# Full Report
It would go beyond the FCC’s own proposal to regulate telecommunications carriers under federal wiretapping law.
Source: "Wyden legislation would mandate FCC cybersecurity rules for telecoms", CyberScoop.
# Analysis Summary
# Regulation/Compliance: Mandatory FCC Cybersecurity Rules for Telecoms (Wyden Proposed Legislation)
## Overview
This summary outlines proposed legislation introduced by Senator Ron Wyden (D-Ore.) that would mandate the Federal Communications Commission (FCC) to establish and enforce cybersecurity regulations for telecommunications carriers. This legislation is a direct response to sophisticated espionage campaigns, such as the one attributed to Salt Typhoon (a Chinese government-connected group), demonstrating significant vulnerabilities in U.S. telecom networks. The proposed rules aim to go beyond the FCC's existing proposals by enforcing security under the federal wiretapping law, CALEA.
## Key Details
- Issuing Authority: U.S. Senate (Proposed Legislation by Sen. Ron Wyden, D-Ore.), with FCC tasked for implementation, in consultation with CISA and ODNI.
- Effective Date: The legislation mandates the FCC to regulate cybersecurity under CALEA **within one year** of the bill's enactment.
- Jurisdiction: United States telecommunications carriers.
- Status: Proposed Legislation.
## Requirements
### Mandatory Requirements
1. **Mandated FCC Regulation:** The FCC must regulate telecommunications cybersecurity under the **Communications Assistance for Law Enforcement Act (CALEA) of 1994** within one year.
2. **Consultation:** Rulemaking must be conducted in consultation with the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI).
3. **Annual Testing:** Telecommunications companies must conduct annual testing of their systems to verify they are **"not susceptible to the interception of communications or access to call-identifying information without lawful authorization by any person or entity, including by an advanced persistent threat [APT]."**
4. **Independent Audits:** Companies must contract with independent auditors to assess compliance with the new FCC cybersecurity rules.
### Recommended Practices
*Note: Because this is proposed legislation focused on mandatory requirements, it does not spell out recommended practices beyond the required annual testing and independent auditing mechanisms.*
## Affected Organizations
- Industries: Telecommunications carriers (phone companies).
- Organization Size: Not specified, but implied to cover all entities governed under CALEA.
- Geographic Scope: United States.
## Compliance Timeline
- Timeline Requirement: The FCC must regulate telecommunications cybersecurity under CALEA **within one year** of the legislation taking effect.
- **Final deadline**: Full compliance (including system hardening, annual testing implementation, and independent audits) would depend on the final rule promulgation timeline following passage.
## Implementation Guidance
### Assessment Phase
- **Vulnerability Assessment:** Organizations must assess their current systems to determine susceptibility to unauthorized interception of communications or call-identifying information, specifically focusing on APT-level threats.
### Implementation Phase
- Implement cybersecurity controls necessary to meet the standards established by the FCC under CALEA.
- Establish contracts with independent auditors for compliance verification.
- Develop a recurring annual testing schedule according to legislative mandates.
### Validation Phase
- Utilize **independent auditors** to rigorously assess compliance status against FCC rules.
- Annually test systems against potential interception by sophisticated state-sponsored actors (APTs).
## Technical Requirements
The core technical mandate requires systems to be hardened against:
1. Interception of communications.
2. Unauthorized access to call-identifying information.
Specific technical standards will be defined by the FCC rule-making process stemming from this legislation, incorporating input from CISA and ODNI.
## Penalties & Enforcement
The article **does not specify** the exact fines or penalty structure associated with this proposed legislation. Enforcement action would rely on the FCC utilizing its authority under the framework of CALEA.
- Fines: Not specified in the excerpt.
- Other Consequences: Failure to comply would place the organization in violation of its CALEA-related obligations, potentially leading to regulatory action. (For context, the legislation was prompted by the national security risks exposed by the Salt Typhoon espionage campaign.)
- Enforcement: Enforcement would be managed by the FCC.
## Related Standards
- **Communications Assistance for Law Enforcement Act (CALEA) (1994):** This forms the legal foundation under which the FCC is mandated to impose cybersecurity controls.
- **CISA and ODNI guidance:** The FCC must consult these agencies, implying alignment with federal cybersecurity best practices relevant to national security infrastructure.
## Resources
- Official Documentation: Wyden draft legislation (search for the "Secure American Communications Act" draft legislation from Senator Wyden's office).
- Guidance Documents: FCC's existing cybersecurity proposals (mentioned as less stringent than the proposed mandate).
- Tools: Independent auditors specializing in telecommunications security compliance.
## Practical Recommendations
1. **Monitor Legislative Status:** Track the progress of Senator Wyden's proposed bill closely.
2. **Preemptive CALEA Review:** Begin a technical review of current telecommunications infrastructure to identify vulnerabilities that could allow unauthorized interception or access to call records, per the anticipated testing criteria.
3. **Audit Readiness:** Start researching and vetting independent auditors experienced in CALEA compliance and APT threat modeling.
4. **Inter-Agency Coordination:** Prepare channels for coordination with CISA and ODNI perspectives, anticipating their influence on the final FCC rules.