Despite Chinese hacks, Trump’s FCC votes to scrap cybersecurity rules for phone and internet companies

In a 2-1 vote, the Trump-led FCC has reversed Biden-era cybersecurity mandates for phone and internet providers, just months after the Salt Typhoon Chinese hacks exposed vulnerabilities in major US telecoms. Critics warn this leaves networks exposed to state-sponsored threats, while industry groups applaud the deregulation.

WASHINGTON — The Federal Communications Commission (FCC), under new leadership appointed by President Donald Trump, has voted to dismantle cybersecurity requirements for major U.S. phone and internet providers. The decision, passed Thursday in a narrow 2-1 party-line vote, comes amid heightened concerns over foreign espionage following a major breach by Chinese hackers last year. Democratic Commissioner Anna Gomez dissented sharply, arguing the rollback weakens defenses at a critical time. As telecom giants like AT&T and Verizon face ongoing scrutiny, the move signals a shift toward voluntary industry measures over federal enforcement.

The Vote: A Swift Reversal on Telecom Safeguards

The FCC’s open meeting on November 20 marked a pivotal moment for U.S. telecommunications policy. Chairman Brendan Carr, a Trump appointee, and fellow Republican Commissioner Olivia Trusty backed the order to rescind rules adopted in January 2025 under the Biden administration. Those rules, enacted just days before Trump’s inauguration, mandated that carriers secure their networks against unauthorized access and submit annual certifications on cybersecurity risk management plans.

The targeted regulations stemmed from the Communications Assistance for Law Enforcement Act (CALEA), a 1994 law originally designed to facilitate lawful surveillance. The Biden FCC reinterpreted Section 105 of CALEA to impose enforceable cybersecurity standards, allowing for fines or criminal penalties for non-compliance. Carr, who opposed the original ruling, called it a “legally erroneous” overreach that ignored court precedents on “interception” definitions. During the meeting, FCC Cybersecurity Division Chief Leon Kenworthy echoed this, labeling the mandates “redundant” given industry self-improvements.

This isn’t the first deregulatory push from the new FCC. Since Trump’s return, the agency has prioritized reducing what it views as burdensome regulations, but critics say this particular rollback risks national security in an era of escalating cyber threats.

Salt Typhoon: The Chinese Hacks That Sparked the Rules

The backdrop to this drama is the “Salt Typhoon” campaign, a sophisticated cyberespionage operation attributed to China’s Ministry of State Security. Uncovered around September 2024, the hacks infiltrated at least nine U.S. telecom firms, including AT&T, Verizon, and Lumen Technologies. Attackers exploited vulnerabilities in lawful intercept systems—tools carriers must maintain for FBI wiretap requests—gaining access to call records, text metadata, and even audio from high-profile targets.

According to the FBI, the breach affected over 600 organizations across 80 countries, making it one of the most damaging telecom intrusions in history. U.S. officials reported that hackers snooped on communications of political figures like then-candidate Trump, Vice President JD Vance, Sen. Chuck Schumer (D-NY), and staff from Kamala Harris’s campaign. The intrusion overlapped with broader attacks on sectors like government, transportation, and military infrastructure, as detailed in a Cybersecurity and Infrastructure Security Agency (CISA) alert.

Data from the campaign underscores the scale: Millions of Americans’ metadata was exposed, with wiretap systems serving as a backdoor for espionage. Then-CISA Director Jen Easterly and National Security Advisor Jake Sullivan endorsed the January rules as a “critical step” against China’s “well-resourced” cyber program. Yet, the Trump FCC argues these voluntary post-hack fixes by providers—such as accelerated patching and enhanced threat hunting—render federal rules unnecessary.

Industry Cheers, But Lawmakers Sound Alarms

Reactions split sharply along partisan and stakeholder lines. The NCTA (The Internet & Television Association), representing telecom giants, hailed the vote as eliminating “prescriptive and counterproductive regulations.” In a statement, NCTA emphasized that carriers have voluntarily boosted information-sharing with the government and formed the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC) to coordinate defenses.

