The Federal Communications Commission (FCC) is moving quickly to push telecom service providers to certify that they are taking steps to strengthen their networks against cyberattacks, following the China-sponsored Salt Typhoon hacks of U.S.-based carriers including AT&T, Verizon, and Lumen – and as many as eight providers in all.
At the heart of the FCC action is a proposal that would require communications service providers to submit an annual certification to the agency “attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks,” the commission said on Dec. 5.
That proposal – in the form of a notice of proposed rulemaking that would solicit public comment and likely take months to consider before any new rule is put in place – would ask for comment on “cybersecurity risk management requirements for a wide range of communications providers,” the agency said.
“The proposal would also seek comment on additional ways to strengthen the cybersecurity posture of communications systems and services,” the FCC said.
In a separate move that would serve to bolster the FCC’s authority to push service providers toward improved security steps, FCC Chairwoman Jessica Rosenworcel is proposing that the agency approve a declaratory ruling that finds “section 105 of Communications Assistance for Law Enforcement Act (‘CALEA’) affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.”
CALEA is a law enacted by Congress in 1994 that requires telecom service providers to build into their networks the capacity to support wiretaps and other surveillance capabilities, so that law enforcement agencies can carry out legal requests for information. The FCC in 2005 extended those requirements to facilities-based broadband service providers and firms that offer voice-over-internet-protocol services.
According to reporting on the Salt Typhoon hacks that emerged beginning in October, the exploits have penetrated some of the systems that carriers use to fulfill their CALEA obligations.
If Rosenworcel’s proposal for a declaratory ruling on CALEA authority wins support from a majority of the agency’s five commissioners, it would take effect immediately.
At a Senate hearing on Nov. 19, Sen. Richard Blumenthal, D-Conn., called for the FCC to investigate the Salt Typhoon hacks and immediately start a rulemaking process to deal with improving telecom service provider security. “It can be started under this administration [and] carried forward under the next,” Sen. Blumenthal said. “There should be bipartisan unity on the urgency of that action.”
“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” Rosenworcel said on Dec. 5 in announcing plans for the two actions responding to the cyberattacks.
“As technology continues to advance, so do the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses,” she said. “While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”