The FCC reports...

Following recent reports involving an intrusion by foreign actors into U.S. communications networks, FCC Chairwoman Jessica Rosenworcel proposed urgent action to safeguard the nation’s communications systems from real and present cybersecurity threats, including from state-sponsored cyber actors from the People’s Republic of China.  The Chairwoman announced today that the Federal Communications Commission will act to ensure telecommunication companies are required to secure their networks.

“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Chairwoman Jessica Rosenworcel.   “As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses.  While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”

Chairwoman Rosenworcel has shared with her fellow commissioners a draft Declaratory Ruling finding that section 105 of Communications Assistance for Law Enforcement Act (“CALEA”) affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.  That action is accompanied by a proposal that would require communications service providers to submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks.

If adopted, the Declaratory Ruling would take effect immediately.  In addition, the draft Notice of Proposed Rulemaking would seek comment on cybersecurity risk management requirements for a wide range of communications providers.  The proposal would also seek comment on additional ways to strengthen the cybersecurity posture of communications systems and services.

Last month, the Commission proposed cybersecurity risk management plan requirements for submarine cable landing applicants and licensees.  In addition, the Commission previously proposed that participants in the Emergency Alert System and Wireless Emergency Alerts maintain cybersecurity risk management plans.