Communications Daily is a Warren News publication.
Traditional Divide

Carr Says FCC Overstepped in Addressing Salt Typhoon Attacks

FCC Commissioner Brendan Carr slammed the FCC’s forthcoming enforcement action in response to the Salt Typhoon cyberattacks, which China's Ministry of State Security allegedly perpetrated. Industry officials note that the disagreement between Carr, who takes the FCC's helm next week, and departing Chairwoman Jessica Rosenworcel points in part to a long-standing divide between FCC Republicans and Democrats about the agency's role in cybersecurity.

Carr said late Thursday he decided to issue a statement because “the agency’s current leadership has stated that they are going to break from Commission precedent and not follow the FCC’s normal procedures for processing dissenting statements in this case.” The FCC didn't comment Thursday.

The FCC released the declaratory ruling and an NPRM late in the day on Thursday. The order concludes that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.” The NPRM seeks comment “on ways to strengthen the cybersecurity posture of our nation’s communications systems and services.”

“Just five days before we complete the transition to a new Administration -- when the interests of bipartisan collaboration on matters of national security should be paramount for everyone in government -- the Biden FCC decided to force a vote on a partisan, uncoordinated, and counterproductive approach to the Salt Typhoon cybersecurity threats,” Carr said. In the last years of President Joe Biden's administration, “adversaries linked” to the Chinese Communist Party “have apparently carried out the worst cyber intrusion in our nation’s history.”

No member of Congress, nor a single official in the intelligence world, “has encouraged me to vote in favor of this FCC action,” Carr said: “In fact, I was told that this type of FCC regulatory action at this moment would be counterproductive and deter the productive collaboration that is necessary today.” Instead of acting to fix the problem, the agency is handing down an order that goes beyond its statutory authority to issue, he said.

FCC Republicans have long questioned the agency's authority over cybersecurity issues. Early in his term as chair during President-elect Donald Trump's first administration, Republican Ajit Pai rescinded two cybersecurity items issued under his predecessor, Chairman Tom Wheeler: a white paper on communications sector cybersecurity regulation and a notice of inquiry on cybersecurity for 5G devices (see 1702060059). Pai rechartered the FCC’s Communications Security, Reliability and Interoperability Council, though with less focus on cybersecurity (see 1704100059).

Former FCC acting Chairman Michael Copps told us he has long believed the agency “should be more involved in dealing with the serious telecommunications cybersecurity challenges confronting” the U.S. It “has the knowledge and expertise to contribute meaningfully” to U.S. work on cyberthreats and the FCC’s “governing telecom statute clearly provides the FCC with authority to concern itself with national defense,” he said. “Why the incoming leadership wants to throw a wrench into this is, to say the least, puzzling.”

Former Commissioner Mike O’Rielly referred us to his statement on X, which calls the FCC action “malarkey.” The FCC is “grasping [at] imaginary authority to impose burdens and false solutions that will raise company and consumer costs but won't stop cyber-anything,” O’Rielly said.

Carr’s objections center on how the FCC majority interprets CALEA. The agency majority “reads CALEA as also imposing an affirmative obligation on a covered provider to take certain undefined cybersecurity actions across every portion of the network -- meaning, both within and outside the switching premises,” he said: “But the FCC” and the courts “have already determined that CALEA’s ‘switching premises’ language is key to the statute’s operation.”

The divergence of views isn’t surprising, said Summit Ridge President Armand Musey. “Democrats frequently lean toward taking a more proactive regulatory approach, whereas Republicans are often more cautious about the limits of government agency authority,” Musey emailed. He added, “Republicans have been particularly concerned about government intrusion on individual privacy, the heart of CALEA.” The timing is “interesting,” he said: “Rosenworcel seems eager to knock out some final accomplishments before the end of her term, while Carr probably doesn't want his hands tied by additional late decisions.”

Despite “pens down” letters from Congress, “there are always a few last minute items that the outgoing chair pushes out to the complaints of the incoming,” emailed Harold Feld, Public Knowledge senior vice president. Feld said the complaints are unlikely to impact Carr’s relationships with the two remaining FCC Democrats, Geoffrey Starks and Anna Gomez. “Pai released the 2021 Broadband Report claiming to have closed the digital divide on Jan. 19 [2021] -- almost literally as he was walking out the door. I can see Carr being annoyed … but this isn't unusual.”

“The FCC is neither the exclusive nor primary expert on cybersecurity policy,” emailed Seth Cooper, Free State Foundation director-communications policy studies. The 6th U.S. Circuit Court of Appeals (see 2501020047) decision vacating the FCC’s April net neutrality order shows the limits of FCC authority, he said.