In a party-line vote Thursday, the Federal Communications Commission repealed Biden-era cybersecurity mandates for U.S. telecom carriers, rules explicitly crafted to thwart repeats of the devastating Chinese Salt Typhoon hacks. The 3-2 decision, led by Republican Chairman Brendan Carr, scraps requirements for network hardening that carriers decried as overly burdensome. Telecom giants like AT&T, Verizon and Lumen Technologies, hit hard by Salt Typhoon’s infiltration of wiretap systems and customer data last year, now face lighter regulatory loads amid rising nation-state threats.

The rollback, detailed in an FCC order, reverses the agency’s November 2024 directive mandating "minimum cybersecurity standards" such as locked-down customer proprietary network information (CPNI), annual certifications and breach notifications within seven days. Critics, including Democratic commissioners and senators, warn it leaves networks vulnerable. "This is a gift to our adversaries," said Sen. Maria Cantwell, the top Democrat on the Senate Commerce Committee, in a Reuters statement urging abandonment of the plan.

Salt Typhoon’s Shadow Looms Large

Salt Typhoon, tracked by Microsoft as the China-linked Salt Typhoon group, breached at least nine U.S. telecoms in 2024, accessing wiretap portals, call records and unencrypted texts of high-value government and political targets. The intrusion, part of Beijing’s broader espionage campaign, exposed metadata on millions and live traffic interception capabilities. "They owned the networks," a former National Security Council official told Bloomberg.

The FCC’s now-defunct rules stemmed from that crisis, requiring carriers to secure systems against unauthorized access and report incidents swiftly. Carriers argued the measures duplicated existing obligations under the FCC’s general CPNI rules and the Cybersecurity and Infrastructure Security Agency’s (CISA) frameworks, imposing "unnecessary" costs without boosting security. The FCC agreed, calling the prior order "unlawful" and pledging a new approach via voluntary best practices and enforcement.

Posts on X from industry watchers echoed relief. "FCC finally cuts the red tape—telcos can innovate without Big Brother mandates," one analyst posted, reflecting sentiment among carriers who lobbied heavily against the rules.

Party-Line Divide Exposes Policy Rift

Democratic Commissioners Anna Gomez and Geoffrey Starks dissented sharply. Gomez called the repeal "a dangerous step backward," per the FCC’s meeting transcript. Starks warned it "ignores the lessons of Salt Typhoon." Chairman Carr countered that the rules were "rushed and ineffective," positioning the agency for "agile" responses instead.

The vote aligns with the Trump administration’s deregulatory push. Carr, appointed interim chair post-2024 election, has spearheaded a "Delete, Delete, Delete" campaign, axing 21 obsolete rules in the same meeting. Telecom lobbying groups like USTelecom praised the move: "Overregulation stifles innovation needed to fight cyber threats," CEO Jonathan Spalter said in a statement cited by Federal News Network.

Yet security experts decry the timing. Salt Typhoon remains active; CISA reported ongoing intrusions into Southeast Asian telcos in October 2025. "Repealing these rules is like removing the locks after a burglary," TechRadar quoted a cybersecurity analyst.

Technical Deep Dive: What the Rules Did—and Didn’t

The axed mandates targeted core vulnerabilities exploited by Salt Typhoon: outdated routers, weak authentication and exposed lawful intercept systems. Carriers had to implement "traffic integrity protection" like encryption for signaling links, multi-factor authentication for admin portals and segmentation of sensitive networks. Annual CEO attestations ensured compliance, with fines up to $23,000 per violation looming.

BleepingComputer reports carriers like Verizon complied minimally, but smaller providers struggled with costs estimated at $10-50 million annually industry-wide. The FCC now eyes "tailored" guidance via its Communications Security, Reliability and Interoperability Council (CSRIC), a public-private forum.

X posts from FCC’s official account framed the repeal positively: "Improved Protection Against Cybersecurity Threats—FCC revokes prior unlawful decision for agile responsiveness." But lawmakers like Cantwell fired back on X, calling it "reckless."

Industry Implications: Costs vs. Risks

For telecoms, relief is palpable. Lumen, still remediating Salt Typhoon damage costing tens of millions, avoids ongoing audits. AT&T and Verizon, which expelled hackers by mid-2025 with FBI help, redirect resources to AI-driven defenses. "Voluntary standards work better," CTIA CEO Meredith Baker told Axios.

However, the decision amplifies reliance on CISA’s voluntary Shield framework, adopted by some carriers post-Salt Typhoon. Shield mandates patching, anomaly detection and supply chain vetting—measures Salt Typhoon evaded via zero-days in Cisco and Juniper gear. Without FCC teeth, compliance is spotty; only 40% of mid-sized carriers participate, per CISA data.

Broader market ripples: Stock prices for Verizon and AT&T ticked up 1-2% post-vote, signaling investor approval. But insurers like those covering cyber breaches may hike premiums, as Insurance Journal notes rising telecom claims.

China’s Playbook and U.S. Response Gaps

Salt Typhoon exploited telco crown jewels: SS7 signaling flaws and unpatched edge routers for metadata harvesting. Microsoft’s report linked it to China’s Ministry of State Security, with tools mirroring those in 2021 Microsoft Exchange hacks. Post-breach, the U.S. indicted 12 Chinese hackers, but attribution yielded no extraditions.

The FCC repeal shifts burden to sector-specific agencies. CISA and the FBI now lead via Joint Cyber Defense Collaborative (JCDC), sharing IOCs with carriers. Yet without mandatory reporting, gaps persist. "Telcos self-regulate poorly under pressure," a Times of India analysis warns, citing India’s similar breaches.

On X, cybersecurity pros voiced alarm: "FCC just handed Salt Typhoon a reload," one viral post read, garnering thousands of views.

Looking Ahead: Enforcement or Innovation?

Carr’s FCC promises "robust enforcement" under existing statutes like Section 222 on CPNI privacy. Recent fines, including $13 million against major carriers for prior breaches, underscore this. The agency also advances spectrum auctions and contraband cellphone jammers, balancing deregulation with security.

Industry insiders eye CSRIC 6.0 for new guidelines by mid-2026, potentially incorporating zero-trust architectures and AI threat hunting—tech Verizon deploys internally. "Regulation lagged innovation; this corrects course," a telecom exec told The Register.

Still, with Salt Typhoon evolving—now targeting 5G cores—the repeal tests U.S. resilience. As Beijing ramps espionage ahead of 2026 midterms, telecoms must self-defend or risk another breach exposing America’s digital underbelly.