FCC dumps plan for telecom security rules that Internet providers don’t like

In a significant policy shift, the Federal Communications Commission (FCC) is set to vote in November on the repeal of an important ruling that mandates telecom providers to bolster the security of their networks. This decision comes in response to requests from major lobby groups representing Internet service providers. FCC Chairman Brendan Carr has stated that the original ruling, which was established in January just before the Republican party took control of the commission, exceeded the agency's authority and failed to offer a sufficient response to current cybersecurity threats. The upcoming vote, scheduled for November 20, follows what Carr describes as extensive dialogue with carriers who have reportedly made considerable advancements in enhancing their cybersecurity measures. The January ruling was a direct reaction to cyberattacks attributed to China, including the infiltration of telecom giants like Verizon and AT&T. The FCC, during the Biden administration, determined that the Communications Assistance for Law Enforcement Act (CALEA) of 1994 imposes a clear obligation on telecom carriers to protect their networks from unauthorized access and interception. The January order emphasized that these carriers must not only ensure the security of the equipment they utilize but also the overall management of their networks. Accompanying the declaratory ruling was a Notice of Proposed Rulemaking that intended to implement stricter measures requiring telecom providers to take specific actions to safeguard against unauthorized interceptions. Although Carr opposed the ruling at the time, he acknowledged that it had the potential for significant impact. Despite the absence of concrete rules in the previous order, the FCC asserted that telecom companies would likely not meet their legal obligations under CALEA without adopting fundamental cybersecurity practices. These practices include implementing role-based access controls, updating default passwords, enforcing minimum password standards, and using multifactor authentication. The agency further warned that neglecting to address known vulnerabilities would likely not fulfill the statutory requirements imposed on these providers.