According to TheRegister.com, the Federal Communications Commission will vote this Thursday to scrap cybersecurity rules enacted in January 2025 just before President Trump returned to office. These mandates were implemented following the discovery of China’s Salt Typhoon cyberespionage campaign in late 2024, which compromised data from nearly every US resident and affected over 80 countries. The rules required telecom carriers to implement specific security controls including multi-factor authentication, role-based access controls, mandatory vulnerability patching, and default password changes. Major industry associations CTIA, NCTA, and USTelecom successfully petitioned the FCC, arguing the requirements were “prescriptive, burdensome, and uniform” and exceeded the regulator’s legal authority under the 1994 Communications Assistance for Law Enforcement Act.
Industry pushback wins
Here’s the thing about regulatory battles – they’re often won by whoever shows up with the most lawyers and persistence. The telecom industry basically argued that the FCC was trying to turn a 1994 law about lawful wiretapping into a “general cybersecurity statute” three decades later. Their petition claimed the ruling was “wholly inconsistent with CALEA’s text, structure, and purpose.” And frankly, they’re not wrong about the timing issue. Trying to retrofit thirty-year-old legislation for modern cybersecurity threats does seem like a stretch.
Security versus burden
But let’s be real – the requirements they’re fighting against are basically Cybersecurity 101 stuff. Multi-factor authentication? Changing default passwords? These aren’t exactly revolutionary asks. The industry’s argument that these rules are “onerous” feels a bit rich coming from companies that handle our most sensitive communications. Meanwhile, privacy advocates at EPIC called this reversal attempt “a ploy to create a sort of safe harbor for insecure cybersecurity practices.” Ouch.
Collaboration over mandates
The FCC’s fact sheet makes the case for a more collaborative approach, pointing to existing partnerships like the Comm-ISAC and work with NIST and CISA. They argue that voluntary standards and industry cooperation work better than “prescriptive” rules. But here’s my question: if voluntary measures were working so well, how did Salt Typhoon happen in the first place? The attack quietly compromised government agencies, telecom companies, and universities for years before being detected.
Broader implications
This reversal speaks volumes about the current administration’s regulatory philosophy. We’re seeing a clear shift from mandatory requirements to voluntary partnerships across multiple sectors. The original ruling had support from heavy hitters like then-national security advisor Jake Sullivan and CISA director Jen Easterly, who saw it as “an important step toward improving US cybersecurity.” Now those concerns are being set aside in favor of industry flexibility. Because let’s face it – voluntary standards only work when everyone volunteers.
