In January 2025, the FCC enforced Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) to protect against a major Chinese attack at the hands of a group called Salt Typhoon. At the time, the hackers breached several telecommunications companies — at least eight — including AT&T, Verizon, and T-Mobile. The FCC move was meant to encourage telecom companies to focus on and invest in security improvements and would allow the regulator to levy fines or pursue criminal charges when the aforementioned companies failed to do as advised. However, it now appears the FCC has rescinded that ruling, saying it was originally structured based on flawed reasoning and was both unlawful and ineffective.
In the FCC’s November Open Commission Meeting, FCC Chair Brendan Carr said that the agency “worked directly with carriers who’ve agreed to make extensive, coordinated efforts to harden their networks against a range of cyberintrusions.” He explicitly recalled some of those improvements, such as accelerated security patching, reviewing access controls, disabling unnecessary outbound connections, improving threat hunting efforts, and enhancing cybersecurity for information sharing processes. Carr also made clear he voted against the January ruling to begin with, which went into effect before his assignment. He explains the law only allows for lawful wiretaps or monitoring within restricted segments of networks, rather than honoring more broad protections.
This could be bad news for U.S. wireless carrier customers as the companies are no longer obligated to continue improving security for their networks. Let’s not forget that T-Mobile knew about SIM swapping threats for years and still didn’t improve security measures. The FCC also fined the major carriers back in 2024 for illegally sharing access to customers’ location data. There is a precedent and a clear pattern of security-related negligence.
Why wireless customers should be worried
Whether the improvements have been made to infrastructure or not, one thing is clear: U.S. carriers and wireless networks remain vulnerable. There is still evidence of hacking campaigns linked to Salt Typhoon today. While hiding within the core infrastructure everyone uses, mainly wireless network access points, Salt Typhoon gathered account credentials, sensitive records, and wireless metadata for months, collecting hard-to-detect batches of personal data over the airwaves. That damage is already done and your data may be compromised, but there’s no reason not to protect yourself going forward. Moreover, if it happened once, it could happen again.
Some proponents of CALEA, such as Commissioner Anna Gomez, believe the previous FCC ruling was one of the “only meaningful regulatory responses” to the Salt Typhoon attack and threats like it. Rescinding these rules essentially allows wireless carriers to operate with impunity even with cybersecurity lapses, many of which still exist. By holding them accountable, it was more likely these companies would invest in better cybersecurity measures. Gomez also makes it clear the Typhoon attack was not a singular event. “These attempts are ongoing and so the need for a forceful response has not diminished.”
There are measures you can take to protect yourself and your family, from using a virtual private network (VPN) to remain anonymous to avoiding massive login and account breaches with a secure password manager. No, that won’t necessarily protect you completely from a network-wide attack like Salt Typhoon, but you can read up on data encryption and how to enable it or use encrypted apps on your phone.
