FCC Reverses Stance on Telecom Cybersecurity Mandates, Sparking Security Concerns for AT&T, T-Mobile, and Verizon Customers
Kylo B
11/25/2025
In a 2-1 vote on November 20, 2025, the Federal Communications Commission (FCC) rescinded a January 2025 ruling that had imposed legal obligations on major telecommunications carriers to secure their entire networks against unauthorized access and interception. The decision, which affects providers like AT&T, T-Mobile, and Verizon, removes a key layer of federal oversight implemented in response to the China-linked Salt Typhoon hacking campaign. While FCC Chairman Brendan Carr hailed the move as a correction of "flawed legal analysis" that would foster more flexible industry-led security, Democratic Commissioner Anna M. Gomez and lawmakers decried it as a risky rollback amid ongoing threats from state-sponsored hackers. The change has left consumers and experts questioning the robustness of protections for their personal data and communications.
The Original Ruling: A Response to Salt Typhoon Breaches
The January 2025 declaratory ruling stemmed from the Communications Assistance for Law Enforcement Act (CALEA), a 1994 law originally designed to ensure carriers could facilitate lawful wiretaps. Under the Biden-era FCC, it was interpreted to require telecom providers to treat cybersecurity as a statutory duty, extending protections beyond wiretap systems to the full network infrastructure. This included annual certifications of risk management plans and measures to prevent "unlawful access or interception of communications."
The impetus was the Salt Typhoon operation, a multi-year espionage campaign attributed to Chinese hackers that infiltrated over 200 U.S. telecom networks, including AT&T, Verizon, T-Mobile, Lumen Technologies, and others. Disclosed in October 2024, the breaches allowed hackers to access court-authorized wiretap data and potentially eavesdrop on high-profile targets, prompting U.S. officials to advise encrypted app use for sensitive communications. The ruling aimed to close vulnerabilities in routers, VPNs, and perimeter devices exploited in the attacks.
A companion Notice of Proposed Rulemaking (NPRM) sought to codify specific practices, such as regular audits and threat information sharing. Carriers welcomed the intent but lobbied against the mandates, arguing they were overly broad and redundant with voluntary efforts coordinated by the Cybersecurity and Infrastructure Security Agency (CISA).
The Reversal: Deregulation or Reckless Retreat?
The FCC's new order, led by Trump appointees Carr and Commissioner Olivia Trusty, revokes both the declaratory ruling and the NPRM, asserting the prior interpretation exceeded CALEA's scope by imposing "inflexible and ambiguous" requirements on non-wiretap network segments. Carr emphasized that, since Salt Typhoon, carriers have implemented "additional cybersecurity controls," including access reviews, tool deployments, and enhanced CISA collaboration, rendering federal mandates unnecessary and potentially counterproductive.
Industry groups like CTIA, NCTA, and USTelecom praised the decision, calling the old rules "prescriptive and counterproductive" and saying they could stifle innovation. The FCC highlighted alternative measures, such as a new council on national security and targeted rules for submarine cables requiring risk plans for licensing.
Commissioner Gomez dissented sharply, labeling the rollback a "hope and a dream" that leaves Americans "less protected" against persistent threats like Salt Typhoon, which she described as part of a "broader campaign" by state actors. She argued that voluntary measures lack enforcement "teeth" to deter sophisticated adversaries.
Stakeholder Reactions: Alarm from Lawmakers, Relief from Carriers
The decision drew immediate bipartisan criticism from Congress. Sen. Maria Cantwell (D-Wash.), in a letter to Carr dated November 22, expressed "deep concern" that the reversal signals "weakness on national security," noting carriers like Verizon and AT&T had failed to fully document remediation efforts post-Salt Typhoon. Sen. Gary Peters (D-Mich.), ranking member of the Senate Homeland Security Committee, called it "disturbing," warning it exposes the public to undue risk.
Cybersecurity advocates echoed these worries. Evette Gomez of the Public Interest Network urged retention of the rules, stating "handshake agreements" won't halt infiltrations. Consumer groups like the Benton Institute for Broadband & Society highlighted potential vulnerabilities for everyday users, whose call records and metadata could be intercepted without mandated safeguards.
Carriers and their lobbies, however, welcomed the flexibility, committing to ongoing voluntary enhancements like information sharing and asset hardening. AT&T, T-Mobile, and Verizon have not issued public statements, but industry filings indicate they view the change as aligning with their proactive postures.
| Aspect | Original Ruling (Jan 2025) | Current Status (Nov 2025) |
| --- | --- | --- |
| Legal Obligation | Carriers must secure full networks under CALEA | Rescinded; no broad mandate |
| Requirements | Annual certifications, risk plans, threat prevention | Voluntary; targeted rules (e.g., cables) |
| Response to Salt Typhoon | Direct countermeasures for breaches | Relies on industry-CISA collaboration |
| Criticisms | Seen as vague/burdensome by carriers | Viewed as insufficient by lawmakers/experts |
Implications for Consumers and National Security
For the 300 million-plus customers of AT&T, T-Mobile, Verizon, and other providers, the rollback shifts reliance from enforceable standards to self-regulation, potentially heightening risks of data breaches or surveillance. Salt Typhoon's legacy—compromised wiretap systems and possible intercepts of officials' communications—remains unresolved, with U.S. agencies still hunting remnants.
The FCC insists its approach promotes "continuous adaptation" over static compliance, but skeptics warn it could invite exploitation by actors like China, Russia, or cybercriminals. As one analyst noted, "In telecom, where one breach can expose millions, voluntary isn't always voluntary enough."
With potential congressional oversight hearings in 2026 and ongoing CISA collaborations, the decision's long-term effects hinge on industry follow-through. For now, it underscores the delicate balance between regulation and innovation in safeguarding America's digital lifelines.


