
NEWS BRIEF
In the wake of recent cyberattacks against U.S. communications companies by foreign actors, the Federal Communications Commission proposed new cybersecurity rules on how telecommunications companies should secure their networks.
“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Chairwoman Jessica Rosenworcel in a statement last week. “As technology continues to advance, so do the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses.”
Under the proposed requirements, which have been shared as a Declaratory Ruling with the other members of the commission, telecommunications carriers would need to secure their networks from unlawful access or interception of communications, and to submit annual certifications to the agency confirming that they have created, updated, and implemented a cybersecurity risk management plan to fortify their defenses against future attacks. The proposal focuses on a “modern framework to help companies secure their networks,” the chairwoman said.
“The FCC is creating a forcing function to prioritize risk management and cybersecurity, which will also drive modernization in a lot of useful ways,” Trey Ford, chief information security officer at Bugcrowd, said in an emailed statement. “The FCC will appreciate the challenges that Corporate Directors and the SEC have been wrestling with – how to inventory, score, and treat cyber risks – and the challenges in communicating what needs done, when, and how.”
The Chinese state-sponsored hacker group Salt Typhoon hit several internet service provider networks in the U.S. earlier this year, compromising targets at organizations including Verizon, AT&T, and Lumen. The carriers have not yet successfully evicted the attackers from their networks, and the intelligence community is still trying to determine the scope and impact of the attacks.
In what is one of the largest, most egregious cyberattacks, a large number of call records, including phone numbers, call types and duration, have been compromised. Salt Typhoon also intercepted the calls and messages of government officials and politicians.
Last week, CISA, together with the National Security Agency (NSA) and the FBI, issued guidance to the telecom industry on how to handle the threat. The new guidance includes best practices and recommendations on quickly detecting threat activity, improving visibility, reducing existing vulnerabilities and limiting the attack surface. It also highlighted ways to harden Cisco network gear.
After a classified briefing in the Senate, Sen. Ron Wyden introduced legislation this week to require the FCC to create, along with the Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence, specific digital security standards designed to prevent unauthorized interceptions. The proposed bill would require telecoms to conduct annual tests of the safety measures and work to patch any uncovered vulnerabilities, as well as tap an outside auditor to carry out yearly assessments of compliance with the cybersecurity rules. With Congress poised for recess soon, it is unclear if there will be any immediate action on this legislation.
If the FCC proposal is adopted, the Declaratory Ruling would take effect immediately. The draft Notice of Proposed Rulemaking would seek comment on cybersecurity risk management requirements and on additional ways to strengthen the cybersecurity posture of communications systems and services.