The Salt Typhoon hack against US telecommunications firms has prompted the FCC to suggest stricter security rules to protect the sector from future cyber threats
# Regulation/Compliance: Proposed FCC Cybersecurity Rules for US Telecoms
## Overview
This document summarizes the proposed actions by the US Federal Communications Commission (FCC) to significantly expand cybersecurity requirements for telecommunications firms in the United States, spurred by the "Salt Typhoon" cyber-attack attributed to state-sponsored foreign actors (PRC). The proposals involve mandatory risk management plans, annual certification, and clarification of existing legal obligations regarding network security.
## Key Details
- **Issuing Authority:** Federal Communications Commission (FCC).
- **Effective Date:** Not specified; contingent on the adoption of the Notice of Rulemaking and Declaratory Ruling. The Declaratory Ruling, if adopted, would take effect immediately.
- **Jurisdiction:** United States telecommunications carriers.
- **Status:** Proposed (Notice of Rulemaking and Declaratory Ruling issued; pending public comment and Commission vote).
## Requirements
### Mandatory Requirements
1. **Cybersecurity Risk Management Plans (Proposed via Notice of Rulemaking):** Telecommunications firms could be required to **create, update, and implement** comprehensive cybersecurity risk management plans annually.
2. **Annual Certification (Proposed via Notice of Rulemaking):** Firms may face an **annual certification requirement** related to the implementation of their cybersecurity risk management plans.
3. **Securing Networks (Proposed via Declaratory Ruling):** Clarification that current law (Section 105 of CALEA) creates a **legal obligation** for telecommunications carriers to actively **secure their networks against unlawful access and interception**.
### Recommended Practices
1. **Public Comment Participation:** Organizations are encouraged to participate in the public comment period to provide feedback on the proposed compliance framework and suggest further enhancements.
2. **Proactive Defense Enhancement:** Organizations should use the current period to immediately review and enhance cybersecurity defenses in anticipation of potential new mandates, given the ongoing threat landscape.
## Affected Organizations
- **Industries:** Telecommunications firms/carriers operating within the US.
- **Organization Size:** Not explicitly defined, but applicable to entities subject to FCC jurisdiction as telecommunications carriers.
- **Geographic Scope:** United States.
## Compliance Timeline
- **Date:** Public comment period open (implied starting shortly after December 6, 2024).
- **Date:** The Notice of Proposed Rulemaking and Declaratory Ruling can be put to a vote by the five Commissioners **at any time**.
- **Final deadline:** Not yet set; full compliance would be required only after final adoption by a Commission vote and the implementation period the adopted rules specify.
## Implementation Guidance
### Assessment Phase
- Review existing cybersecurity risk management plans against anticipated annual certification requirements.
- Analyze current network safeguards to identify vulnerabilities exploited in incidents like Salt Typhoon, specifically regarding protection against unlawful access and interception as per CALEA implications.
### Implementation Phase
- Develop robust processes for the annual creation, updating, and formal implementation of documented risk management plans.
- Prepare systems and documentation necessary to support an annual certification of these plans.
### Validation Phase
- Establish internal audit mechanisms to ensure the cybersecurity risk management plans are actively functioning and updated according to proposed future rules.
## Technical Requirements
- Specific technical controls are not detailed in this initial proposal summary; the stated focus is on hardening networks to prevent **unlawful access and interception**. In practice this implies stronger technical safeguards around access control, intrusion detection, and network segmentation.
## Penalties & Enforcement
- **Fines:** Not specified in the article for non-compliance with the *proposed* rules. However, regulatory non-compliance with FCC mandates generally carries significant financial penalties.
- **Other Consequences:** Failure to comply with the declared obligation under CALEA (if the ruling is adopted) could result in legal action based on existing statutory penalties for violating CALEA provisions.
- **Enforcement:** Enforcement would fall under the FCC’s existing regulatory and enforcement authority, and the Commission may act on weaknesses exposed by critical-infrastructure intrusions such as Salt Typhoon.
## Related Standards
- **Legal Framework:** Communications Assistance for Law Enforcement Act (CALEA), specifically Section 105.
- **General Guidance:** Although the proposal does not name one, risk management plans drafted to satisfy it are likely to draw on established frameworks such as the NIST Cybersecurity Framework (CSF).
## Resources
- **Official Documentation:** FCC Notice of Rulemaking and Declaratory Ruling (must be sourced directly from the FCC official releases).
- **Guidance Documents:** Public comments once solicited by the FCC.
- **Tools:** Not specified.
## Practical Recommendations
1. **Monitor FCC Docket Closely:** Immediately track the progress of the Notice of Rulemaking and Declaratory Ruling.
2. **Update Risk Plans:** Begin drafting or updating current cybersecurity risk management documentation to satisfy the expected structure of an annual, certifiable requirement.
3. **Review CALEA Compliance:** Analyze current network architecture against potential interpretations of CALEA Section 105 concerning securing networks against illicit interception.
4. **Engage Publicly:** Submit comments during the public consultation period to influence the final scope and deadlines of the forthcoming rules.