At their November meeting, the Federal Communications Commission (FCC) “took action to correct course and rescind an unlawful and ineffective prior Declaratory Ruling misconstruing the Communications Assistance for Law Enforcement Act (CALEA).” The FCC says this will strengthen the nation’s cybersecurity, but its critics say rescinding the January 2025 Declaratory Ruling will make us less safe.
Senator Maria Cantwell (D-Washington) wrote to FCC Chairman Brendan Carr before the FCC’s meeting and said: “You have now proposed to reverse this [Declaratory Rulling] after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers… I am concerned that your move to drop cybersecurity requirements on carriers is part of a pattern of weakness on national security issues.”
However, the FCC’s press release about the move said, “Since January, the Commission has taken a series of actions to harden communications networks and improve their security posture to enhance the agency’s investigative process into communications networks outages that result from cyber incidents.”
But FCC Commissioner Anna M. Gomez issued a separate statement that said, “Ten months into this Administration, this FCC has still not put forward a single actionable solution to address the growing cybersecurity threat to our communications networks. Not one concrete proposal. Not one protection standard. Not one accountability mechanism.”
Both the FCC and its critics referenced the 2024 Salt Typhoon cyberattack as an important sign that the U.S. needs stronger cybersecurity. The Declaratory Ruling was enacted in January 2025 — in the final days of the Biden administration — in response to Salt Typhoon.
Was the FCC’s move good for cybersecurity? We ask an expert.
To help untangle these issues, Telecompetitor interviewed Marc Martin, a partner with Perkins Coie LLP who consults with technology companies on regulatory and transactional issues. Martin served as an FCC attorney adviser from 1991 to 1994.
Martin said he believes Cantwell and Gomez’s critiques have more to do with process than anything else. “I think what they’re saying — Cantwell in particular — was, ‘Why do we think self-governance is appropriate right now? Where is the documented evidence from these carriers that everything’s fine?’”
Martin pointed out that Salt Typhoon may have been the biggest successful cyberattack on federal government resources ever, and though large providers may believe they can police themselves, “Isn’t that what got us in this mess in the first place?”
“Verizon and AT&T in particular have a long history of being very successful at fending off regulation,” he said. “They’re a very strong influence in the halls of Washington. They employ a lot of people in districts all around the United States, and they’re very effective [at avoiding regulation]… I don’t think Cantwell was necessarily saying that’s inherently wrong. It’s more of a due diligence question.”
After the FCC’s cybersecurity ruling last month, NTCA–The Rural Broadband Association issued a statement that read, “NTCA supports the FCC’s decision to rescind the Declaratory Ruling, which was overly broad and burdensome for small broadband providers… The Commission’s previous approach would have imposed vague requirements that could have burdened rural telecommunications providers without effectively addressing threats.”
Martin is sympathetic to the burdens put on smaller providers. “Requirements are always more burdensome than the absence of them,” he said. “You have to get your head around them and figure out what it takes to comply. You probably have to work with counsel, work with engineers, and there may be a capital expenditure involved.”
But Martin said, “The Commission’s charter is not to serve the interest of any particular sector. It’s to serve the public interest. And protecting networks from foreign adversaries and other bad actors is serving the public interest right now.”
Ultimately, Martin said he doesn’t know whether the FCC’s rescinding of the Declaratory Ruling regarding cybersecurity will make consumers and companies safer.
“We’ll find out, right?” he said. “If we’re going to go forward in this fashion, hopefully nothing further will happen. But past is prologue. Something will happen, because it’s a never-ending effort for foreign adversaries and other bad actors to do the wrong thing. It’s constant. So, let’s hope our networks are secure.”
