In December 2024, the White House’s Deputy National Security Adviser for Cyber and Emerging Technology confirmed that foreign actors, sponsored by the People’s Republic of China, infiltrated at least nine U.S. communications companies. The attacks, allegedly conducted by China’s state-sponsored Salt Typhoon hacking group, compromised sensitive systems and exposed vulnerabilities in critical telecommunications infrastructure.
All communications service providers across the U.S. are at risk from this threat, especially those located near a U.S. military facility. To combat this threat, it is important for communications service providers to adopt and implement cybersecurity best practices in alignment with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework 2.0 and/or the Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals.
In response to the Salt Typhoon threat, in January of this year, the FCC adopted a Declaratory Ruling and a Notice of Proposed Rulemaking to affirm and increase the cybersecurity obligations of communications service providers. The Declaratory Ruling clarifies that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) creates a legal obligation for telecommunications carriers to secure their networks against unlawful access and interception. Telecommunications carriers’ duties under section 105 of CALEA extend not only to the equipment they choose to use in their networks, but also to how they manage their networks. Such carriers must work to prevent any unauthorized interception or access into their network (and maintain records thereof). This requires basic cybersecurity hygiene practices such as:
- Implementing role-based access controls;
- Changing default passwords;
- Requiring minimum password strength; and
- Adopting multifactor authentication.
Falling short of fulfilling this statutory obligation may include failing to patch known vulnerabilities or not employing best practices that are known to be necessary in response to identified exploits.
The Notice of Proposed Rulemaking, if adopted, would require providers to adopt and implement cybersecurity and supply chain risk management plans as well as certify compliance with these plans annually to the FCC. The proposed rule would apply to a wide array of providers including facilities-based providers, broadcast stations, television stations, cable systems, AM & FM commercial radio operators, TRS providers, satellite communications providers, and all international section 214 authorization holders. Participants in the FCC’s Enhanced A-CAM Program and NTIA’s BEAD Program are already subject to this requirement.
Ultimately, more FCC regulation is coming. At the same time, cyber incidents are increasing. Communications service providers should consider creating both a cybersecurity and supply chain risk management plan as well as a cybersecurity incident response plan. Such plans should reflect industry best practices outlined in federal guidance documents as described above.
In addition, carriers should review their cybersecurity liability insurance policies to ensure they have sufficient coverage. It’s also critical to review and update vendor and partner contracts for security and supply chain risk management clauses to include provisions for incident response, liability, and retention of information.
Finally, communications service providers should also consider engaging legal counsel to assist their efforts in ensuring that they are adequately protected.
Womble Bond Dickinson has developed a cybersecurity retainer that captures the requirements and proactive procedures necessary to meet the regulations, protect your networks, and deal with the fallout of a cybersecurity breach, including insurance recovery and class action litigation from a cybersecurity data breach.