Gomez Slams Vote Overturning Salt Typhoon Order Ahead of FCC Meeting
FCC Commissioner Anna Gomez on Wednesday slammed the agency's move to reverse its January declaratory ruling and NPRM addressing the Salt Typhoon cyberattacks. The new FCC item, set for a vote at Thursday's meeting, would withdraw the NPRM and find that the FCC erred in affirming the legal responsibility of carriers to secure their networks under the Communications Assistance for Law Enforcement Act (CALEA).
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Commissioner Brendan Carr similarly slammed the January action before it was released by the FCC (see 2501160041).
Ten months into the current administration, “this FCC has still not put forward a single actionable solution to address the growing cybersecurity threat to our communications networks,” Gomez said Wednesday. The proposed rollback isn’t a “cybersecurity strategy. It is a hope and a dream that will leave Americans less protected than they were the day the Salt Typhoon breach was discovered.”
Salt Typhoon won’t be “the last attempt to infiltrate our networks, and without immediate action it will not be the last successful one,” Gomez said.
Industry officials said Wednesday that the result of the vote was probably never in question, with Carr and Commissioner Olivia Trusty expected to approve and Gomez to dissent. Carr said last month that the item clarifies “the substantial steps that providers have taken to strengthen their cybersecurity defenses,” independent of FCC action.
Former Democratic Commissioner Michael Copps said in an email Wednesday that the vote is “yet another march in reverse from the FCC’s mandate to protect the public interest.” The cybersecurity threats that Americans face “will only get worse as the commission blindfolds itself from evermore threats to our security,” he argued. “It’s time to make policy, not break policy.”
Former Republican Commissioner Mike O’Rielly applauded the move. The “so-called” Salt Typhoon "solutions" put forward by the last commission were “costly” and “punitive” and imposed “harmful regulatory burdens,” he said. The January ruling was based on “specious authority that would have done nothing to prevent past attacks or stop future ones.”
Rescission of the January ruling “is particularly troubling” in light of Carr's “loud and repeated concerns about Chinese infiltration of our networks,” said Public Knowledge Senior Vice President Harold Feld. “Cybersecurity requires more than thoughts and prayers. It needs rules and standards.”
He noted that in August, the 6th U.S. Circuit Appeals Court found that the broad authority vested in the FCC by Section 201(b) of the Communications Act made up for any gap left by Section 222 and therefore upheld the agency’s 2023 data breach notification rules (see 2508140052). Even if Carr believes that CALEA alone doesn’t provide the FCC with adequate authority to impose data protection rules, the agency could have sought comment “on whether Section 201(b) or some other general provision provided the necessary authority,” Feld said.
The “core problem” with Salt Typhoon “wasn’t the absence of an FCC-administered framework -- it was the inherent difficulty of securing sprawling, heterogeneous networks against a sophisticated state actor,” emailed Kristian Stout, innovation policy director for the International Center for Law & Economics. Industry already has “the strongest possible incentive structure,” since no carrier “wants Chinese intelligence services anywhere near its systems.”
USTelecom, CTIA and NCTA supported the reversal of the January ruling in a joint statement Wednesday. “ISPs have a long-standing commitment to security and work tirelessly to ensure their networks remain safe from attackers,” the groups said. “By strengthening collaboration among government, industry, and security experts, the FCC is reaffirming an approach that enhances network reliability and allows providers to respond effectively to a rapidly evolving threat landscape.”
An FCC spokesperson, meanwhile, responded Wednesday to opposition from Senate Commerce Committee ranking member Maria Cantwell, D-Wash., over the CALEA ruling reversal (see 2511180060). “The Salt Typhoon cyberattacks during the Biden Administration should never have been allowed to happen,” the spokesperson said in an email. “But rather than putting an effective and agile response in place, the Biden Administration opted instead for an illegal, ineffective, and after-the-fact action. In contrast, this FCC has worked to ensure that carriers change their cybersecurity practices and adopt new measures that harden their networks.”