⚖️ FCC removes telecom cyber rules


FCC Scraps Telecom Cyber Rules in Wake of Major State-Sponsored Hacks

The Federal Communications Commission (FCC) has voted 2-1 along party lines to withdraw rules that mandated minimum cybersecurity standards for U.S. phone and internet companies, reversing a ruling adopted earlier this year by the previous administration. These rules, which invoked the Communications Assistance for Law Enforcement Act (CALEA), were a direct regulatory response to the widespread Salt Typhoon campaign, a massive, years-long operation by a China-backed hacking group. That campaign successfully infiltrated over 200 telecommunications providers, including major carriers like AT&T and Verizon, and targeted highly sensitive systems, including those used for lawful government wiretaps, to conduct broad-scale surveillance of American officials. The FCC’s Republican majority, led by Chairman Brendan Carr, argued the scrapped rules were "unlawful and ineffective," preferring instead to rely on voluntary cooperation and coordinated efforts with the private sector to strengthen networks. This decision has sparked sharp criticism from senior lawmakers and the dissenting Democratic commissioner, Anna Gomez, who warned that "Handshake agreements without teeth will not stop state-sponsored hackers."

The New Reality of Systemic Risk

The removal of mandatory cybersecurity minimums for major telecom carriers presents a significant and often invisible systemic risk that startup founders must proactively manage. Your company's sensitive data—from customer personally identifiable information (PII) to intellectual property (IP)—is only as secure as the infrastructure it travels over. The Salt Typhoon breaches demonstrated that even the core network backbone is vulnerable to sophisticated state-level actors. For founders, the insight here is that supply chain security is now an exponential problem, not a linear one. A failure by a major carrier to patch a known vulnerability—a failure the FCC just made less accountable—could result in an exposure that affects your entire user base. This is a critical reminder that you cannot outsource your security diligence. Treat the underlying network infrastructure as a potentially compromised environment and focus on robust end-to-end encryption and zero-trust architectures to maintain a secure posture independent of your ISP’s regulatory compliance level.
