Around a year after the infamous and unprecedented Salt Typhoon espionage campaign hit more than eight telecom companies, the communications infrastructure sector still has a ways to go in addressing future threats from nation state actors.

However, government and private sector officials are still determining how, exactly, communications infrastructure companies can best prevent and defend against these threats. This was put on full display during a recent hearing this week by the Senate Committee on Commerce, Science, and Transportation’s Subcommittee on Telecommunications and Media.

“As a nation, the stark reality is we are not currently positioned to provide for a comprehensive defense of our nation—nor the very communications systems or networks that American companies help operate—and we do not appear prepared to undertake the actions needed to do so,” said Jamil Jaffer, founder and executive director of the National Security Institute and NSI Cyber and Tech Center, during the hearing on Tuesday.

The Typhoon Firestorm A Year Ago

It’s easy for major security events to get lost in the constant drone of breaches, ransomware attacks, and other incidents that happen daily - but last year’s public revelations about the breaches by Salt Typhoon across several telecom companies had a very profound impact across the U.S. government.

Major telecom firms like AT&T, Verizon, and T-Mobile were wrapped up in the campaign, and government officials said actors were likely able to access U.S. government employee communications - though classified communications were apparently not compromised. The hack was widespread enough that FBI officials reportedly told Americans to use encrypted messaging apps for calls and texting.

At the time, the hack brought telecom security measures under scrutiny, with officials like Sen. Ron Wyden stressing that telecom companies need to be accountable for “their lax cybersecurity and their failure to secure their own systems.”

FCC’s Security Rules For Telecoms: Moving Forward, Then Back

One of the more potentially impactful government reactions to the breach came in January 2025, when the FCC issued a new ruling under the Biden administration that would require telecom companies to implement security measures under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA).

However, in late November, the FCC under the Trump administration reversed this ruling, calling it “unlawful and ineffective” in a statement: “Today’s action follows months-long engagement with communications service providers where they have demonstrated a strengthened cybersecurity posture following Salt Typhoon,” according to the FCC’s statement. The statement didn’t go into detailed specifics on where exactly those security improvements were happening.

During Tuesday’s hearing, Robert Mayer, the senior vice president of cybersecurity and innovation with USTelecom-The Broadband Association, called the regulation “a prescriptive, static, bureaucratic approach to a problem,” saying “it doesn’t solve the environment we’re in today.” 

“Our members meet—and very often exceed—cybersecurity requirements as conditions for authorization to provide services, bid on government contracts, and participate in government programs, as well as to ensure customer trust in the competitive global marketplace,” argued Mayer.

Still, critics of the FCC reversal worry that there won’t be any accountability for communications companies when it comes to implementing even basic security measures. During Tuesday’s heading, Debra Jordan, former chief of the Public Safety and Homeland Security Bureau, said she has not seen any rules proposed by the FCC in place of the old ones.

“I have seen that… Industry has committed or said that they’ll take extensive steps, but… there’s no assurances,” said Jordan. “We don’t know what those extensive steps are. Communications networks are large, complex, and they require significant measures to be taken to secure them. So without some sort of accountability regime, we don’t really know what they’re doing, how effective it is, or how widespread those measures will be.”

What’s Next?

Despite differences of opinion over the effectiveness of enforcing security measures in the telecom space, there’s one thing everyone can agree on: the industry is under increasing pressure by threat actors, and the impact across the government and on everyday Americans is very real.

Private and public sector officials alike proposed various differing measures to improve communications infrastructure security during Tuesday’s hearing, from the need for an incentive-based model to a “cultural shift.” For Jordan, tools like the NIST Cybersecurity Framework can provide a good standard for all telecom providers, but there is also a need to make sure that communications infrastructure is upgraded.

“And lastly, verification must be part of trust,” said Jordan. “I agree that it’s critical for industry to own the implementation of cyber risk management and that collaboration among government and industry stakeholders is key. But trust without verify is an incomplete solution. We must establish a verification regime to ensure the security of our nation’s communications infrastructure from the largest to the smallest providers.”

The need for continued public-private collaboration – including information sharing – was also top of mind for several officials who sounded off during the hearing.

“Information sharing benefits should be secure, confidential, and free from fear of liability or regulatory consequences,” said Daniel Gizinski, president of Satellite and Space Segment at Comtech Telecommunications. “This principle is essential to building trust and strengthening the entire ecosystem. Ensuring that this collaboration includes both industry and government perspectives is critical in an era where sophisticated attacks are common.”

  • Recent Posts

  • Recent Comments

    No comments to show.