FCC Adopts Ruling to Mandate Provider Cybersecurity Efforts 

UPDATE, January 16, 2025: Today, Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel announced that the FCC had adopted the Declaratory Ruling proposed in December, which will require carriers to secure their networks from cybersecurity attacks and other types of threats.

“Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting,” Rosenworcel said in a statement.

The ruling takes effect immediately.

Original story follows: December 6, 2024

Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel has shared a draft Declaratory Ruling with other commissioners that finds that section 105 of the Communications Assistance for Law Enforcement Act (“CALEA”) requires carriers to secure their networks from unlawful access or interception of communications, including cybersecurity attacks. 

The People’s Republic of China was the only country mentioned by name in the FCC release, which cited “real and present cybersecurity threats.” 

The ruling, which would take effect immediately if adopted, requires carriers to “affirmatively” secure their networks from unlawful access or interception of communications. The Declaratory Ruling includes a proposal that would require annual certification to the FCC attesting that the carrier has “created, updated, and implemented a cybersecurity risk management plan” aimed at strengthening networks against future cyberattacks.

“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” FCC Chair Rosenworcel said in the release.

“As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses… We need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the communications sector in the future.”

The FCC draft notice of Proposed Rulemaking would seek comment on cybersecurity risk management requirements for a wide range of communications providers. It also would seek comments on additional ways to strengthen the cybersecurity posture of communications systems and services.

The FCC has gone toe-to-toe with the Chinese government before. Most notably, in 2020 the FCC’s Public Safety and Homeland Security Bureau found that vendors Huawei and ZTE had unacceptable ties to the Chinese government and demanded their equipment be removed from service providers’ networks.

Cybersecurity is a huge issue, of course, for the FCC and many others. In late October, S&P Global released a research report that found organizations that are not good at cyber vulnerability management are more likely to have broader cybersecurity issues. The firm found that companies are best off if they base remediation priorities on the probability and potential severity and damage of an exploit.

In another bit of FCC cybersecurity news, the Public Safety and Homeland Security Bureau said it has chosen UL LLC (UL Solutions) to be the Lead Administrator and a Cybersecurity Label Administrator (CLA) of the agency’s voluntary cybersecurity labeling program for wireless consumer Internet of Things (IoT) products. The program qualifies consumer smart products to display a label including a new U.S. government certification mark (“U.S. Cyber Trust Mark”).
