FCC Terminates Telecom Cyber Rules Enacted After Salt Typhoon Exploit

November 24, 2025 3:00 pm
Defense and Compliance Attorneys

The FCC has officially terminated the cybersecurity regulations for telecommunications companies that were enacted following the Salt Typhoon cyber-espionage campaign, which targeted major U.S. telecom providers and resulted in large-scale theft of metadata and sensitive communications. The decision, made by a 2-1 vote, reverses rules set up in January 2025 that required annual risk-management certifications and the implementation of basic security controls by telecom firms.

Background: Salt Typhoon Exploit

The Salt Typhoon incident refers to a series of attacks attributed to a Chinese state-sponsored group that infiltrated major U.S. carriers, including Verizon, AT&T, T-Mobile, and others. Attackers gained prolonged access to core systems used for lawful intercept, allowing them to collect metadata, call records, text message information, geolocation, and even communications involving high-profile government figures.

FCC’s Reasons for Rollback

  • The FCC described the previous cybersecurity rules as “legally erroneous and ineffective at promoting cybersecurity,” arguing the mandates provided vague guidance and imposed a burdensome compliance standard without delivering clear security improvements.

  • Instead of prescriptive regulations, the commission now favors a targeted, collaborative approach—claiming private carriers have voluntarily improved their cybersecurity posture since the attacks through enhanced access controls, patching, and information-sharing with federal agencies.

  • Telecommunications companies lobbied against the mandates, saying operational flexibility and voluntary measures are preferable to strict government oversight.

Ongoing Security Concerns

Despite these voluntary improvements, critics—including FCC Commissioner Anna Gomez and several U.S. Senators—warn that reversing enforceable requirements leaves telecom networks vulnerable to state-sponsored attacks. They point out that the Salt Typhoon breach demonstrated that voluntary security measures were not sufficient to deter sophisticated threats, and that the lack of standards could hinder efforts to hold companies accountable in future incidents.

Summary of Regulatory Changes

| Rule (Jan 2025)                     | Status (Nov 2025)     | Rationale                |
|-------------------------------------|-----------------------|--------------------------|
| Annual security certifications      | Eliminated            | Seen as overly broad     |
| Mandatory risk management plans     | Eliminated            | Shift to voluntary action |
| Legal obligation to protect network | Eliminated            | Collaborative model      |
| Fines for noncompliance             | Rescinded             | Statutory concerns       |
| Industry-federal info sharing       | Voluntary, encouraged | Post-hack improvements   |

The FCC’s rollback represents a dramatic shift from strict cybersecurity regulation to an industry-led model, even as threats to critical infrastructure persist.

Rescinding the telecom cybersecurity rules immediately increases the risk of foreign and criminal intrusion into U.S. communication networks, as baseline regulatory protections are no longer enforced. Experts warn that telecommunications infrastructures are now more exposed to nation-state hackers and advanced persistent threats, like those seen in the Salt Typhoon attacks.

Key Security Risks

  • Lowered baseline protections: Without mandatory security standards, telcos are left to voluntarily implement controls, potentially leading to inconsistent security practices and gaps across the industry.

  • Increased espionage and data theft: Nation-state actors may attempt renewed or ongoing exploitation, targeting sensitive communications, metadata, and geolocation—especially given that previous breaches allowed access to wiretap records and calls of government officials.

  • Delayed detection and response: Regulatory rollback may slow incident identification and remediation, as there is no longer a uniform obligation for incident reporting, detection criteria, or federal oversight.

  • Supply chain and cross-border impact: The risk extends to any entity relying on U.S. telecom infrastructure, including international users, financial institutions, government agencies, and critical service providers.

Prominent lawmakers and officials have stated that rolling back these rules could embolden adversaries and leave Americans less protected against sophisticated cyber threats, making critical networks more vulnerable to future attacks.

© Copyright 2025 Credit and Collection News