In response to vulnerabilities exposed in U.S. telecommunications networks during the Salt Typhoon cyberattack, which was state sponsored by the People’s Republic of China, the FCC is taking action to affirm cybersecurity obligations of communications service providers. First, the Commission is circulating a draft Declaratory Ruling that would clarify that Section 105 of the Communications Assistance for Law Enforcement Law (CALEA) creates a legal obligation for telecommunications carriers to secure their networks against unlawful access and interception. The Declaratory Ruling also clarifies that telecommunications carriers’ duties extend not just to the equipment they use but how they manage their networks.
The FCC is also circulating a Notice of Proposed Rulemaking that proposes an annual certification requirement for communications service providers to: (1) create, update, and implement cybersecurity risk management plans; and (2) certify compliance with these plans to the FCC. The NPRM also seeks comment on expanding cyber requirements across a range of communications providers and identifying ways to enhance cyber defenses for communications systems.