The Federal Communications Commission has adopted a declaratory ruling requiring telecommunications providers to secure their networks against cybersecurity threats.
The ruling, for which the FCC currently seeks public comment, will also require wireless carriers to submit annual certification to the commission, proving that they have a cybersecurity risk management plan in place.
“There is a pressing national security and public safety need to take additional measures to safeguard our nation’s communications systems from real and present cybersecurity threats. The federal government must be able to maintain communication capabilities to fulfill its most critical and time-sensitive missions under any circumstances,” the FCC says.
The declaratory ruling was adopted in response to the recent Chinese hacking of at least nine wireless carriers in the US. The attacks have been attributed to a Chinese-state sponsored threat actor named Salt Typhoon.
According to the commission, successful cyberattacks on telecom providers could have damaging effects on other critical infrastructure, as each sector depends on communications to support its operations.
The ruling finds that section 105 of the Communications Assistance for Law Enforcement Act (CALEA), which was enacted in 1994, affirmatively requires telecommunications carriers, which include broadband internet providers and VoIP providers, “to secure their networks from unlawful access to or interception of communication”, the FCC announced.
Previously, the FCC ruled that, under section 105 of CALEA, telecom carriers were required to prevent suppliers of untrusted equipment from illegally activating interceptions without the carriers’ knowledge, and the new ruling extends those duties to how carriers manage their networks.
“We reiterate the Commission’s previous conclusion that section 105 of CALEA affirmatively obligates carriers to take action to prevent all unauthorized interception and access to call-identifying information within their networks, whether by law enforcement or by other parties,” the FCC notes in a notice of rulemaking (PDF).
The notice also proposes cybersecurity and supply chain risk management requirements that will be applied to several types of service providers, including radio broadcasting stations, television stations, cable systems, satellite and wireline communications providers, MVNOs, VoIP providers, covered 911 and 988 service providers, and other entities.
All covered entities will be required to establish and implement cybersecurity and supply chain risk management plans tailored to their needs and aligned to NIST standards, and to ensure the confidentiality, integrity, and availability of their systems and services, while their executive leaders will be required to endorse those plans, the FCC says.
The commission is seeking comment on these and other requirements, on whether the covered entities should routinely assess their implementation of the plans, on whether they should submit an annual certification attesting the adoption and implementation of these plans, and on whether they should make these plans available to the commission upon request.
The FCC says that the declaratory ruling takes effect immediately, while the comment period will end 30 days after the ruling and notice are published in the Federal Register.
Related: Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network
Related: Cambodia Delays Controversial Internet Gateway
Related: UK Telecom Companies Face Big Fines Under New Security Law
Related: Senators: CIA Has Secret Program That Collects American Data
