Incoming FCC Chair Carr Blasts Agency’s Response to Salt Typhoon Cyberattacks


WASHINGTON—In response to a Jan. 15 Federal Communications Commission vote to impose new cybersecurity rules, Commissioner Brendan Carr, who is slated to become the agency’s chair in the new Trump administration, has issued an unusually harsh statement criticizing the vote.

“Today, just five days before we complete the transition to a new Administration—when the interests of bipartisan collaboration on matters of national security should be paramount for everyone in government—the Biden FCC decided to force a vote on a partisan, uncoordinated, and counterproductive approach to the Salt Typhoon cybersecurity threats,” Republican Carr said in a written statement.

The so-called Salt Typhoon cybersecurity attacks involved a major security breach of U.S. telecommunications infrastructure by Chinese intelligence services. In the fall of 2024, federal authorities said hackers had breached the infrastructure of nine major U.S. telecommunications companies.

Following the reports, FCC chair Jessica Rosenworcel highlighted the severity of the threat and issued a statement on Dec. 5 saying the FCC needed to take action. She circulated a draft Declaratory Ruling to other FCC commissioners finding that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access or interception of communications.

Based on that authority, Rosenworcel, a Democrat, proposed that communications service providers submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications against future cyberattacks.

“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” Rosenworcel wrote. “As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses. While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”


In response to the vote on the Declaratory Ruling, which was not available on the FCC site on the morning of Jan. 16, Carr called Salt Typhoon “the worst cyber intrusion in our nation’s history. That intrusion, which the next Administration will be left to address, represents an unacceptable risk to our national security. It should never have been allowed to happen. It now requires a serious and effective response—this FCC action is neither.”

Carr provided no specific details on what he believed to be an appropriate response, saying in general terms that “we should be working closely with the intelligence community officials and the network providers that have been targeted by this attack. We should be conveying in real time the remedial steps that are necessary to restore the integrity of our networks—and ensuring that providers are implementing them. And we should be taking a series of actions that will restore America’s deterrence and harden our networks going forward.”

He did, however, say that the FCC had chosen to “issue a decision that it does not even have the authority to adopt” and criticized CALEA as a suitable legal basis for the FCC's actions.

“Specifically, CALEA requires a covered provider to open their network within the ‘switching premises’—but only within the switching premises—to enable authorized intercepts by U.S. law enforcement,” Carr wrote. “Today, the FCC reads CALEA as also imposing an affirmative obligation on a covered provider to take certain undefined cybersecurity actions across every portion of the network—meaning, both within and outside the switching premises. But the FCC and the court of appeals have already determined that CALEA’s ‘switching premises’ language is key to the statute’s operation. The FCC’s unprecedented decision to effectively read that language out of the statute not only undermines the action it takes today, it calls into question every previous FCC action under CALEA too.”

“The FCC has taken lawful, effective, and bipartisan actions on national security matters over the past four years,” Carr concluded. “Why depart from that at the eleventh hour? For a headline? To tie the hands of the incoming Administration? … The Biden Administration has left a lot of messes for others to clean up. Add this one to the pile.”

George Winslow
