that required carriers to adopt specific network management practices in every portion of their network.”
The law says that each “telecommunications carrier shall ensure that any interception of communications or access to call-identifying information effected within its switching premises can be activated only in accordance with a court order or other lawful authorization and with the affirmative intervention of an individual officer or employee of the carrier acting in accordance with regulations prescribed by the Commission.”
Former chair defended “common sense” ruling
Before Trump took over, the FCC argued that the plain text of the law supported the declaratory ruling.
“By mandating an affirmative duty requiring that carriers ‘shall ensure’ that the ‘only’ interception of communications or access to call-identifying information is that which is conducted pursuant to a lawful authorization and with the affirmative intervention of an individual officer of the carrier acting in accordance with the Commission’s regulations, CALEA obligates carriers to prevent interception of communications or access to call-identifying information by any other means,” the FCC said at the time.
Then-Chairwoman Jessica Rosenworcel said the FCC needed to modernize its rules because of attacks like Salt Typhoon. The attack “breached nine domestic telecommunications and Internet service providers” and “compromised devices like routers and switches by exploiting old equipment, facilities that had not been updated, and network components that lacked basic cybersecurity protocols,” she said.
The FCC’s declaratory ruling “makes clear that under Section 105 of the Communications Assistance for Law Enforcement Act, telecommunications carriers have a legal obligation to secure their networks against unlawful access and interception. This is common sense,” Rosenworcel said.
Under Carr, the FCC says it can tackle security through a “collaborative” approach via “federal-private partnerships that protect and secure communications networks and more targeted, legally sound rulemaking and enforcement.”
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.