On January 16, 2025, the FCC released a Declaratory Ruling and Notice of Proposed Rulemaking (“Ruling” and “NPRM,” respectively) discussing measures to protect the nation’s communication systems from cybersecurity threats, emphasizing the critical nature of communication infrastructure for national security, public safety, and economic stability, and proposing proactive measures to counter escalating cyber threats.
Ruling
- Cybersecurity Threats: The Ruling underscores the growing risks from cyberattacks, particularly state-sponsored activities from nations like China and Russia. These threats target critical communication networks, including those of major U.S. providers, to enable espionage, disrupt operations, or prepare for potential conflicts.
- Legal and Regulatory Actions: Under the Communications Assistance for Law Enforcement Act (“CALEA”), the FCC concludes that telecommunications carriers are required to secure networks from unauthorized access. The FCC clarifies that telecommunications carriers’ duties under section 105 of CALEA extend not only to the equipment they choose to use in their networks, but also to how they manage their networks. The FCC states that carriers have an independent obligation under CALEA to prevent all incidents of unauthorized interception of communications and access to call-identifying information, not merely those carried out by law enforcement.
- The FCC notes that, even though it is proposing specific rules for obligations under section 105, carriers are still obligated to have certain basic cybersecurity practices in their communications services and systems. For example, the FCC states that a failure to adopt basic cybersecurity practices, to patch known vulnerabilities, or to employ best practices that are known to be necessary in response to identified exploits would appear to fall short of carrier obligations under section 105.
- Broader Implications: The FCC highlights the interdependence of communications with other critical sectors like energy, healthcare, and transportation. Cyberattacks on communications systems can cause cascading failures across multiple industries, threatening public safety and national resilience.
NPRM
Proposed Requirements: The FCC proposes mandatory creation, implementation, and certification of cybersecurity and supply chain risk management plans for a broad range of communication service providers, such as broadband, cable, satellite, and wireless providers. These plans would include identifying risks, applying mitigation strategies, and maintaining network security integrity. Specifically, the FCC proposes the following:
- Risk Identification: Providers would be required to identify specific cybersecurity risks that could impact their systems and operations. This includes risks associated with their network infrastructure, such as vulnerabilities in mobile towers, base stations, and core networks.
- Risk Mitigation Strategies: Providers would be required to implement controls to mitigate identified risks. These proposed measures include:
  - Role-based Access Controls: Restricting network access to authorized personnel based on job functions.
  - Password and Authentication Protocols: Enforcing strong password policies and adopting multifactor authentication for network access.
  - Vulnerability Management: Regularly identifying and patching known vulnerabilities in wireless equipment, software, and systems.
- Supply Chain Security: Providers would be required to develop strategies to manage risks associated with their supply chains. This involves assessing the trustworthiness of equipment vendors and ensuring that components used in wireless networks are not susceptible to tampering or unauthorized access.
- Network Configuration Management: Providers would be expected to maintain secure configuration practices for their wireless equipment and devices, ensuring that systems are resilient against cyberattacks.
- Regular Certification: Providers would be required to certify annually to the FCC that their cybersecurity and supply chain risk management plans have been created, implemented, and updated as necessary. These certifications would ensure accountability and compliance with the proposed regulations.
- Collaboration and Best Practices: Providers are encouraged to use resources such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) guidelines to align their practices with national cybersecurity frameworks.
The FCC seeks comment on the proposed rules, including their scope, potential costs, benefits, and application to different types of providers.
Soon-to-be Chairman Carr slammed the adoption of the Declaratory Ruling and the NPRM – calling into question whether the rules will actually take effect.
Comments will be due 30 days after publication in the Federal Register.
Reply comments will be due 60 days after publication in the Federal Register.