FCC Reconsiders Biden-Era Cybersecurity Rules After Industry Pushback

The FCC is preparing to vote on rolling back cybersecurity rules imposed after the Salt Typhoon espionage campaign, following heavy telecom industry pushback. Carriers argue the mandates are costly and duplicative, raising concerns that easing them could weaken protections for critical U.S. communications infrastructure.

    The U.S. Federal Communications Commission (FCC) is set to vote this week on a contentious proposal that could overturn cybersecurity regulations imposed on telecommunications carriers in 2024. These rules were introduced by the Biden administration in the wake of the Salt Typhoon cyber campaign, which exposed serious vulnerabilities in critical telecom infrastructure.

    The decision follows intense industry lobbying and criticism from major telecom providers, who argue the rules impose excessive operational and compliance costs with limited measurable benefits. Now, the FCC appears poised to walk back key parts of the regulatory framework that were designed to strengthen national cybersecurity postures.

    Telecom Industry Challenges Post-Attack Reforms

    Telecom carriers say the cybersecurity compliance mandate is too burdensome to implement.

    The rules in question required telecommunications carriers to implement a baseline set of cybersecurity controls. These included mandatory risk assessments, incident response planning, and formal reporting procedures tailored to the sector’s role in critical infrastructure. The regulations emerged in response to the large-scale cyber campaign known as Salt Typhoon, linked to China-affiliated actors, which impacted U.S. telecom and cloud providers.

    However, telcos contended that the rules duplicated existing requirements and disproportionately affected smaller operators lacking sufficient in-house cybersecurity capacity. Industry representatives appealed to the FCC, arguing that the rules created fragmented compliance regimes and expensive reporting obligations, particularly for mid-tier and regional firms.

    Their core arguments included:

    • The rules overlap with other federal cybersecurity mandates (e.g., CISA guidelines).
    • Implementation timelines were too aggressive for smaller carriers to meet.
    • The compliance costs outweigh the security benefits for many providers.

    The FCC acknowledged these concerns in its upcoming rulemaking review, describing the challenged regulations as “unduly burdensome” and potentially detrimental to innovation and investment in network infrastructure.

    Rules Sparked by Salt Typhoon Campaign May Be Rolled Back

    Cybersecurity rules were initially enacted in response to a major espionage campaign linked to Chinese threat actors.

    The Salt Typhoon incident, which came to light earlier in 2024, catalyzed a flurry of cybersecurity attention at the highest levels of government. According to U.S. intelligence and cybersecurity agencies, the threat campaign involved China-aligned actors compromising global telecom and IT systems to steal sensitive data and monitor communications stealthily.

    The Biden-administration-era FCC used the incident to justify proactive regulatory oversight. By requiring telecom carriers to implement minimum cybersecurity baselines, the administration aimed to close gaps exploited in the Salt Typhoon attacks. These efforts were aligned with broader federal strategies, including the National Cybersecurity Strategy and White House Executive Orders.

    But critics within the telecommunications industry maintained that the approach overreached existing cooperative frameworks, instead favoring a punitive model built on mandatory compliance without sufficient consultation.

    Regulatory Shift Indicates a Changing Cybersecurity Policy Climate

    The FCC’s decision reflects mounting pressure to balance cyber regulation with industry flexibility.

    If the FCC votes to repeal or revise these rules, it would mark a significant policy shift—away from prescriptive mandates and toward sector-driven self-regulation. The move underscores how cyber policy in the U.S. increasingly hinges on balancing national security risks with economic and operational realities for private industry.

    Supporters of the rollback within the FCC argue that voluntary collaboration with agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and industry-led efforts can achieve similar resilience without imposing compliance burdens on carriers. They further point to the Telecommunications Sector Coordinating Council (TSCC) and Information Sharing and Analysis Centers (ISACs) as more agile frameworks for addressing cyber threats.

    However, some stakeholders warn that this deregulation could leave critical infrastructure more exposed to state-sponsored cyber activity. While the Salt Typhoon attack involved sophisticated actors, it highlighted lapses in basic security hygiene and coordination—issues the 2024 rules sought to address.

    What Comes Next for U.S. Telecom Cybersecurity

    The repeal vote may reset federal oversight approaches but raises questions about readiness.

    With the future of FCC cybersecurity rules hanging in the balance, the vote will likely shape how U.S. communications infrastructure handles cyber risks moving forward. If the rules are rescinded, telcos will regain autonomy in determining how to manage threats, but without the federally mandated accountability that followed the Salt Typhoon breach.

    For cybersecurity professionals in the telecom sector, this potential rollback signals a shift in regulatory expectations. Despite longstanding calls for mandatory cybersecurity baselines across critical infrastructure sectors, the FCC’s move may prioritize industry discretion over government-enforced compliance.

    As one of the first major tests of post-attack cyber policy, the FCC’s upcoming decision could also set a precedent for how responsive—or deferential—future regulations will be in the face of documented threats and geopolitical challenges.
