In a contentious party-line vote, the Federal Communications Commission has rescinded cybersecurity regulations for telecommunications providers that were established as a direct response to the massive Salt Typhoon state-sponsored hacking campaign linked to China [1]. The 2-1 decision on November 21, 2025, eliminates requirements that would have compelled carriers like AT&T, Verizon, and T-Mobile to implement comprehensive security plans and attest to their completion annually [2].
The reversal represents a significant policy shift in how the United States government approaches telecommunications security. FCC Chairman Brendan Carr, leading the Republican majority, argued the previous administration exceeded its legal authority by using the Communications Assistance for Law Enforcement Act (CALEA) to impose broad cybersecurity mandates [3]. Meanwhile, Democratic Commissioner Anna Gomez warned in her dissent that the decision leaves the country “less safe” and removes the only meaningful regulatory response to the Salt Typhoon campaign that compromised critical network infrastructure [4].
Background: The Salt Typhoon Campaign
The now-rescinded rules were developed in the final days of the Biden administration in January 2025 following the discovery of the Salt Typhoon campaign, which security researchers have described as one of the most extensive telecommunications compromises in U.S. history [5]. According to Cybersecurity and Infrastructure Security Agency (CISA) assessments, the Chinese state-sponsored operation infiltrated at least 200 U.S. companies, including major telecommunications providers, and impacted over 600 organizations globally [6]. The threat actors specifically targeted large backbone routers, modifying them to maintain persistent, long-term access to networks, and in some cases gained the ability to intercept audio and text communications of high-profile individuals including political figures [7].
Post-incident analysis by government agencies and lawmakers identified that the hack’s success was enabled by fundamental security deficiencies within telecommunications infrastructure. These included failures to implement secure configurations, maintain up-to-date patching schedules, enforce multi-factor authentication, and address credential reuse across systems [8]. The scale and sophistication of the campaign prompted bipartisan concern about the vulnerability of critical communications infrastructure to state-sponsored threats, leading to the initial regulatory response that has now been overturned.
The Rescinded Rules and Legal Controversy
The eliminated regulations would have required telecommunications carriers to “secure their networks from unlawful access or interception of communications” under Section 105 of CALEA [9]. The rules mandated that providers create, update, and implement comprehensive cybersecurity risk management plans, with annual attestations to the FCC regarding their completion. The Commission was also in the process of defining specific requirements for these plans through a Notice of Proposed Rulemaking, which was simultaneously withdrawn as part of the recent vote [10].
Chairman Carr’s legal argument centered on the interpretation that the previous FCC administration misapplied CALEA, which was originally designed to ensure law enforcement access to communications, not to establish broad cybersecurity standards. He characterized the rules as “neither lawful nor effective” and asserted they would impose “costly new burdens” that duplicated existing industry security efforts [3]. Industry representatives supported this position, arguing in an October 2025 letter that mandatory regulations would undermine public-private partnerships that had developed voluntarily following the Salt Typhoon disclosures.
Voluntary Approach and Industry Commitments
In place of mandatory regulations, the FCC majority and telecommunications industry have advocated for a collaborative, voluntary approach to security enhancements. Following recent engagement with providers, Chairman Carr announced that telecom companies had already agreed to implement enhanced security measures including accelerated patching cycles, improved threat-hunting capabilities, and increased information-sharing with government agencies [10]. This framework, according to supporters, offers greater flexibility and agility than prescriptive regulations that might quickly become outdated in the face of evolving threats.
However, critics question whether voluntary agreements provide sufficient accountability and enforcement mechanisms to ensure compliance. Commissioner Gomez specifically warned that “handshake agreements without teeth will not stop state-sponsored hackers,” pointing to the sophisticated nature of the Salt Typhoon campaign and the historical reluctance of some providers to implement basic security measures without regulatory pressure [4]. The debate reflects broader tensions in cybersecurity policy between regulatory mandates and industry self-regulation approaches.
Political and Security Community Response
The decision has generated significant criticism from Democratic lawmakers and security experts. Senator Mark Warner (D-VA), who chairs the Senate Intelligence Committee, described Salt Typhoon as “the worst telecommunications hack in our nation’s history” and expressed concern that the U.S. now lacks a “credible plan” to address the security gaps it exploited [6]. Senator Ron Wyden (D-OR) characterized the FCC’s action as “surrendering to China” and “waving the white flag on cybersecurity,” while Senator Gary Peters (D-MI) stated he was “disturbed” by the rollback of what he termed “basic cybersecurity safeguards” that would “leave the American people exposed.”
