At the final meeting of the Jessica Rosenworcel FCC, the agency adopted a Proposed Rulemaking to address the Chinese and other cybersecurity attacks against US networks. The order includes some startling statistics. Verizon said it has collected and analyzed over 914,000 cybersecurity incidents and 235,000 breaches in the last fifteen years. There are several citations claiming that cyberattacks doubled in 2024.
The order would have widespread implications, and the FCC estimated it would impact 69,575 communications providers. This wouldn’t just cover ISPs and telcos, but would apply to cellular companies, satellite companies and earth stations, radio stations, television stations, VoIP providers, commercial radio operators, MVNOs, and 911 providers.
The gist of the proposal is that all communications providers would have to submit an annual certification that they have created and implemented a cybersecurity and supply chain risk management plan. Specifically:
- Cybersecurity plans would have to be actionable, not just a written plan.
- Plans would have to be certified by top management.
- While providers can hire outside help to develop the plan, the provider is still fully liable for any failure to protect against cyberattacks.
- The supply chain risk management would put providers on notice to not buy electronics from questionable countries and sources.
- Plans would be due quickly for large companies, while smaller providers would have up to a year to submit a plan.
- The FCC recognizes this will be costly and estimated a cost of $10,000 to create a plan.
It’s not likely that this proposal will survive in the current form. Incoming Chairman Brendan Carr criticized the plan for being ineffective and for relying on questionable sources, such as CALEA, for the FCC’s authority. However, Carr has been quoted saying that the Chinese Salt Typhoon attacks are the worst cybersecurity intrusion in the nation’s history.
It seems likely that the FCC under Chairman Carr will take a different approach. This will be an interesting challenge for a new FCC that is clearly in favor of lowering regulations. It’s hard to think that the nation’s networks can be protected and bolstered without new regulations that require communications companies to actively protect networks and infrastructure.
The last-minute proposed approach would rely on annual certification that companies are actively working to protect their networks. It will be interesting to see if the new FCC has something stronger in mind.