The Federal Communications Commission announced plans this week to remove several cybersecurity regulations put in place after Chinese hackers breached multiple telecommunications giants to steal the correspondence of President Donald Trump and Vice President JD Vance last year.

The FCC did not respond to requests for comment, but Chairman Brendan Carr released a statement that said the agency would reverse a declaratory ruling published in January which would have mandated telecoms to better secure their networks and submit annual certifications attesting to the creation of a cybersecurity risk management plan. 

In a lengthy regulatory document published on Thursday, FCC Secretary Marlene Dortch outlined the Trump administration’s decision to rescind the ruling — arguing that telecoms have already taken voluntary steps to secure their networks and that the ruling was “legally erroneous.”

Dortch said the ruling “applies the same inflexible, across-the-board cybersecurity requirements to all telecommunications carriers without regard to their risk, size, or organizational posture.”

“This vague and amorphous standard risks imposing costly new burdens on many providers that are either not relevant to the potential threats they face, or which are redundant because those providers may already employ sufficient cybersecurity practices to reasonably reduce the risk of successful exploits by the most sophisticated threat actors,” Dortch wrote.  

She added that it is “an ineffective response to the Salt Typhoon exploit, and that the Commission should instead continue to pursue an agile and collaborative approach to cybersecurity through federal-private partnerships that protect and secure communications networks and more targeted, legally sound rulemaking and enforcement.”

In December 2024, White House officials revealed that at least nine telecommunications giants in the U.S. were breached and that companies in multiple other countries were also hacked by Chinese threat actors as part of the Salt Typhoon hacking campaign.

TThe Chinese government-backed hackers had broad, years-long access to the biggest telecommunications companies in the U.S. — including Verizon, AT&T, Lumen and several others. T-Mobile said it detected attempts but was able to stop them.

Salt Typhoon hackers gained access to Call Detail Records, which provide granular data on who a person spoke to, when, for how long, and where they were when they took the call.

In some cases, the hackers were able to intercept audio and text. They reportedly focused on gathering information about 150 high-profile targets like Trump, Vance and staff members of then-Vice President Kamala Harris, as well as other senior government leaders like Sen. Chuck Schumer (D-NY).

Republican and Democratic lawmakers bashed the Biden administration for its lack of answers about the Chinese hacking campaign. Sen. Mike Rounds (R-SD) and several others backed calls for cybersecurity standards governing the telecoms industry at the time. 

“There's no accountability. We have not heard a plan of how they're going to fix it. That's unacceptable,” Sen. Rick Scott (R-FL) said at the time.

Biden administration officials said the Salt Typhoon campaign would have been “far riskier, harder and costlier for the Chinese” if companies had minimum practices — secure configurations, up-to-date patching, architecting to monitor for anomalous behavior that would have detected this earlier, managing administrator accounts with multi-factor authentication.

Sen. Mark Warner (D-VA) called it the “worst telecom hack in our nation’s history — by far.” 

The new FCC

The declaratory ruling was issued days before the Trump administration took over and Biden administration officials touted it as a key measure taken in response to the Salt Typhoon incident.

The declaratory ruling was based on the view that the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access to or interception of communications and that carriers could be in breach of their statutory obligations if they fail to adopt certain cybersecurity practices.

A corresponding Notice of Proposed Rulemaking (NPRM) included several other cybersecurity measures for telecoms.. 

A Biden White House official said network segmentation was a key part of the declaratory ruling because in one telecom company’s case, a single administrator account had access to over 100,000 routers, allowing the Chinese hackers to have broad access across the entire network after compromising the account.

Sen. Ron Wyden (D-OR) said in April that the national security harms caused by Salt Typhoon are “the direct result of U.S. phone carriers’ failure to follow cybersecurity best practices, such as installing security updates and using multi-factor authentication, and federal agencies failing to hold these companies accountable.”

But in its Fact Sheet on Thursday, the new FCC slammed the Biden administration for attempting to issue the ruling in its final days, writing that it “offers no guidance about which particular vulnerabilities to prioritize or which at-risk information to protect, leaving carriers with a burdensome and inchoate compliance standard that does little to secure communications networks and protect national security.”

Dortch argued that the FCC should “promote an agile and collaborative approach to cybersecurity” and said telecommunications committed to taking “extensive, urgent, and coordinated efforts to mitigate operational risks, protect consumers, and preserve national security interests” against the range of cyberattacks that target their networks.”

The companies committed to “implement additional cybersecurity controls to harden their networks,” Dortch said.

The FCC did not respond to a lengthy list of questions about which companies reached out to the FCC or what specific measures telecommunications companies committed to. 

The Fact Sheet said telecommunications giants are already subject to several other cybersecurity regulations issued by the SEC, NIST and CISA as well as forthcoming rules under theCyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Several telecoms are also part of the Comm-ISAC information sharing organization, Dortch argued. 

The FCC said companies have also committed to increased cybersecurity information sharing within the sector and with federal agencies. Dortch added that the FCC created a Council on National Security in March that will take on cybersecurity issues in the future. 

Telecoms have already spent years working with the FBI, CISA and the NSA on addressing the Salt Typhoon attacks, Dortch added. 

The document cites a letter from multiple telecommunications industry associations that said a more “collaborative” relationship with the federal government “enabled some carriers to quickly share threat indicators related to the Salt Typhoon attacks with federal law enforcement agencies, who in turn were able to guide other carriers in taking steps to remove threat actors from their networks and harden them against future exploits.”

Some carriers “have taken additional steps to harden their networks in recent months, including implementing accelerated patching cycles, updating access controls, reviewing remote access configurations, improving threat hunting efforts, disabling unnecessary outbound connections to limit lateral network movement, and strengthening contractual obligations with third-party vendors,” the letter said.

In the associations’ petition letter, the companies concluded that the telecom industry has voluntarily “devoted extensive personnel and resources to enhancing its cybersecurity posture in the wake of Salt Typhoon, and it will continue to do so to evolve its defenses as new threats emerge.”

Dortch said the FCC decided to rescind the declaratory ruling “as unlawful and unnecessary,” — finding that the previous administration’s interpretation of certain laws was “legally erroneous and ineffective at promoting cybersecurity.”

The FCC also pledged to withdraw another cybersecurity measure that would govern all Commission licensees.

“In sum, the Declaratory Ruling was an ill-advised, rushed effort to take a controversial action without being grounded in a proper notice-and-comment process,” Dortch explained.

“In light of the Commission’s recent engagement with providers and their agreement to take extensive steps to protect national security interests, the Order on Reconsideration rescinds the Declaratory Ruling and withdraws the NPRM.”

The vote to rescind will take place at the November 20 Open Commission meeting.