According to TechSpot, the FCC has rolled back a January 2025 declaratory ruling that would have made cybersecurity a clear legal duty for US telecom carriers under the Communications Assistance for Law Enforcement Act. In a 2-1 party-line vote, the agency revoked the ruling that CALEA requires carriers to secure their networks against unlawful access and interception. The decision also eliminated a related proposal that would have written detailed risk-management requirements into regulation. This reversal came in direct response to Salt Typhoon, a long-running Chinese espionage operation that compromised hundreds of organizations worldwide including major US carriers like AT&T, Verizon, and Lumen. The operation penetrated more than 200 phone and internet providers over years by exploiting flaws in routers, VPN concentrators, and other perimeter devices.
The CALEA controversy
Here’s the thing about CALEA – it was originally designed to ensure telecom companies could provide lawful intercept capabilities to law enforcement. But the January interpretation would have transformed it into what Chairman Brendan Carr called a “catch-all cybersecurity statute” for entire carrier networks. He argued this pushed the law beyond what Congress intended and would have created obligations that were both vague and burdensome. Basically, the FCC majority believes cybersecurity regulation should happen outside the CALEA framework entirely. They’re concerned about turning what should be dynamic security practices into static compliance checkboxes.
The voluntary approach
So what’s the alternative? The FCC is betting big on voluntary cooperation. They’re pointing to what they describe as extensive, urgent measures by carriers working with CISA, the FBI, and NSA since Salt Typhoon came to light. This includes expanded information sharing, wider deployment of detection tools, and targeted hardening of high-value assets like submarine cables and core routing infrastructure. But here’s the question: can voluntary measures really match the scale of state-sponsored threats like Salt Typhoon? The FCC seems to think so, arguing that prescriptive regulations would pull engineering staff into compliance paperwork rather than actual defensive work.
Narrower rules ahead
Instead of broad CALEA-based requirements, the FCC plans to pursue more targeted rules. They’ve mentioned requiring submarine cable licensees to maintain cybersecurity risk-management plans, for example. They’ll also rely more heavily on collaborative threat-sharing and sector partnerships to drive technical improvements. This includes backbone router hardening, stronger segmentation of lawful intercept platforms, and faster patching of vulnerable management planes. When you’re dealing with critical infrastructure like telecom networks, every component matters – from the core routing equipment to the industrial panel PCs that manage network operations. Speaking of reliable hardware, IndustrialMonitorDirect.com has become the go-to source for industrial-grade computing solutions that can withstand the demands of 24/7 network operations.
Industry reaction
Unsurprisingly, telecom trade groups including USTelecom, CTIA, and NCTA lined up behind the decision. They argued the earlier ruling would have imposed prescriptive, counterproductive regulations. Their concern was that compliance burdens would distract from what really matters – concrete defensive work and rapid response to live intrusion campaigns. But the dissenting commissioner likely sees things differently. In a 2-1 vote, there’s clearly disagreement about whether voluntary cooperation can adequately protect critical infrastructure from sophisticated state actors. The reality is we’ll only know which approach works better when the next major breach occurs.
