FCC warns telecoms to bolster defenses against China hackers or face fines

Federal Communications Commission Chairwoman Jessica Rosenworcel has drafted plans to regulate the cybersecurity of telecommunications companies as the federal government faces pressure to respond to a massive compromise of U.S. phone networks by Chinese government hackers.

If implemented, the plans would put phone network operators on warning that the FCC could pursue financial penalties against them if they do not do enough to protect their networks. It would be the first time that the agency has asserted such powers under federal wiretapping law.

“While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks,” Rosenworcel said in an exclusive statement to The Washington Post.

Washington, D.C., has been reeling from revelations of the wide-scale hacks, by a group dubbed Salt Typhoon, which Sen. Mark R. Warner (D-Virginia), chairman of the Senate Intelligence Committee, recently called the “worst telecom hack in our nation’s history.” Warner said the companies still have not expelled the hackers, a statement echoed this week by U.S. officials who warned concerned users to turn to encrypted messaging services.

Rosenworcel circulated her draft to fellow FCC commissioners on Thursday, a day after she attended a Senate briefing on the hacks alongside Director of National Intelligence Avril Haines and officials from the FBI and the Cybersecurity and Infrastructure Security Agency.

On Wednesday, Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, said the Salt Typhoon hack of “at least eight” American telecommunications companies was “part of a global Chinese campaign that has affected dozens of countries around the world.”

“We believe that this campaign against telecoms has been underway for some time, likely one to two years,” said a senior administration official, adding that the number of countries targeted was in the “low couple of dozens.” The official spoke on the condition of anonymity under ground rules set by the White House.

The FCC activity comes after calls from lawmakers, including Sen. Richard Blumenthal (D-Connecticut), for the agency to take immediate action based on its existing legislative authority to oversee the telecommunications industry. The FCC has often been divided over the years over how heavily to regulate the sector, with Republican commissioners and industry executives often arguing in favor of a light-touch approach.

The Communications Assistance for Law Enforcement Act, or CALEA, was passed in 1994 to require telecom carriers to ensure they can facilitate lawful requests by federal authorities to intercept communications in criminal investigations. It also required that the companies protect those communications and the infrastructure they ride on from unauthorized parties gaining access.

Rosenworcel said the FCC’s authority in this matter comes from Section 105 of CALEA, a single sentence that stipulates, without elaboration, that telecommunications carriers should ensure systems security “in accordance with regulations prescribed by the Commission.” As one of the measures, she is seeking to require network providers to submit an annual certification to the FCC that they are implementing a cybersecurity risk management plan.

In addition to imposing fines, the FCC could coordinate with other agencies to pursue criminal penalties against carriers deemed too careless on cybersecurity.

The FCC chairwoman’s move is significant, said James A. Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, a Washington think tank. He said he expected it to be adopted by Republican commissioners, including the incoming chairman, Brendan Carr, a staunch China hawk.

While the FCC’s five commissioners remain divided along party lines on many issues, there has been a growing bipartisan consensus at the agency to adopt a more aggressive interpretation of its authority to act to thwart China’s hackers. That improves the chances that Rosenworcel’s draft will be passed in her waning term and that the measures will not be reversed under Carr.

Carr said in a statement on X on Wednesday that the Salt Typhoon intrusion was a “serious and unacceptable risk” to U.S. national security.

“It should never have happened,” Carr said. “I will be working with national security agencies through the transition and next year in an effort to root out the threat and secure our networks.”

Under the first Trump administration, the FCC began a “rip-and-replace” program to remove Chinese-made phone network gear from U.S. networks as a potential security threat. Rosenworcel has continued under Biden’s presidency to tighten FCC regulations with an eye on China-based network hackers, including launching a review in November of the security of undersea cables.

While CALEA was not passed as a cybersecurity measure, per se, Lewis said, “it makes sense” that the FCC would use it for that purpose because “one of the parts of this massive Chinese effort” was hacking for information on whom the U.S. government was seeking to surveil. “In some ways, the Chinese triggered this because they were going after intercept requests,” he said.

Biden administration officials said voluntary efforts to protect against aggressive Chinese hacking activity have fallen short.

“We’ve had for the last decade voluntary public-private partnership efforts,” Neuberger told The Post in a recent interview. “But we continue to see successful breaches, and in many cases, as with ransomware attacks, we continue to see pretty basic cybersecurity practices not being followed.”

With China’s hackers becoming even more brazen, pre-positioning themselves in U.S. critical networks, “we need to lock our digital doors,” Neuberger said.

The White House has been regularly convening telecom executives to discuss the threat and ways to counter it. At the most recent meeting last month, the executives and cybersecurity experts discussed “the need to make real changes” to “reduce the blast radius” of cyber compromises, she said in a call with reporters on Wednesday.

Cyber requirements can make a difference, Neuberger said. After the Colonial Pipeline ransomware attack in 2021 shut down one of the nation’s largest energy pipelines for several days, creating a national security scare, the Transportation Security Administration issued a series of security directives, and today, all of the country’s several dozen critical pipeline companies are in compliance, she said.

Similar directives were subsequently issued for rail and aviation sectors, and the compliance rates in those industries are now at 68 and 57 percent respectively, she said.