- The rescinded January 2025 ruling stemmed from a hacking campaign — known as “Salt Typhoon” — that compromised several major telecoms.
- The FCC now says it will rely on more targeted, flexible measures rather than prescriptive cybersecurity rules — a shift that cybersecurity experts warn may create inconsistent protection across networks.
What happened: FCC votes 2–1 to repeal 2025 telecom cybersecurity ruling
Earlier this month, the FCC voted 2–1 to overturn a declaratory ruling issued in January 2025, which had required U.S. telecommunications carriers to secure their networks from unauthorised access or interception. Under that ruling, the carriers had been legally obliged to strengthen network defences — a response to a wave of cyber-attacks attributed to the Salt Typhoon hacking campaign, which had breached several major firms, including Verizon and AT&T.
The repeal was spearheaded by the current Federal Communications Commission (FCC) chair, Brendan Carr, who argued that the prior order “exceeded the agency’s authority” and failed to deliver a sufficiently effective or adaptable cybersecurity framework. The commission’s published justification notes that many carriers have since taken steps to harden their infrastructure independently — prompting regulators to replace the blanket requirement with more “targeted” and “flexible” rules, for instance requiring submarine-cable operators to implement cybersecurity risk-management plans.
Why it’s important
The repeal comes at a precarious moment for telecom security. The Salt Typhoon campaign was not a minor intrusion — according to critics, it infiltrated more than 200 telecom and internet companies across the U.S., allegedly compromising call records, intercepting lawful-intercept systems, and enabling large-scale surveillance operations. By rescinding broad baseline requirements, the FCC risks leaving gaps in protection that could be exploited by state-backed hackers or cyber-criminals.
Cyber-security experts have voiced concern. For example, the CISO of a major security firm argued that mandatory rules had driven real improvements: deployment of zero-trust architectures, better network segmentation, and more rigorous supply-chain vetting. Removing those requirements, she warned, “creates a patchwork of defences across interconnected networks — guaranteeing that adversaries will exploit the weakest links.”
On the other hand, proponents of the repeal — including large carriers — argue that the original rules were overly prescriptive and costly, that many providers have already strengthened their defences, and that more flexible, risk-based regulation is preferable.
This turn of events raises critical questions: if baseline protections are no longer mandatory, how will oversight and enforcement work in practice? Will individual carriers maintain robust security voluntarily — or will competitive pressure and cost concerns lead to uneven protection across networks? In an age of growing sophistication in cyber threats, the potential consequences for consumer data privacy, national security and trust in communications infrastructure should not be underestimated.
