The Federal Communications Commission moves to roll back post–Salt Typhoon cybersecurity rules

The FCC’s proposal to unwind the Biden-era rules comes despite earlier federal assessments that stronger, binding requirements were needed to address long-term, persistent access by foreign threat actors.

The Federal Communications Commission is preparing to vote on whether to rescind a set of cybersecurity requirements for US telecommunications providers that were adopted in January 2025, shortly after the large-scale Salt Typhoon intrusion campaign came to light. The vote on Thursday (20 November) would withdraw both the Biden-era ruling under Section 105 of the Communications Assistance for Law Enforcement Act and a related package of proposed rules intended to harden telecom networks against state-sponsored attacks.

FCC Chairman Brendan Carr argues that the January measures exceeded the agency’s statutory authority and failed to deliver a practical response to the kinds of threats revealed by Salt Typhoon. Instead of prescriptive requirements, the draft order calls for an ‘agile and collaborative’ cybersecurity approach built around federal–private partnerships and more narrowly tailored rulemaking. This is a sharp shift from the previous administration’s approach, which sought to mandate specific cybersecurity obligations across the telecom sector in response to what US officials described as an unprecedented compromise of critical communications infrastructure.

Salt Typhoon was disclosed in 2024 as one of the most extensive intrusions ever uncovered in the US telecom ecosystem. According to US authorities, Chinese state-sponsored operators infiltrated major backbone routers and provider-edge equipment, using compromised devices and trusted connections to reach the communications of political figures, government officials and other high-value targets. The Cybersecurity and Infrastructure Security Agency later linked the campaign to a broader pattern of global activity against telecommunications, government services, transportation systems, lodging networks and military infrastructure. The breach’s scale led senior lawmakers to characterise it as the worst telecommunications hack in US history.

The FCC’s proposal to unwind the Biden-era rules comes despite earlier federal assessments that stronger, binding requirements were needed to address long-term, persistent access by foreign threat actors. Current leadership, however, says the January order relied on a strained interpretation of the law and was introduced without sufficient public consultation. Industry groups have welcomed the reconsideration. In an October letter, lawyers representing several telecom associations said mandatory rules would undermine existing voluntary partnerships, arguing that operators had already cooperated extensively with federal agencies to investigate Salt Typhoon and had implemented more robust security practices.

Why does it matter?

The decision now centres on a broader policy debate about how aggressively the United States should regulate cybersecurity in critical telecom infrastructure. If the FCC rescinds the rules, oversight of security standards will continue to depend heavily on voluntary cooperation and targeted enforcement actions rather than comprehensive, sector-wide obligations. Given the strategic importance of telecom networks – and the demonstrated vulnerability exposed by Salt Typhoon – the outcome will shape how the US balances regulatory authority, national security concerns and industry flexibility in the next phase of cyber governance.
