Internet service providers and cellular carriers will no longer be required to meet minimum cybersecurity standards after a Federal Communications Commission vote Thursday.
The FCC voted 2-1 along party lines to reverse course on a January ruling — adopted four days before President Donald Trump’s inauguration — that required providers to issue an annual certification showing that they have “created, updated and implemented a cybersecurity risk management plan.”
The rules applied to a broad range of companies, including cellular carriers, internet service providers, radio stations and even television broadcasters.
The new requirements were largely a response to the Salt Typhoon cyberattackin September last year, in which hackers linked to the Chinese government broke into the networks of US internet providers like AT&T, Verizon and Lumen, which owns CenturyLink and Quantum Fiber. Attackers gained access to millions of customers’ call and text message metadata and reportedly captured audio recordings from people involved with both the Harris and Trump campaigns.
“This is such a terrible idea. This is rolling out the red carpet for another attack,” Cooper Quintin, a senior staff technologist at the Electronic Frontier Foundation, told CNET. “I can’t overstate how impactful Salt Typhoon was. This gave them access to the communications of every American. It impacted everyone, and there were no consequences for the telcos other than having to generate a regular report.”
So why roll back the rules now? FCC Chair Brendan Carr said the rules are not necessary because longer providers have already “demonstrated a strengthened cybersecurity posture” in the year since the Salt Typhoon attacks.
The move is the latest chapter in Carr’s “Delete, Delete, Delete” agenda, which aims to end the “regulatory onslaught from Washington.”
If you look at the FCC as being the protector of the public interest in modern communications, the notion that you don’t have a role in cybersecurity strikes me as being willfully blunt.
Blair Levin, former FCC chief of staff and a telecom industry analyst at New Street Research
Objections from Democrats came swiftly. Mark Warner, the vice chairman of the Senate Select Committee on Intelligence, said the elimination of requirements “leaves us without a credible plan to address the gaps exposed by Salt Typhoon, including basic failures like credential reuse and the absence of multi-factor authentication for highly privileged accounts.”
In a letter to Carr earlier this week, Sen. Maria Cantwell said that the Salt Typhoon allowed the Chinese government to “geolocate millions of individuals” and “record phone calls at will,” noting that the incident targeted almost every American.
“You have now proposed to reverse this requirement after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers,” Cantwell said.
Carr waved off these objections at this morning’s meeting, saying, “Doing anything just so we can say we did something is not the answer.”
Blair Levin, a former FCC chief of staff and a telecom industry analyst at New Street Research, told me that he found Carr’s position counterintuitive.
“If you look at the FCC as being the protector of the public interest in modern communications, the notion that you don’t have a role in cybersecurity strikes me as being willfully blunt,” Levin said.
The ruling is a major win for telecom companies, which have lobbied for the rules to be rescinded. In a letter sent to the FCC last month, industry groups argued that the decades-long cybersecurity collaboration between industry and government meant the rules weren’t just unnecessary — they “significantly undermine this system and make our networks less safe.”
When I read this quote to Quintin, he laughed and dismissed it with a seven-letter word.
“If having to report to somebody what their cybersecurity posture is makes them less secure, then they had terrible cybersecurity,” he said.
Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.
How to protect yourself from future cyberattacks
The FCC is taking a step back in monitoring the security of our networks, which means it’s never been more essential to practice good cybersecurity yourself. While Salt Typhoon targeted government officials, everyday Americans could be at risk in future attacks.
“The concern for you or me is more around scams and cybercrime,” said Quintin, noting that SIM swapping attacks, intercepting two-factor authentication codes and scammers posing as your bank or healthcare provider could become more common.
Here are a few steps you can take right now to protect yourself and mitigate the potential damage:
Set strong passwords and always use multifactor authentication. Your passwords should all be unique and long, with a variety of special characters, letters and numbers. If that sounds impossible to remember, it should be. A good password manager will do the heavy lifting for you. If you learn that one of your passwords has been compromised in a breach, change it as soon as possible.
Look out for phishing attacks. Data breaches give criminals a great opportunity to use your personal details against you by sending scam emails, text messages or social media messages. Don’t click on links from senders you don’t recognize, and be extremely skeptical about handing out money or personal information to any person or company you haven’t vetted.
Monitor your financial accounts. It’s always a good idea to keep a close eye on your bank accounts and credit cards, but especially when you’re notified that your personal information has been exposed. You can also set up account alerts to let you know whenever a large transaction has gone through.
Use a VPN. If you’re concerned about another Salt Typhoon-style attack from a foreign government or anyone else, the single best thing you can do to ensure your connection remains private is to use a trustworthy VPN. Look for advanced features like obfuscation, Tor over VPN and a double VPN, which uses a second VPN server for an added layer of encryption. You can also install a VPN on your router directly so that all your traffic is encrypted automatically.
