On Thursday, the Federal Communications Commission voted 2-1 along party lines to eliminate regulations that previously required major U.S. phone and internet providers to adhere to specific baseline cybersecurity standards.
Brendan Carr, the FCC chairman, and fellow Republican commissioner Olivia Trusty—both appointed during the Trump administration—voted to repeal the rules mandating telecom companies to “protect their networks from unauthorized access or interception of communications.” These regulations had been put in place by the Biden administration earlier this year before leaving office.
Anna Gomez, the FCC’s only Democratic commissioner, opposed the decision. In her statement after the vote, Gomez described the now-rescinded rules as the “sole significant initiative this agency has undertaken” since the exposure of a widespread hacking operation by Salt Typhoon, a group linked to China, which targeted numerous U.S. telecommunications and internet firms.
During this prolonged campaign, the hackers infiltrated over 200 telecom providers—including AT&T, Verizon, and Lumen—to carry out extensive surveillance on U.S. officials. In certain instances, they attacked wiretap infrastructure that the government had previously mandated telecom companies to implement for law enforcement purposes.
The FCC’s decision to revise these regulations drew criticism from prominent lawmakers such as Sen. Gary Peters (D-MI), the top Democrat on the Senate Homeland Security Committee. Peters expressed his concern over the FCC’s rollback of “fundamental cybersecurity protections,” cautioning that this move could “put Americans at risk.”
Sen. Mark Warner (D-VA), who leads the Senate Intelligence Committee, stated that the regulatory reversal “leaves us without a viable strategy” to address the core security vulnerabilities that Salt Typhoon and similar groups have exploited.
Meanwhile, the NCTA, which advocates for the telecom sector, welcomed the repeal, labeling the rules as “overly rigid and ultimately harmful regulations.”
However, Gomez cautioned that while working together with the telecom industry is important for cybersecurity, it cannot replace the need for enforceable measures.
“Agreements without real consequences will not deter state-backed hackers from breaching our networks,” Gomez stated. “Such measures won’t stop future incidents, nor will they address the weakest points in our defenses. If voluntary efforts were enough, we wouldn’t be dealing with the aftermath of Salt Typhoon today.”
