FCC Guts Telecom Security Rules One Year After Salt Typhoon Hack

TL;DR

In November 2025, the FCC voted 2-1 to revoke cybersecurity rules for telecom companies—rules created specifically because Chinese hackers breached AT&T, Verizon, T-Mobile, and six other carriers. The same companies that failed to patch seven-year-old vulnerabilities successfully lobbied to kill requirements that they secure their networks. Commissioner Anna Gomez called the rollback a "hope and a dream" that leaves U.S. communications less protected.

What Happened

On November 20, 2025, the FCC voted to rescind a cybersecurity ruling adopted in the last days of the Biden administration. That ruling—passed in January 2025—required telecom companies to:

  • Create and implement cybersecurity risk-management plans
  • Submit annual certifications to the FCC confirming compliance
  • Treat network cybersecurity as a legal obligation under CALEA

The rules existed because of Salt Typhoon—the Chinese hacking campaign that compromised at least nine major U.S. telecoms and accessed the communications of over a million Americans, including calls involving Donald Trump and Kamala Harris's campaign staff.

One year later, the FCC decided those rules weren't needed after all.

The Vote

The vote was 2-1 along party lines:

  • For rollback: Chair Brendan Carr, Commissioner Nathan Simington
  • Against: Commissioner Anna Gomez

FCC Chair Brendan Carr argued the original rules were "neither lawful nor effective" and that CALEA wasn't the right legal vehicle for cybersecurity requirements. He claimed the FCC would take a more "agile" approach through its newly established Council on National Security.

Translation: voluntary cooperation instead of enforceable requirements.

The Dissent

Commissioner Anna Gomez didn't hold back:

"Collaboration is not a substitute for obligation. Handshake agreements without teeth will not stop state-sponsored hackers in their quest to infiltrate our networks."

She called the rollback a "hope and a dream" that will leave U.S. communications systems less protected.

Security experts agreed. David Shipley, CEO of Beauceron Security, described the decision as "the cyber equivalent of hanging a 'come kick me' sign on critical infrastructure and national cyber security."

The Telecom Lobby Won

The rollback didn't happen in a vacuum. Senator Maria Cantwell spelled it out in a letter to Carr:

"You have now proposed to reverse this requirement after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers. Your proposal to rescind this ruling would undermine the FCC's ability to hold carriers accountable for protecting our nation's critical communications infrastructure."

The same companies that:

  • Failed to patch vulnerabilities for seven years
  • Let Chinese hackers access wiretap systems
  • Exposed metadata from over a million Americans
  • Still haven't fully remediated the breach

...successfully convinced the FCC to eliminate requirements that they secure their networks.

What Salt Typhoon Actually Did

Context matters. Here's what the FCC just decided didn't require mandatory security rules:

9+

U.S. telecom companies breached

200+

Organizations compromised globally

1M+

Users' metadata accessed

80

Countries with victims

Salt Typhoon accessed the CALEA wiretap systems—the government-mandated backdoors that telecoms are required to maintain. Chinese hackers obtained:

  • An almost complete list of numbers the U.S. was surveilling
  • Metadata showing who called whom, when, for how long
  • Actual audio recordings of phone calls
  • Network infrastructure details

Senator Mark Warner called it "the worst telecommunications hack in our nation's history."

The FCC's response: remove the rules requiring telecoms to prevent this from happening again.

The "Agile" Alternative

Chair Carr claims the FCC isn't abandoning cybersecurity—just taking a different approach. The new plan relies on:

  • Council on National Security — An advisory body with no enforcement power
  • Targeted rules elsewhere — Vague references to other proceedings
  • Voluntary cooperation — Trusting telecoms to secure themselves

This is the same voluntary approach that produced:

  • Seven-year-old unpatched vulnerabilities
  • Legacy equipment never updated
  • Basic security measures not implemented
  • Chinese hackers with three years of undetected access

Voluntary cooperation failed. The FCC's solution is more voluntary cooperation.

Salt Typhoon Is Still Active

Here's the part that makes this worse: Salt Typhoon isn't gone.

Despite sanctions, despite a $10 million FBI bounty, despite public exposure, the Chinese hacking group continues operating. Recorded Future documented new breaches of five additional telecoms between December 2024 and January 2025.

By August 2025, the FBI confirmed Salt Typhoon had compromised at least 200 companies across 80 countries.

The FCC's own ruling acknowledged that vulnerabilities "are still being exploited." The response was to remove the requirement to fix them.

The Pattern

This follows a consistent approach:

Problem Initial Response Industry Lobbying Final Result
Salt Typhoon hack Mandatory security rules Heavy lobbying Rules revoked
AI discrimination State consumer protections AI industry pressure Executive order to sue states
Data broker abuses Proposed regulations Industry opposition Rules weakened or delayed

Every time there's a problem, the initial response is accountability. Then industry lobbies. Then accountability disappears.

What This Means for You

If you use AT&T, Verizon, T-Mobile, or any major U.S. carrier, your communications are handled by companies with no legal requirement to implement cybersecurity measures.

The same networks that Chinese hackers compromised—and may still have access to—are now governed by voluntary guidelines instead of enforceable rules.

The FCC has effectively said: we trust the companies that got hacked to protect you better next time. No verification required.

Protect Yourself

Since the government won't require carriers to protect your communications, you need to protect yourself:

Use Encrypted Messaging

Signal encrypts messages end-to-end. Even if carriers are compromised, your message content stays private. The FBI specifically recommended encrypted communications after Salt Typhoon.

Encrypt Voice Calls

Use Signal or other encrypted calling apps for sensitive conversations. Regular phone calls travel through carrier networks—the same networks Salt Typhoon compromised.

Minimize Metadata

Even encrypted apps expose metadata (who you talk to, when). For sensitive communications, consider additional precautions like VPNs or Tor.

Assume Networks Are Compromised

This isn't paranoia—it's reality. Act accordingly. Don't transmit anything through carrier networks that you wouldn't want foreign intelligence agencies to access.

The Bottom Line

Chinese hackers breached nine major telecoms. They accessed wiretap systems, stole metadata from millions, and recorded phone calls of presidential campaign staff. The Biden administration passed rules requiring telecoms to secure their networks.

One year later, after heavy telecom lobbying, the FCC revoked those rules.

The companies that failed to patch seven-year-old vulnerabilities now have no legal requirement to improve. The hackers who exploited those vulnerabilities are still active.

This is your government protecting critical infrastructure.

References

  1. FCC revokes telecom cybersecurity rules after Salt Typhoon hacks - Axios
  2. FCC rolls back cybersecurity rules for telcos, despite state-hacking risks - BleepingComputer
  3. FCC guts Salt Typhoon telco rules despite espionage risk - The Register
  4. Cantwell Slams Efforts to Roll Back Network Protection Rules - Senate Commerce Committee
  5. Warner Responds to FCC Rollback of Salt Typhoon Cybersecurity Rules - Senator Mark Warner
  6. FCC spikes Biden-era cyber regulations prompted by Salt Typhoon telecom breaches - The Record
  7. FCC votes to reverse telecom security rulemaking issued under Biden - Nextgov

Related Articles