On Capitol Hill, however, Democrats decried the decision. Sen. Gary Peters (D-MI), ranking member of the Senate Homeland Security Committee, said he was “disturbed” by the rollback of “basic cybersecurity safeguards,” warning it would “leave the American people exposed.” Sen. Maria Cantwell (D-WA), top Democrat on the Senate Commerce Committee, accused the FCC of yielding to “heavy lobbying” from breached carriers in a pointed letter to Carr. She noted that AT&T and Verizon have yet to fully disclose evidence of intruder removal, despite her June requests.

Even some Republicans voiced past support for stronger standards. Sen. Mike Rounds (R-SD) had backed telecom cybersecurity mandates during the 2024 fallout. Sen. Ron Wyden (D-OR) went further, blasting the move as “waving the white flag on cybersecurity” and leaving Americans “unprotected against foreign spies.” The House recently passed a bill mandating an interagency response group led by CISA, highlighting bipartisan concern over China’s tactics.

  • Key Vote Breakdown: 2-1 (Republicans Carr and Trusty in favor; Democrat Gomez against).
  • Affected Rules: Annual risk management certifications and CALEA-based network security mandates.
  • Hack Scale: 9+ U.S. firms breached; 150+ high-profile targets monitored.
  • Industry Commitments: Faster patching, access control reviews, and expanded federal data-sharing.
  • Pending Legislation: House bill for CISA-led China hack task force.

Broader Implications for U.S. Cyber Defenses

This FCC decision fits into the Trump administration’s broader philosophy of deregulation and private-sector leadership in cybersecurity. Carr has advocated for “agile and collaborative” approaches via partnerships, rather than “inflexible” mandates. Providers must still comply with general CALEA obligations and emerging voluntary frameworks, but with no enforceable teeth behind them, compliance relies on goodwill.

Experts like Blair Levin, a former FCC chief of staff and New Street Research analyst, called Carr’s stance “counterintuitive,” arguing that post-Salt Typhoon breaches demand accountability, not trust in self-policing. The rollback could embolden adversaries; Chinese hackers have since resurfaced in attacks on satellite providers like Viasat, per recent reports. Moreover, with no federal cybersecurity baseline for telecoms—unlike sectors like finance or energy—the U.S. risks fragmented protections.

Globally, the move contrasts with allies’ responses. The UK’s National Cyber Security Centre and EU counterparts have tightened telecom rules post-Salt Typhoon. Domestically, it raises questions for the 2026 FCC agenda, especially as quantum computing threats loom and 5G/6G rollouts expand attack surfaces.

Dissent and the Path Forward

Commissioner Gomez’s dissent carried emotional weight, describing the scrapped rules as the FCC’s “only meaningful effort” since Salt Typhoon. “Handshake agreements without teeth will not stop state-sponsored hackers,” she said, urging enforceable frameworks to “harden networks against future attempted cyberattacks.” Her words echoed broader frustrations: The Trump White House has yet to issue a public response to the hacks, fueling perceptions of a softer stance on Beijing.

Looking ahead, the FCC plans targeted enforcement and rulemaking, per Carr. But with agency staff turnover amid Trump’s downsizing—many operating divisions are depleted—the path remains unclear. Telecoms face pressure to prove their voluntary pledges, while lawmakers may push oversight hearings.

In the end, this vote underscores a high-stakes debate: Can industry innovation outpace nation-state threats without government oversight? As cyber risks evolve, the answer could define U.S. resilience.

For more details, read the full TechCrunch report here.

Conclusion

The FCC’s rollback of telecom cybersecurity rules, despite the Salt Typhoon breaches, prioritizes deregulation but invites scrutiny over enforcement gaps. With industry vows to self-regulate and lawmakers demanding accountability, the decision tests U.S. cyber posture against rising Chinese threats. Ultimately, bridging partisan divides will be key to safeguarding networks without stifling innovation.