FCC Proposes Cybersecurity Mandate to Combat Advanced Threats


In response to a recent rise in foreign and state-sponsored attacks threatening critical communications infrastructure, FCC Chairwoman Jessica Rosenworcel has proposed a new mandate to protect communications systems. Technological advances and geopolitical conflict contribute to attacks like those that recently targeted massive telecommunications organizations.

The telecommunications sector is crucial to national security due to the need for secure channels for communications and information exchanges. Telecommunications and telecommunications infrastructure providers are valuable targets for state-sponsored actors seeking to steal sensitive data, disrupt crucial operations, or establish a persistent presence within organizations.

The Threat Landscape

Recent incidents of state-sponsored threat groups launching attacks on U.S. organizations have highlighted the need for action. The Chinese hacking group known as Salt Typhoon targeted at least eight U.S. telecommunications and telecommunications infrastructure firms. This attack compromised many Americans’ private metadata related to phone call activity, allegedly in search of corporate IP and information on high-ranking government officials.

State-sponsored threat actors breaching U.S. telecommunications can have a significant impact on critical infrastructure and expose vast volumes of consumer data, as well as pose a threat to national security. Foreign attackers are aware of the significance of the telecommunications sector and are highly motivated to launch advanced threats to undermine telecommunications organizations and infrastructure.

Details of the Proposal

The proposed Declaratory Ruling would find that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) legally requires telecommunications carriers to take steps to safeguard their networks from unlawful access. Penalties for noncompliance with CALEA include fines of up to $10,000 per day and court orders to comply by a certain deadline. The proposed action also includes a requirement for communications service providers to submit annual certifications.

Telecommunications carriers would be required to secure their networks against unauthorized access and interception. They would have to submit a certification to the FCC each year to confirm that their cybersecurity risk management plan has been developed, implemented, and updated properly. These requirements would come into effect immediately if the Declaratory Ruling is adopted.

Recent threat trends and attacks on U.S. telecommunications have prompted collaboration between multiple government organizations, such as CISA, the NSA, and the FBI, in an effort to increase overall security and resilience across the sector. Establishing standardized requirements for critical organizations across one or more industries requires this kind of collaboration to ensure consistency in support and enforcement across the board.

Implications for Telecommunications Providers

The proposed regulation can be helpful in establishing standards and accountability for telecommunications providers, but it will only be effective if they have the resources and support necessary to implement and maintain risk management strategies. Many organizations, especially smaller ones, may struggle to meet the requirements of the proposal without government assistance with the costs. Threat actors and technology move quickly, and maintaining a risk management strategy over time requires regular evaluation and updating to keep up with the most pressing threats.

Broader Cybersecurity Context

This initiative aligns with federal efforts to enhance critical infrastructure security with principles and objectives like using a risk-based approach, establishing minimum requirements and accountability, and exchanging threat intelligence and other pertinent information between government organizations. Telecommunications is a vital sector whose compromise can lead to severe consequences, and this proposed action could potentially have ripple effects on other critical industries. Requiring organizations to meet certain standards for cybersecurity could protect against catastrophic losses in any industry.

Expert Perspectives

Some cybersecurity experts have mixed feelings about the FCC proposal. “While the framework is solid conceptually, its success will hinge on effective implementation, government-industry collaboration, and periodic updates to address emerging threats,” according to Heath Renfrow, CISO and Co-founder of Fenix24, a Chattanooga, Tennessee-based cyber disaster recovery firm.

“The proposal is likely to pass given bipartisan urgency; however, its impact depends on addressing compliance costs and enforcement,” says Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM). “If properly defined and audited, it could improve security; otherwise, it risks becoming a symbolic measure.”

Overall, the general opinion of experts seems to be that this measure could potentially deter advanced persistent threats only if the execution and enforcement are carried out effectively. This kind of initiative will require collaboration and support at every level.

Conclusion and Forward Outlook

The proposed action by the FCC aims to establish responsibility and accountability to prevent attacks such as intrusions by foreign threat actors. It would legally require critical telecommunications and telecommunications infrastructure organizations to implement measures to protect against unlawful access to their systems; if successful, this could mean preventing catastrophic attacks that may represent threats to organizational and consumer data or even national security.

As noted by experts, organizations are not likely to take steps to implement comprehensive cyber risk management plans unless the proposal is backed up by adequate accountability, enforcement, and support from the government. If regulations are clearly outlined and organizations are motivated and equipped to comply, actions like this FCC proposal could help to prevent persistent threats in the future.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.