Major Reversal: FCC Abolishes Salt Typhoon Rules as Questions Emerge About FCC Chairman's Claims

The Federal Communications Commission voted Thursday to eliminate cybersecurity rules for telecommunications companies, three months after Chinese government hackers were discovered reading text messages and listening to phone calls of Donald Trump, JD Vance, and potentially millions of Americans.

The 3-2 party-line vote reversed regulations implemented in January 2025 that would have required telecom companies to use multi-factor authentication, patch known vulnerabilities, change default passwords, and submit annual cybersecurity certifications. Chairman Brendan Carr called the rules "neither lawful nor effective" and said intelligence officials told him they would be "counterproductive and deter the productive collaboration that is necessary today."

However, a review of public statements and congressional records finds no evidence supporting Carr's claim of intelligence opposition. Former National Security Advisor Jake Sullivan and Former CISA Director Jen Easterly both publicly endorsed the rules when announced, calling them "a critical step to require U.S. telecoms to improve cybersecurity to meet today's nation state threats." No intelligence official has publicly corroborated Carr's account, and he has not identified which officials from which agencies allegedly opposed the measures.

The reversed regulations were a direct response to Salt Typhoon, a Chinese espionage operation that infiltrated at least nine major U.S. telecom companies starting in 2019 but went undetected until late 2024. The hackers compromised the wiretapping systems that telecom companies maintain for law enforcement, giving Chinese intelligence access to call logs, text messages, and recorded conversations for years.

"If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon," said Commissioner Anna Gomez, who dissented from Thursday's vote. When asked about Carr's claims of intelligence community opposition, Gomez told CyberScoop that "as far as I know, the only evidence I had that there was any such engagement is from [Carr's statement] saying that it happened."

The timing of events raises additional questions. The Biden administration implemented the rules on January 15, 2025, five days before Trump's inauguration. That same day, Carr issued a statement claiming that "no member of Congress, nor a single official in the intelligence world" had encouraged him to support the rules. He has not explained when these intelligence briefings allegedly occurred or why officials would bypass the FCC Chair to lobby a dissenting commissioner.

What is documented is extensive telecommunications industry opposition. In October, lawyers representing several telecom associations argued the rules would "significantly undermine" public-private partnerships, language nearly identical to Carr's stated concerns. Senator Maria Cantwell noted that Carr proposed the reversal "after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers."

The practical impact of the reversal is significant. The rules would have mandated security practices that cybersecurity experts consider fundamental baseline requirements. Former Biden administration officials said these measures would have made the Salt Typhoon operation "far riskier, harder and costlier for the Chinese." The requirements included changing default passwords that hackers exploited, implementing multi-factor authentication that could have prevented unauthorized access, and patching known vulnerabilities that remained unaddressed for years.

The Salt Typhoon breach demonstrated these gaps dramatically. Chinese intelligence operated undetected in major telecom networks from 2019 to 2024, accessing communications of government officials, political figures, and ordinary citizens. They modified backbone routers at telecommunications providers, established persistent access points throughout the infrastructure, and collected data on over a million users. AT&T's chief information security officer acknowledged that attackers succeeded where "traditional defenses are less commonly employed."

Senator Mark Warner criticized the reversal, stating that "very few, if any" of the voluntary measures Carr champions would have prevented Salt Typhoon. The hackers exploited known software flaws that had remained unpatched for years and used default credentials that were never changed, exactly the issues the reversed rules would have addressed.

The intelligence community's actual position on telecom security appears clear from their public actions. The FBI, NSA, CISA, Five Eyes allies, and agencies from Japan and European countries issued a joint cybersecurity advisory warning that Salt Typhoon was "targeting networks globally" and recommending enhanced security measures. These recommendations align with the requirements in the reversed rules, not with Carr's deregulatory approach.

Senator Cantwell has requested that Carr provide documentation supporting his claims by November 25, including "any cybersecurity assessment the FCC conducted before moving to repeal its prior ruling" and documents demonstrating the effectiveness of the FCC's voluntary collaborative approach. The Senate Commerce Committee, which has direct oversight of the FCC, has received no public response providing evidence of intelligence opposition to the rules.

The American Action Forum, a conservative think tank, acknowledged in February that while Biden's National Security Advisor endorsed the rules, "FCC Chairman Brendan Carr has indicated that members of the intelligence community have argued against the proposal." The careful phrasing "indicated" rather than confirmed reflects the absence of corroborating evidence for Carr's claims.

Meanwhile, questions persist about whether Salt Typhoon has been fully expelled from U.S. networks. While an FBI official claimed the threat had been "contained," other officials express skepticism given the group's demonstrated sophistication and the persistence of vulnerabilities in telecom infrastructure. The hackers maintained access for years without detection and could pivot through trusted connections to compromise additional networks.

The telecommunications industry maintains it has voluntarily strengthened security since the breach was discovered. Industry associations argue they have collaborated with federal agencies and adopted stronger cybersecurity measures without regulatory mandates. However, these are the same companies that failed to detect Chinese intelligence services in their networks for half a decade while using default passwords and leaving known vulnerabilities unpatched.

The FCC promises to continue working with carriers through what Carr calls an "agile and collaborative approach," though the agency provides no specifics on accountability mechanisms, measurable outcomes, or timelines for security improvements. Without enforceable standards, the commission relies entirely on the voluntary cooperation of companies whose security failures enabled one of the most significant espionage operations in U.S. history.

Senator Ron Wyden accused the administration of "waving the white flag on cybersecurity and leaving Americans unprotected against foreign spies," calling the Biden regulations "a moderate response to a five-alarm security disaster." The rules asked telecoms to implement what most security professionals consider minimum viable security practices, the digital equivalent of locking doors and changing default alarm codes.

The reversal leaves the same vulnerable infrastructure that allowed Chinese intelligence to monitor American communications for years protected only by voluntary guidelines and the good intentions of companies that couldn't detect hostile foreign intelligence services actively exploiting their networks. As debates continue about the appropriate regulatory response to Salt Typhoon, one fact remains undisputed: the telecommunications infrastructure that carries America's most sensitive communications remains vulnerable to the same attacks that succeeded before, with fewer requirements to prevent them from succeeding again.