The Federal Communications Commission (FCC) is preparing to repeal a Biden-era ruling that mandated internet service providers (ISPs) to secure their networks under the Communications Assistance for Law Enforcement Act (CALEA). FCC Chairman Brendan Carr stated that the original ruling ‘exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.’ Carr emphasized that the vote, scheduled for November 20, comes after ‘extensive FCC engagement with carriers’ who have already taken ‘substantial steps’ to strengthen their cybersecurity defenses.
The ruling was initially issued in January 2025, responding to attacks by China, including the Salt Typhoon infiltration of major telecom providers such as Verizon and AT&T. The Biden-era FCC found that the CALEA, a 1994 law, ‘affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.’ The commission’s order clarified that ISPs must not only secure the equipment they use but also ensure the management of their networks is secure. A draft of the order set for vote in November can be found here (PDF).
Analysts suggest that this decision reflects a growing trend in regulatory policy shifts, particularly in response to cybersecurity challenges. While the ruling had been intended to ensure robust network security, the FCC’s move to rely on voluntary commitments by telecom providers raises concerns about the adequacy of such measures compared to mandatory compliance. This shift may have significant implications for the cybersecurity landscape and the responsibilities of ISPs in protecting national infrastructure.