Rosenworcel Proposes Stronger Cybersecurity Rules After China-Backed Hack
The FCC chairwoman circulated an order mandating cybersecurity measures and an item that would seek comment on further steps.
Jake Neenan
WASHINGTON, Dec. 5, 2024 – Federal regulators are taking steps to secure communications networks in the wake of a major breach by Chinese government-sponsored hackers.
Federal Communications Commission Chairwoman Jessica Rosenworcel is proposing new cybersecurity requirements for telecom providers as a response to the hack, the agency said Thursday.
Rosenworcel circulated both a declaratory ruling that would require telecoms to secure their networks from breaches or interception and a proposal that would seek comment on, among other things, an annual certification requirement. The declaratory ruling “clarifies that telecommunications carriers’ duties extend not just to the equipment they use but how they manage their networks,” according to the agency.
The White House confirmed Wednesday that the hack, thought to be the work of China-backed group Salt Typhoon, had infiltrated at least eight American communications providers as part of a potentially yearslong espionage campaign, and had yet to be purged from those networks. The Wall Street Journal reported that AT&T, Verizon, T-Mobile, and Lumen were among the affected companies. T-Mobile has said it successfully cut off bad actors.
“While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the communications sector in the future,” Rosenworcel said in a statement.
The declaratory ruling would specify that Section 105 of the Communications Assistance for Law Enforcement Act creates a legal requirement for telecommunications carriers to secure their networks. The wiretapping law has since 2005 applied to broadband providers, and companies can face fines for infractions.
In addition to annual certifications, the proposal would seek comment on “expanding cybersecurity requirements across a range of communications providers” and “identifying additional ways to enhance cybersecurity defenses for communications systems.”
Rosenworcel is stepping down from the agency in January. Commissioner Brendan Carr, the incoming Republican chairman, has opposed extra regulations for telecoms but has generally been supportive of thwarting Chinese access to American networks.
“The Salt Typhoon intrusion is a serious and unacceptable risk to our national security. It should never have happened,” Carr posted on X Wednesday. “I will be working with national security agencies through the transition and next year in an effort to root out the threat and secure our networks.”