In response to the regulatory reversal, the House of Representatives has passed the “Strengthening Cyber Resilience Against State-Sponsored Threats Act,” which would establish a joint interagency task force led by CISA to address China-linked cyber threats, including those associated with Salt Typhoon [10]. Simultaneously, lawmakers are pressing the Department of Homeland Security to release a 2022 report on telecommunications vulnerabilities, arguing that withholding this information undermines public understanding of the risks and necessary protective measures.
Technical Implications for Network Security
The regulatory reversal occurs amid ongoing concerns about the technical vulnerabilities exploited during the Salt Typhoon campaign. Security assessments indicate that the threat actors focused particularly on network routers, which form the backbone of telecommunications infrastructure. These devices often present attractive targets due to their critical positioning in network architecture, the sensitivity of traffic they process, and historically inconsistent security practices around their configuration and maintenance.
Without mandatory security requirements, the responsibility for implementing protective measures falls entirely to individual telecommunications providers. While major carriers have substantial security resources, the absence of standardized requirements raises concerns about consistency across the industry, particularly among smaller providers with more limited security budgets. The specific security practices that providers have voluntarily committed to implement—including accelerated patching, enhanced threat hunting, and improved information sharing—represent positive steps, though their effectiveness will depend on the rigor and consistency of their implementation.
Future Outlook and Alternative Approaches
The FCC’s decision reflects a fundamental philosophical shift in how the government approaches telecommunications security, favoring industry collaboration over regulatory mandates. This approach will face its first significant test when the next major telecommunications security incident occurs, particularly if it involves exploitation of vulnerabilities that the rescinded rules were designed to address. The effectiveness of voluntary measures will be closely monitored by policymakers, security researchers, and the intelligence community.
Alternative regulatory pathways remain possible, including congressional action to explicitly grant the FCC or other agencies authority to establish cybersecurity standards for telecommunications providers. The current legislative proposal for a CISA-led task force represents one such approach, though it focuses on coordination rather than direct regulation. The ongoing evolution of the Salt Typhoon threat and similar state-sponsored campaigns will likely continue to influence this policy debate, particularly if subsequent incidents demonstrate limitations in the voluntary security framework.
The FCC’s reversal of telecommunications cybersecurity rules represents a pivotal moment in U.S. critical infrastructure protection policy. While the voluntary approach favored by the current Commission majority may offer flexibility and reduce regulatory burdens, it also transfers primary responsibility for security decisions to private entities with varying resources and priorities. The ultimate effectiveness of this framework will be measured by the telecommunications industry’s ability to prevent, detect, and respond to sophisticated state-sponsored threats without the binding security standards that were developed specifically in response to one of the most significant compromises of U.S. communications infrastructure in recent history.
References
1. “FCC rolls back cybersecurity rules for telcos, despite state-hacking risks,” Bleepingcomputer.com, Nov. 21, 2025.
2. “Despite Chinese hacks, Trump’s FCC votes to scrap cybersecurity rules for telecoms,” TechCrunch.com, Nov. 21, 2025.
3. “FCC Rescinds Rules Requiring Telecoms to Secure Their Networks,” PCMag.com, Nov. 21, 2025.
4. “The FCC is rolling back steps meant to stop a repeat of a massive telecom hack,” TheVerge.com, Nov. 20, 2025.
5. “FCC rolls back telecom cybersecurity rules,” Axios.com, Nov. 20, 2025.
6. “FCC spikes Biden-era cyber regulations prompted by Salt Typhoon Chinese hacking campaign,” TheRecord.media, Nov. 20, 2025.
7. “The FCC moves to roll back post-Salt Typhoon cybersecurity rules,” CADEproject.org, Nov. 18, 2025.
8. “FCC eliminates cybersecurity requirements for telecom companies,” Yahoo.com, Nov. 21, 2025.
9. “FCC Scraps Cybersecurity Rules After China’s Salt Typhoon Hack,” Techbuzz.ai, Nov. 21, 2025.
10. “FCC to vote on reversing cyber rules for telecom companies after Salt Typhoon hack,” Federalnewsnetwork.com, Nov. 17, 2025.