In a move that quickly stirred controversy in Washington, the Federal Communications Commission voted 2-1 on Thursday to repeal a set of cybersecurity rules. These rules required U.S. phone and internet providers to meet basic security standards. The vote, made along party lines, reverses measures adopted under the Biden administration earlier this year aimed at improving the digital defenses of major telecommunications networks.
This rollback occurs even as the U.S. government investigates a significant cyber espionage operation linked to China. This hacking campaign compromised over 200 American telecom companies. Critics say the timing could not be worse.
A Partisan Vote With Far-Reaching Implications
FCC Chair Brendan Carr and Republican Commissioner Olivia Trusty, both appointed by former President Donald Trump, led the push to rescind the rules. The lone Democratic commissioner, Anna Gomez, cast the only dissenting vote. She warned that the repeal eliminates the only meaningful effort the agency has made to address security gaps exposed by recent foreign intrusions.
The now-defunct rules required telecom carriers to implement basic cybersecurity controls and take steps to secure their networks from unauthorized access, data interception, or manipulation. They also mandated that companies address known vulnerabilities in equipment and follow standard protections.
Supporters of the repeal argued that the rules were too burdensome, unnecessary, and likely to hinder innovation. However, critics, including cybersecurity officials, intelligence leaders, and lawmakers from both parties, believe they were essential safeguards in a time of increasing state-sponsored digital espionage.
Salt Typhoon: A Wake-Up Call Ignored
Gomez’s opposition focused on the federal response to “Salt Typhoon,” the Chinese hacking group behind a sweeping, years-long compromise of telecom networks across the U.S.
This hacking campaign, linked to a China-backed cyber espionage unit, targeted some of the largest telecommunications providers, including AT&T, Verizon, and Lumen. Intelligence officials reported that the attackers infiltrated systems at over 200 telecom companies, gaining insight into sensitive communications and possibly accessing data related to U.S. government officials.
Worse yet, investigators found evidence that the hackers tried to compromise lawful-intercept systems, which telecom companies are required to install for government-ordered surveillance. By exploiting weaknesses in these systems, the hackers may have accessed communications that law enforcement believed were secure.
For Gomez, rolling back cybersecurity obligations after such an attack does not make sense.
“These rules were the only meaningful effort this agency has made since the discovery of Salt Typhoon,” she stated after the vote. “We are responding to a major breach by dismantling the very safeguards intended to prevent the next one.”
Lawmakers Sound the Alarm
The FCC’s decision drew immediate criticism from senior members of Congress, raising concerns that the rollback could leave Americans vulnerable to foreign surveillance, data theft, and infrastructure attacks.
Sen. Gary Peters (D-MI), the ranking member of the Senate Homeland Security Committee, expressed his disturbance over the vote. He warned that eliminating “basic cybersecurity safeguards” threatens national security.
“At a moment when threats from foreign adversaries are growing, weakening our defenses is the last thing we should be doing,” Peters said. “This decision leaves the American people exposed.”
Sen. Mark Warner (D-VA), vice chair of the Senate Intelligence Committee, issued a stark warning as well. Warner, who has repeatedly called for stronger protections across critical infrastructures, said repealing the rules “leaves us without a credible plan” to address the vulnerabilities exploited by groups like Salt Typhoon.
He emphasized that telecom networks are foundational to national security, supporting emergency communications, law enforcement systems, and military coordination.
“If our telecommunications backbone is compromised, everything built on top of it is compromised too,” Warner said.
Telecom Industry Celebrates Regulatory Rollback
While lawmakers and security experts raised alarms, the telecommunications industry welcomed the FCC’s decision.
The NCTA, a major trade association for cable and telecommunications companies, praised the repeal as a win for innovation and regulatory flexibility. The group described the previous rules as “prescriptive and counterproductive,” arguing that industry-driven cybersecurity efforts are more effective than government mandates.
Telecom companies have long resisted attempts by the FCC to impose cybersecurity rules, claiming that federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), already collaborate with the sector to identify and address emerging threats.
Industry leaders argue that strict regulations could lock companies into outdated security practices, hindering their ability to respond quickly to evolving threats.
Gomez: Voluntary Standards Are Not Enough
In her dissent, Commissioner Gomez rejected the argument that voluntary guidelines and private-sector best practices can adequately protect the nation’s communications networks.
“Handshake agreements without enforcement will not stop state-sponsored hackers,” she said. “They won’t prevent the next breach. They do not ensure that the weakest link in the chain is strengthened.”
Gomez highlighted that cybersecurity is only as robust as its most vulnerable access point. Without enforceable rules, companies can invest unevenly, creating critical gaps.
If voluntary measures were sufficient, she argued, Salt Typhoon would never have succeeded in breaching dozens of major telecommunications networks, many of which claimed to follow industry best practices.
A Debate Rooted in the Future of Critical Infrastructure Security
The FCC’s decision underscores a deeper philosophical divide in Washington about how to protect U.S. critical infrastructure sectors — telecommunications, energy, transportation, healthcare — from foreign threats.
On one side are policymakers who believe enforceable federal cybersecurity standards are essential for national security. They argue that adversaries like China, Russia, and Iran are stepping up cyber operations that target the “plumbing” of American society.
On the other side are regulators and industry groups who believe that flexible, industry-led approaches are quicker, more adaptable, and less disruptive. They caution that rigid compliance requirements could stifle innovation and lead to outdated security protocols.
The FCC’s decision represents a clear example of this tension, with the agency backing deregulation at a time when cyber threats are increasingly tied to geopolitical conflict.
Security Experts: A Step Backward During a Time of Escalation
Cybersecurity experts outside the government echoed lawmakers’ concerns, noting that telecommunications networks are attractive targets for foreign intelligence services.
“Telecommunications systems are the nervous system of the nation — everything flows through them,” said one former Homeland Security official. “Weakening protective requirements right after discovering widespread breaches is like removing the fire alarm after the house has already caught fire.”
Several analysts pointed out that China-backed groups like Salt Typhoon often operate over multiple years, using stolen credentials and subtle backdoors that are hard to detect without rigorous oversight and monitoring.
“Minimum security standards create a baseline,” said a former NSA cyber analyst. “Without that baseline, you depend on companies to manage their own security — and historically, that hasn’t worked.”
What Comes Next: Calls for Congressional Intervention
The FCC’s vote is likely to renew calls for Congress to legislate cybersecurity requirements for telecom providers, sidestepping regulatory changes based on political leadership.
Lawmakers like Senators Peters and Warner have previously supported legislation to establish mandatory baseline standards for critical infrastructure sectors, though such proposals have faced strong opposition from industry groups.
Now, with the FCC stepping back from enforcement, pressure will likely build again.
“Cybersecurity should not be optional,” Warner said. “And it should not depend on who sits in the FCC majority.”
For now, telecommunications companies will continue to operate under a voluntary cybersecurity framework — one that security officials say has proven inadequate against Salt Typhoon and other state-backed hacking groups.
