The Federal Communications Commission will vote next month to rescind a controversial January 2025 Declaratory Ruling that attempted to impose sweeping cybersecurity requirements on telecommunications carriers by reinterpreting a 1994 wiretapping law.
In an Order on Reconsideration circulated Thursday, the FCC concluded that the previous interpretation was both legally erroneous and ineffective at promoting cybersecurity.
The reversal marks a dramatic shift in the FCC’s approach to telecommunications security, moving away from mandated requirements toward voluntary industry collaboration—particularly in response to the massive Salt Typhoon espionage campaign sponsored by China that compromised at least eight U.S. communications companies in 2024.
CALEA Reinterpretation
On January 16, 2025—just five days before a change in administration—the FCC adopted a Declaratory Ruling claiming that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) “affirmatively requires telecommunications carriers to secure their networks from unlawful access to or interception of communications.”
CALEA, enacted in 1994, was designed to preserve law enforcement’s ability to conduct authorized electronic surveillance as telecommunications technology evolved. Section 105 specifically requires that interception of communications within a carrier’s “switching premises” can only be activated with a court order and with intervention by a carrier employee.
The January ruling took this narrow provision focused on lawful wiretapping and expanded it dramatically, interpreting it as requiring carriers to prevent all unauthorized interceptions across their entire networks. The Commission stated that carriers would be “unlikely” to satisfy these obligations without adopting basic cybersecurity practices including role-based access controls, changing default passwords, requiring minimum password strength, and adopting multifactor authentication.
The ruling emphasized that “enterprise-level implementation of these basic cybersecurity hygiene practices is necessary” because vulnerabilities in any part of a network could provide attackers unauthorized access to surveillance systems. It concluded that carriers could be in breach of statutory obligations if they failed to adopt certain cybersecurity practices—even without formal rules adopted by the Commission.
Industry Pushback and Legal Questions
CTIA – The Wireless Association, NCTA – The Internet & Television Association, and USTelecom – The Broadband Association filed a petition for reconsideration on February 18, arguing that the ruling exceeded the FCC’s statutory authority and misinterpreted CALEA.
The new FCC agreed with these concerns, finding three fundamental legal flaws in the January ruling:
Enforcement Authority: The Commission concluded it lacks authority to enforce its interpretation of CALEA without first adopting implementing rules through notice-and-comment rulemaking. CALEA section 108 commits enforcement authority to the courts, not the FCC. The Commission noted that when it previously wanted to enforce CALEA requirements, it codified them as rules in 2006 specifically to gain enforcement authority.
“Switching Premises” Limitation: Section 105 explicitly refers to interceptions “effected within its switching premises,” but the ruling appeared to impose obligations across carriers’ entire networks. The Commission found this expansion ignored clear statutory limits.
“Interception” Definition: CALEA incorporates the Wiretap Act’s definition of “intercept,” which courts have consistently interpreted as limited to communications intercepted contemporaneously with transmission—not stored data. The ruling’s required practices target both data in transit and at rest, exceeding section 105’s scope.
“It was unlawful because the FCC purported to read a statute that required telecommunications carriers to allow lawful wiretaps within a certain portion of their network as a provision that required carriers to adopt specific network management practices in every portion of their network,” the new order states.
The Voluntary Approach of Provider Commitments
Rather than mandated requirements, the FCC pointed to voluntary commitments from communications providers following collaborative engagement throughout 2025. In an October 16 ex parte filing, industry associations detailed “extensive, urgent, and coordinated efforts to mitigate operational risks, protect consumers, and preserve national security interests.
These voluntary measures include:
- Accelerated patching cycles for outdated or vulnerable equipment
- Updated and reviewed access controls
- Disabled unnecessary outbound connections to limit lateral network movement
- Improved threat-hunting efforts
- Increased cybersecurity information sharing with federal government and within the communications sector
- Establishment of the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC) for real-time threat intelligence sharing
- New collaboration forum for Chief Information Security Officers from U.S. and Canadian providers
The government-industry partnership model of collaboration has enabled communications providers to respond swiftly and agilely to Salt Typhoon, reduce vulnerabilities exposed by the attack, and bolster network cyber defenses,” the industry associations stated.
Salt Typhoon Context
The Salt Typhoon attacks, disclosed in September 2024, involved a PRC-sponsored advanced persistent threat group infiltrating U.S. communications companies as part of a massive espionage campaign affecting dozens of countries. Critically, the attacks exploited publicly known common vulnerabilities and exposures (CVEs) rather than zero-day vulnerabilities—meaning they targeted avoidable weaknesses rather than previously unknown flaws.
The FCC noted that following its engagement with carriers after Salt Typhoon, providers agreed to implement additional cybersecurity controls representing “a significant change in cybersecurity practices compared to the measures in place in January.”
Also read: Salt Typhoon Cyberattack: FBI Investigates PRC-linked Breach of US Telecoms
Targeted Regulatory Actions Continue
While rescinding the broad CALEA interpretation, the FCC emphasized it continues pursuing targeted cybersecurity regulations in specific areas where it has clear legal authority:
- Rules requiring submarine cable licensees to create and implement cybersecurity risk management plans
- Rules ensuring test labs and certification bodies in the equipment authorization program aren’t controlled by foreign adversaries
- Investigations of Chinese Communist Party-aligned businesses whose equipment appears on the FCC’s Covered List
- Proceedings to revoke authorizations for entities like HKT (International) Limited over national security concerns
“The Commission is leveraging the full range of the Commission’s regulatory, investigatory, and enforcement authorities to protect Americans and American companies from foreign adversaries,” the order states, while maintaining that collaboration with carriers coupled with targeted, legally robust regulatory and enforcement measures, has proven successful.
The FCC also set to withdraw the Notice of Proposed Rulemaking that accompanied the January Declaratory Ruling, which would have proposed specific cybersecurity requirements for a broad array of service providers. The NPRM was never published in the Federal Register, so the public comment period never commenced.
The Commission’s new approach reflects a bet that voluntary industry cooperation, supported by targeted regulations in specific high-risk areas, will likely prove more effective than sweeping mandates of questionable legal foundation.
