The Federal Communications Commission (FCC) is taking action in response to recent cyberattacks targeting US communications companies by foreign entities. The FCC has put forth new cybersecurity rules aimed at enhancing the security of telecommunication networks.
According to FCC Chairwoman Jessica Rosenworcel, safeguarding the cybersecurity of the country’s critical communication infrastructure is crucial for national security, public safety, and economic stability. As technology evolves, so do the capabilities of adversaries, necessitating a continuous reinforcement of defensive measures.
The proposed requirements, outlined in a Declaratory Ruling shared with other commission members, mandate that telecommunication carriers secure their networks against unauthorized access or interception of communications. Additionally, these companies are required to submit annual certifications to the FCC confirming the development, updating, and implementation of a cybersecurity risk management plan to fortify defenses against potential cyber threats. Rosenworcel emphasized the importance of establishing a modern framework to assist companies in securing their networks effectively.
Acknowledging the challenges faced by corporate directors and the Securities and Exchange Commission (SEC) in managing cybersecurity risks, Trey Ford, Chief Information Security Officer at Bugcrowd, lauded the FCC’s efforts to prioritize risk management and cybersecurity. This initiative is expected to drive modernization and enhance cybersecurity practices within the telecommunication industry.
One of the significant incidents that prompted these regulatory measures was the cyberattack carried out by the Chinese state-sponsored hacker group “Salt Typhoon” on several US Internet service provider networks earlier this year. Targets at organizations such as Verizon, AT&T, and Lumen were compromised in the attack. The affected carriers have yet to fully remove the attackers from their networks, and the intelligence community is still assessing the extent and impact of the breach.
The breach resulted in the compromise of a large number of call records, including phone numbers, call details, and intercepted communications of government officials and politicians. The severity of the attack prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue guidance in collaboration with the National Security Agency and the FBI to telecom industry stakeholders on mitigating the threat. The guidance includes best practices for detecting threat activities, enhancing visibility, minimizing vulnerabilities, and securing network equipment.
In response to the escalating cyber threat landscape, Senator Ron Wyden introduced legislation requiring the FCC, CISA, and the Director of National Intelligence to establish specific digital security standards to prevent unauthorized interceptions. The proposed bill requires telecom companies to conduct annual security tests, address vulnerabilities, and undergo external audits to ensure compliance with cybersecurity regulations.
If the FCC’s proposal is accepted, it will take effect immediately through a Declaratory Ruling. The draft Notice of Proposed Rulemaking will also solicit feedback on cybersecurity risk management requirements and additional measures to bolster the cybersecurity posture of communication systems and services.
With the looming congressional recess, the fate of the proposed legislation remains uncertain. However, the FCC’s proactive stance in strengthening cybersecurity regulations reflects the agency’s commitment to addressing emerging cyber threats and safeguarding the nation’s critical communication infrastructure.
