The Federal Communications Commission is set to vote Thursday on whether to rescind a set of last-minute Biden administration regulations following a massive Chinese compromise of U.S. telecommunications infrastructure last year.
Chair Brendan Carr has called the rule ineffective and unlawful, and with the likely support of newly confirmed commissioner Olivia Trusty, there is a majority position to reverse the rules.
Now in an interview, the lone dissenting voice on the panel, Commissioner Anna Gomez, told CyberScoop that rescinding the rules would let telecoms off the hook for the cybersecurity lapses that enabled the breaches.
She also noted it would eliminate one of the only substantive actions the FCC has taken in response to Salt Typhoon, a Chinese state-led cyberespionage campaign that broadly compromised the phones and data of high-level U.S. officials, including then-presidential candidate Donald Trump and vice presidential candidate JD Vance.
“What we know is that we had this major hack and the commission is probably the best positioned agency to ensure we don’t have something like this happen again,” Gomez said. “And we adopted the [rules] because we needed immediate action and we sought to create accountability, establish clear cybersecurity obligations and put in place an enforceable framework to harden the networks before the next breach.”
U.S. officials have given mixed signals as to whether Salt Typhoon remains an active and ongoing operation. Earlier this year an FBI official told CyberScoop that the bureau believes the group had been “contained,” but others have said that is unlikely given the documented technical expertise and persistence of the group and latent vulnerabilities in telecom infrastructure.
When asked if she viewed the incursions by Salt Typhoon as an active or ongoing campaign, Gomez said “this was not a one-off event.”
“These attempts are ongoing and so the need for a forceful response has not diminished,” she said.
In January, under then-chair Jessica Rosenworcel, the FCC passed a declaratory judgement stating that telecom providers have a legal obligation under the Communications Assistance for Law Enforcement Act to protect their communications and networks from being intercepted by unauthorized providers.
The agency also kicked off a proposed regulation that would have forced telecom providers to annually certify their cyber risk management plans with the FCC.
Carr indicated in an Oct. 30 fact sheet that the agency would vote to withdraw both the declaratory statement and proposed rule, providing a range of rationales.
The Biden-era rules were “rushed” out the door days before Biden and Rosenworcel left office. Carr believes there is nothing in CALEA that gives the FCC authority to regulate specific cybersecurity practices. He also called the rules “ineffective” and redundant in the face of engagement with telecoms over the past year to help harden their networks.
Gomez said it’s not clear how Carr could determine the rules were ineffective ten months after they were issued and that the commission is effectively saying it doesn’t need to wield its regulatory powers because it can rely on relationships with service providers to push for non-mandatory and industry-led cyber improvements.
“My question is ‘How many service providers have really implemented these measures?’” said Gomez. “We have one industry association coming in and saying that some providers have agreed to this. We don’t have numbers. I’m not entirely sure how many there are and we don’t know who the weakest link is going to be in a hack. I think that collaboration is very important, but it’s also important to have a regulatory backstop.”
When asked about the substance of the FCC’s engagement with the telecom industry over the past year, Gomez said it’s important to acknowledge that the agency can’t be an effective regulator without engaging in good faith with industry, but noted that she has not witnessed the kind of robust back and forth Carr described.
“As far as I know, the only evidence I had that there was any such engagement is from [Carr’s statement] saying that it happened,” she said.
Asked how much time the commission had dedicated to the Salt Typhoon incursions this year, Gomez suggested it hasn’t been a top priority.
“I would have trouble really being able to tell you that,” she said. “We haven’t seen a single proposal from [the Trump] administration. What the FCC did in January is so far the only meaningful regulatory response to Salt Typhoon that I have seen.”
In his justification, Carr has pointed to work the commission has done this year setting up a Council on National Security Council to coordinate with other federal agencies and efforts to prevent Chinese entities from owning telecom equipment testing labs in the US and investigating whether Chinese equipment providers are skirting federal restrictions to sell in the United States.
The commission has “adopted targeted rules to address the greatest cybersecurity risks to critical communications infrastructure without imposing inflexible and ambiguous requirements,” Carr wrote.
But nearly all available evidence over the past year indicates that Salt Typhoon hackers primarily exploited U.S. and Western technology and equipment to compromise U.S. telecom networks. In multiple interviews with U.S. officials, including intelligence and cybersecurity officials, none have claimed that Chinese equipment or foreign ownership of labs contributed to the breaches.
The post Why Anna Gomez believes the FCC is letting telecoms off easy after Salt Typhoon appeared first on CyberScoop.
Commissioner Gomez told CyberScoop the agency is poised to eliminate “the only meaningful regulatory response to Salt Typhoon that I have seen.”
The post Why Anna Gomez believes the FCC is letting telecoms off easy after Salt Typhoon appeared first on CyberScoop. Read MoreCyberScoop
