What just happened? The FCC has rolled back an effort to make cybersecurity a clear legal duty for US telecom carriers under the Communications Assistance for Law Enforcement Act, or CALEA. In a 2-1 party-line vote, the agency revoked a January 2025 declaratory ruling that CALEA requires carriers to secure their networks against unlawful access and interception. It also pulled a related proposal that would have written detailed risk-management requirements into regulation.
Chairman Brendan Carr said the earlier interpretation pushed CALEA beyond what Congress intended and would have led to cybersecurity rules that were too expansive on paper but weak in real-world impact. The January move, he argued, sought to turn a law intended to guarantee lawful intercept capabilities into a catch-all cybersecurity statute for entire carrier networks, imposing obligations he viewed as both vague and burdensome.
The now-abandoned CALEA reading was drafted in direct response to Salt Typhoon, a long-running espionage operation linked to China that compromised hundreds of organizations worldwide, including major US carriers and network operators.
US and allied security agencies have described Salt Typhoon as heavily focused on network-edge infrastructure, with operators exploiting flaws in routers, VPN concentrators, and other perimeter devices to gain persistent footholds in backbone networks, enabling lateral movement into connected systems.
In the United States, investigators say Salt Typhoon penetrated more than 200 phone and internet providers over a period of years, including Tier-1 and national mobile operators such as AT&T, Verizon, and Lumen.
The majority argued that the January framework risked locking carriers into static, checkbox-driven compliance programs that would fall behind rapidly evolving attack techniques, rather than encouraging continuous adaptation to new threats.
They pointed instead to what they describe as extensive, urgent, and coordinated voluntary measures by carriers working with CISA, the FBI, the NSA, and other agencies since Salt Typhoon came to light.
Those efforts include expanded information sharing, wider deployment of updated detection tools across backbone and access networks, and targeted hardening of high-value assets such as submarine cables, core routing infrastructure, and exposed management interfaces.
Under this approach, FCC leaders say they will pursue narrower, more targeted rules outside the CALEA framework, such as requiring submarine cable licensees to maintain cybersecurity risk-management plans. They also intend to rely more heavily on collaborative threat-sharing and sector partnerships to drive technical improvements, such as backbone router hardening, stronger segmentation of lawful intercept platforms, and faster patching of vulnerable management planes.
Telecom and wireless trade groups, including USTelecom, CTIA, and NCTA, lined up behind the decision to dismantle the CALEA-based requirements. In a joint statement, they argued that the earlier ruling would have imposed prescriptive, counterproductive regulations that risked pulling engineering and security staff into compliance paperwork rather than concrete defensive work and rapid response to live intrusion campaigns.