The US Federal Communications Commission (FCC) is looking to expanding cybersecurity requirements for US telecommunications firms following the Salt Typhoon cyber-attack which impacted at least eight US communications firms.
As part of its “decisive action” the FCC has released a Notice of Rulemaking in which communications firms could be subject to an annual certification requirement to create, update and implement cybersecurity risk management plans.
In addition, FCC Chairwoman Jessica Rosenworcel has proposed a Declaratory Ruling that would clarify that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) creates a legal obligation for telecommunications carriers to secure their networks against unlawful access and interception.
The Salt Typhoon incident saw foreign actors, state-sponsored by the People’s Republic of China (PRC), infiltrated at least eight US communications companies, compromising sensitive systems and exposing vulnerabilities in critical telecommunications infrastructure.
The attack was part of a large-scale espionage campaign. It is believed that targets included Verizon, AT&T and Lumen Technologies.
In a statement, the FCC said, “While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, the FCC can act now to strengthen cybersecurity safeguards and ensure resilience against future cyberattacks by adversaries.”
The FCC has invited the public to comment on the expanding cybersecurity requirements and identify additional ways to enhance such cybersecurity defenses.
The proposed measures have been made available to the five members of the Commission and they may choose to vote on them at any moment.
If adopted, the Declaratory Ruling would take effect immediately, the FCC statement said.
The Notice of Proposed Rulemaking, if adopted, would open for public comment the cybersecurity compliance framework, which is part of a broader effort to secure the nation’s communications infrastructure.