FCC Chair Carr Criticizes Agency's Handling of Salt Typhoon Cyber Assaults - New Development
The Federal Communications Commission (FCC) has proposed new cybersecurity rules aimed at strengthening the nation's telecommunications infrastructure, following the Salt Typhoon cyber intrusion that was attributed to Chinese intelligence services.
The Salt Typhoon attacks, which occurred in the fall of 2024, targeted nine major U.S. telecommunications companies, causing significant concern over the vulnerability of the country's communications critical infrastructure. Following the reports, FCC chair Jessica Rosenworcel highlighted the severity of the threat and called for action.
To address these deficiencies, the FCC's proposal includes instituting new rules for telecommunications providers that would require them to submit annual certifications proving their cybersecurity measures meet certain standards. This initiative is intended to ensure that communications service providers (CSPs) maintain robust cybersecurity practices.
The specific cybersecurity requirements for these certifications have not yet been publicly detailed, as the full extent of the attack is still under investigation. However, the FCC's materials relating to Salt Typhoon can be found at a specified location.
In January 2025, the FCC adopted a Declaratory Ruling and a Notice of Proposed Rulemaking (NPRM) aimed at affirming and clarifying its cybersecurity and infrastructure protection authority in response to threats like Salt Typhoon. This ruling emphasizes the need for stronger mandatory cybersecurity standards for the telecommunications sector, addressing vulnerabilities that were exploited during the attack.
Commissioner Brendan Carr, slated to become the FCC's chair in the new Trump administration, has expressed criticism of the FCC's response to the Salt Typhoon cyber intrusion. Carr believes that the FCC's actions are neither serious nor effective and has questioned why the FCC departed from its previous approach at the eleventh hour. Despite his initial skepticism, Carr appears to accept that expanded regulatory efforts are necessary to counter ongoing threats.
Rosenworcel, a Democrat, believes that as technology advances, the U.S. must adapt and reinforce its defenses against cyberattacks. She proposed that communications service providers submit an annual certification to the FCC regarding their cybersecurity risk management plans. Carr, on the other hand, has criticized CALEA as an inappropriate legal basis for the FCC's actions regarding cybersecurity.
The FCC's proposed response to the Salt Typhoon cybersecurity attacks includes the new rules for telecommunications providers and the Declaratory Ruling and NPRM aimed at affirming the FCC's authority to impose mandatory cybersecurity standards. Under Carr's leadership, the FCC continues to vigorously defend the rules in court, signifying a pragmatic approach acknowledging the persistent cybersecurity threats to U.S. telecom networks, especially those posed by Chinese hacking groups like Salt Typhoon.
[1] Source: FCC documents on Salt Typhoon cybersecurity attacks [2] Source: FCC Declaratory Ruling and Notice of Proposed Rulemaking on cybersecurity and infrastructure protection [3] Source: FCC records and public statements by Commissioner Brendan Carr
- The FCC's proposal for new cybersecurity rules involves requiring telecommunications providers to submit annual certifications ensuring their cybersecurity measures meet certain standards, as a means to improve the nation's telecommunications infrastructure in response to the Salt Typhoon cyber intrusion.
- The details of the specific cybersecurity requirements for these certifications remain undisclosed, as investigations into the extent of the attack are ongoing.
- The FCC's materials related to the Salt Typhoon cybersecurity attacks can be found in a specified location.
- In January 2025, the FCC adopted a Declaratory Ruling and a Notice of Proposed Rulemaking (NPRM), aiming to affirm and clarify its cybersecurity and infrastructure protection authority in response to threats like Salt Typhoon.
- Commissioner Brendan Carr has shown initial skepticism about the FCC's response to the Salt Typhoon cyber intrusion but has since accepted that expanded regulatory efforts are necessary to counter ongoing threats, acknowledging the persistent cybersecurity threats posed to U.S. telecom networks, especially those from Chinese hacking groups like Salt Typhoon.
