Full Report
Ron Wyden, a Democratic Senator from Oregon, has introduced a draft bill that requires the Federal Communications Commission... The post Senator Wyden proposes FCC cybersecurity mandate following Salt Typhoon hack appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: Secure American Communications Act (Draft)
## Overview
This draft bill, introduced by Senator Ron Wyden, seeks to mandate the Federal Communications Commission (FCC) to finally implement binding cybersecurity regulations for telecommunications systems. These regulations are specifically intended to prevent the unauthorized interception of communications and call-identifying information, prompted by sophisticated foreign state-sponsored attacks (like the Salt Typhoon hack) against U.S. telecom infrastructure.
## Key Details
- **Issuing Authority:** U.S. Congress (Bill proposal), with implementation authority delegated to the Federal Communications Commission (FCC).
- **Effective Date:** Not yet enacted (Draft legislation). The bill mandates the FCC to implement rules that address existing 1994 requirements.
- **Jurisdiction:** United States telecommunications industry and carriers.
- **Status:** Proposed (Draft Legislation).
## Requirements
### Mandatory Requirements
1. **Implement FCC Cybersecurity Rules:** Telecom carriers must implement specific cybersecurity requirements to be designed by the FCC in consultation with CISA and the Director of National Intelligence.
2. **Prevent Unauthorized Interception:** Requirements must explicitly prevent the interception of communications or access to call-identifying information without lawful authorization by any person or entity, including Advanced Persistent Threats (APTs).
3. **Annual Testing:** Carriers must conduct testing, not less than annually, to evaluate system susceptibility to unauthorized interception of communications or call-identifying data.
4. **Corrective Measures:** Carriers must take necessary corrective measures indicated by annual testing and document the findings and actions taken.
5. **Independent Auditing:** Carriers must contract with an independent auditor (meeting FCC technical standards) to conduct an annual assessment of compliance with FCC cybersecurity rules, documenting findings, including areas of noncompliance.
6. **Submission of Documentation:** Carriers must annually submit documentation from both the annual tests and independent audits to the FCC.
7. **CEO/CISO Attestation:** Carriers must annually submit a written statement, signed by the CEO and CISO (or equivalent), certifying compliance with the FCC cybersecurity rules.
### Recommended Practices
1. **Collaboration with Agencies:** Requirements mandate consultation with CISA and the Director of National Intelligence in designing the specific rules, indicating that industry alignment with these agencies’ threat profiles is critical.
2. **Use of Secure Software (Related Proposal):** While not strictly part of this bill, proponents are also urging the government to move away from insecure proprietary software, suggesting carriers should review their own software supply chain security.
## Affected Organizations
- **Industries:** Telecommunications providers, including major carriers (e.g., Verizon, AT&T, Lumen Technologies).
- **Organization Size:** Applies to telecommunications carriers generally.
- **Geographic Scope:** United States networks.
## Compliance Timeline
- **Initial Implementation Effort:** The bill seeks to enforce requirements first imposed by a 1994 act of Congress that the FCC never fully implemented.
- **Timeline TBD:** Specific deadlines would be established by the FCC upon passage and enactment of the bill.
- **Final Deadline:** Once enacted, the bill provides for annual testing, independent auditing, and CEO/CISO attestation submissions to begin immediately, with the specific dates set by the FCC.
## Implementation Guidance
### Assessment Phase
- **Review of 1994 Mandate:** Organizations must review the original 1994 legal requirements that the FCC is now mandated to formalize.
- **Gap Analysis:** Determine current security controls against the anticipated forthcoming FCC cybersecurity requirements (informed by CISA/ODNI expertise) regarding preventing unauthorized interception.
### Implementation Phase
- **Develop Testing Protocols:** Establish robust, recurrent testing methodologies specifically designed to reveal vulnerabilities allowing unauthorized interception of communications data or metadata.
- **Vendor/Auditor Qualification:** Identify and contract with independent auditors possessing the necessary technical expertise and independence as defined by the FCC.
### Validation Phase
- **Internal Test Documentation:** Maintain detailed records of penetration tests, red team efforts, and system hardening actions taken post-test.
- **Annual Submission Preparation:** Prepare the mandated annual packet for the FCC, including test results, audit findings, and the CEO/CISO compliance certification.
## Technical Requirements
- Cybersecurity requirements designed by the FCC, in consultation with CISA and the DNI, to prevent unauthorized access to communications content and call-identifying information.
- Specific focus on mitigating threats posed by APTs/state-sponsored actors.
## Penalties & Enforcement
- **Fines:** Specific fine structures are not detailed in this summary of the draft bill, but enforcement would fall under the FCC's existing regulatory authority over carriers.
- **Other Consequences:** Potential regulatory actions, public scrutiny, and enforcement actions by the FCC or DOJ for non-compliance with new mandatory rules.
- **Enforcement:** The FCC will be responsible for enforcing compliance, leveraging mandatory annual testing results and independent audit documentation submitted by the carriers.
## Related Standards
- **Internal FCC Rules:** The resulting mandatory requirements imposed by the FCC will establish the definitive compliance standard.
- **CISA/ODNI Guidance:** Compliance efforts will need to align with contemporary threat intelligence provided by CISA and the Office of the Director of National Intelligence (ODNI).
## Resources
- **Official Documentation:** Draft legislation: Secure American Communications Act (link not provided).
- **Guidance Documents:** Senate press releases from Senator Wyden detailing the rationale and intent of the bill.
- **Tools:** Organizations will likely need advanced network monitoring, auditing tools, and dedicated encryption/access control mechanisms.
## Practical Recommendations
1. **Proactive Engagement:** Telecom organizations should monitor the progression of this bill closely and begin shaping internal cybersecurity roadmaps to meet anticipated FCC mandates regarding interception prevention.
2. **Elevate Accountability:** Prepare processes for the CEO and CISO to personally attest to compliance annually, signaling that cybersecurity risk management must reach the board level.
3. **Audit Readiness:** Immediately review current testing procedures to ensure they meet the technical rigor required to detect sophisticated, nation-state intrusion techniques, as evidenced by the Salt Typhoon attacks.