In December, US officials claimed that hackers linked to the Chinese government breached security at nine major telecommunications companies, including AT&T and Verizon and some US agencies including the Department of the Treasury. Apparently, the hackers were able to access employee workstations and some unclassified documents. Officials said that this series of attacks began in September and were linked to attempts to influence the presidential election. The group behind the telecom cyberattacks is closely associated with China and called “Salt Typhoon,” the name given to it by researchers at Microsoft.
In one of her last acts as Chairwoman of the FCC Jessica Rosenworcel decided the agency had to respond to the hacks.
In response to Salt Typhoon, there has been a government-wide effort to understand the nature and extent of this breach, what needs to happen to rid this exposure in our networks, and the steps required to ensure it never happens again. At the Federal Communications Commission, we now have a choice to make. We can turn the other way and hope this threat goes away. But hope is not a plan. Leaving old policies in place when we know what new risks look like is not smart. Today, in light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting. Telecommunications networks are essential for everything in day-to-day life, from our national defense to public safety to economic growth. The actions we take and propose here will strengthen our cybersecurity safeguards and enhance our resilience against future attacks. (FCC January 16, 2024, News Release).
The Commission’s actions include the following:
- Adopt a Declaratory Ruling that takes immediate effect finding that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications. This includes not only the equipment they choose to use in their networks, but also to how they manage their networks.
- Begin a Notice of Proposed Rulemaking (Notice) in Docket 22-239 to adopt specific cybersecurity and supply chain risk management requirements and apply them to a broader universe of service providers. Specifically, the new requirements would apply to:
- Facilities-based fixed and mobile Broadband Internet Access Service providers; all broadcasting stations—including AM broadcast stations, FM broadcast stations (including low power FM broadcast stations and program originating FM booster stations), digital audio broadcasters, all television stations—including low power television stations, television broadcast translator stations, and all analog television and digital television service providers; all cable systems (including digital cable systems and wireless cable systems); wireline video systems; wireline communications providers; commercial radio operators; interconnected VoIP providers (including providers of outbound-only VoIP); telecommunications relay service (TRS) providers; satellite communications providers (including all space and earth station licensees, mobile satellite service providers, Direct Broadcast Satellite (DBS) providers, SDARS providers, geostationary orbit (GSO) and GSO-like satellite operations, non-geostationary orbit (NGSO) and NGSO-like satellite operations, Fixed Satellite Services, Earth Exploration-Satellite Services, satellite operators, and any other satellite communications provider that use space stations as a means of providing the public with communications); commercial mobile radio providers; wireless resellers and Mobile Virtual Network Operators (MVNOs); covered 911 service providers; covered 988 service providers; and international section 214 authorization holders.
For the companies included above, called “Covered Providers”, the agency proposes the following requirements:
- Require all Covered Providers to create, update, and implement cybersecurity and supply chain risk management plans.
- Require Covered Providers to take reasonable measures to protect the confidentiality, integrity, and availability of their systems and services that could affect their provision of communications service. In this regard, Covered Providers’ cybersecurity and supply chain risk management plans must identify the cyber risks they face, the controls they use or plan to use to mitigate those risks and how they ensure that these controls are applied effectively to their operations.
- Each Covered Provider must have the flexibility to structure its cybersecurity and supply chain risk management plans in a manner that is tailored to its organization, provided that the plans demonstrate that the Covered Provider is taking affirmative steps to analyze security risks and improve its security posture.
Industry comments regarding the Commission’s specific proposals regarding the new cybersecurity proposed requirements are due 30 days after the Notice appears in the Federal Register.
PR Archives: Latest, By Company, By Date