Earlier this month, in the waning days of Jessica Rosenworcel’s tenure as Chair of the Democrat-led FCC, the FCC released a Declaratory Ruling concluding that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access and interception of communications. Effectively, the FCC determined that CALEA can serve as a hook for additional rules addressing emergent cybersecurity issues.

The Commission also adopted a Notice of Proposed Rulemaking (NPRM) that would apply cybersecurity and supply chain risk management obligations to a broader set of providers.

Commissioners Carr and Simington dissented from the Declaratory Ruling and NPRM. While Chairman Carr frequently references cybersecurity threats, particularly those stemming from state-sponsored actors in the People’s Republic of China (PRC), it is unclear whether the new GOP-led FCC will allow the Declaratory Ruling and NPRM to stand or will pursue another course of action.

Background.  Enacted in 1994, CALEA requires telecommunications carriers and manufacturers of telecommunications equipment to ensure that law enforcement agencies have necessary surveillance capabilities of telecommunications equipment, facilities, and services. Notably, under the “substantial replacement” provision of CALEA, the FCC has interpreted the term “telecommunications carrier” for purposes of CALEA to include facilities-based broadband Internet access service (BIAS) and interconnected VoIP providers. [1]

Declaratory Ruling.  Previously, the FCC found that Section 105 of CALEA requires telecommunications carriers to avoid the risk that suppliers of untrusted equipment will illegally intercept or surveil a carrier’s switching premises without its knowledge.[2] In the Declaratory Ruling, the Commission imposed an affirmative duty on “telecommunications carriers” (again, including BIAS and iVoIP providers) to secure their networks, and clarified that telecommunications carriers’ responsibilities under CALEA extend to their equipment as well as network management practices.

The FCC concluded that carriers are obligated to prevent interception of communications or access to call-identifying information by any means other than pursuant to a lawful authorization with the affirmative intervention of an officer of the carrier acting in accordance with FCC rules. In adopting the Declaratory Ruling, the Commission puts carriers on notice that all incidents of unauthorized interception of communications and access to call-identifying information amount to a violation of the carrier’s obligations under CALEA.

Within this context, the FCC concluded that Congress has authorized the Commission to adopt rules requiring telecommunications carriers to take steps to secure their networks.

Notice of Proposed Rulemaking.  In its NPRM, the FCC proposes to apply cybersecurity requirements to a broad set of service providers, including facilities-based fixed and mobile BIAS providers, cable systems, wireline video systems, wireline communications providers, satellite communications providers, commercial mobile radio providers, covered 911 and 988 service providers, and international section 214 authorization holders, among others (Covered Providers).

The Commission proposes that Covered Providers would be obligated to create and implement cybersecurity and supply chain risk management plans. The plans would identify the cyber risks the carrier faces, as well as how the carrier plans to mitigate such risks. Covered Providers would also need to describe their organization’s resources and processes to ensure confidentiality, integrity, and availability of its systems and services. The plans would require annual certification and be submitted in the Network Outage Reporting System (NORS).

[1] Telecommunications carrier includes:

A person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire; A person or entity engaged in providing commercial mobile service . . . ; A person or entity that the Commission has found is engaged in providing wire or electronic communication switching or transmission service such that the service is a replacement for a substantial portion of the local telephone exchange service and that it is in the public interest to deem such a person or entity to be a telecommunications carrier for purposes of CALEA.

47 CFR § 1.20002(e).

[2] Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation, WC Docket No. 18-89; PS Docket Nos. 19-351 and 19-352, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 11436-37, para. 35 (2019).