Sen. Ron Wyden, D-Ore., today unveiled draft legislation that would light a fire under the Federal Communications Commission (FCC) to create a tough new set of cybersecurity rules for telecommunications service providers, following news in October of China-sponsored Salt Typhoon hacks into the networks of several big U.S. carriers, including AT&T, Verizon, and Lumen.
The senator’s proposed Secure American Communications Act would require the FCC to issue “binding cybersecurity rules” for telecom systems and operators.
According to the senator’s office, the FCC would design those cybersecurity requirements in consultation with the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence “to prevent unauthorized interceptions by any person or entity, including by an advanced persistent threat (APT).”
The proposed FCC rules also would require telecom carriers to “conduct annual testing to evaluate whether their systems are susceptible to unauthorized interceptions by any person or entity, including by an advanced persistent threat,” take corrective measures for any deficits shown by the testing, and document those measures.
Telecom carriers also would need to contract with independent auditors to conduct annual assessments of their compliance with the new FCC rules. Carriers would be required to submit test and audit results to the FCC, including written statements “signed by the CEO and CISO (or equivalent) stating that the telecom carrier is in compliance with FCC cybersecurity rules.”
The FCC has not been sitting on its hands as the scope of the Salt Typhoon hacks has become increasingly clear. Last week, the agency announced two actions that aim in the same direction as Sen. Wyden’s proposed legislation, although they do not appear to be as far-reaching.
First, the FCC said it plans to open a rulemaking proceeding to require communications service providers to submit an annual certification to the agency “attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks.”
That proposal – in the form of a notice of proposed rulemaking that would solicit public comment and likely take months to consider before any new rule is put in place – would ask for comment on “cybersecurity risk management requirements for a wide range of communications providers,” the agency said.
Second, FCC Chairwoman Jessica Rosenworcel proposed that the agency quickly approve a declaratory ruling that finds “section 105 of Communications Assistance for Law Enforcement Act (‘CALEA’) affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.”
CALEA is a law enacted by Congress in 1994 that requires telecom service providers to build into their networks the capacity for wiretaps and other surveillance capabilities, so that law enforcement agencies can carry out legal requests for information. The FCC in 2005 extended those requirements to facilities-based broadband service providers and firms that offer voice-over-internet protocol services.
In announcing his proposed legislation, Sen. Wyden groused that the FCC has not acted on its authorities in existing law to require better cybersecurity at telecom carriers.
His proposed bill, the senator’s office said, requires the FCC to “fix its own failure to fully implement telecom security requirements already required by federal law.”
“In 1994, Congress required telecom providers to design their systems to permit the government to obtain communications and call-identifying information with a court order or other lawful authorization” through the CALEA law, the senator’s office said.
“That law required providers to secure their systems from unauthorized interceptions, and gave the FCC the authority to issue regulations to implement this requirement,” it continued. “However, in the years since, the FCC has never fully implemented this provision.”
“It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules,” Sen. Wyden said in a statement today.
“Telecom companies and federal regulators were asleep on the job and as a result, Americans’ calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security,” he said. “Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies.”