theregister.com

Blocking Chinese spies from intercepting calls? There ought to be a law

US telecoms carriers would be required to implement minimum cyber security standards and ensure their systems are not susceptible to hacks by nation-state attackers – like Salt Typhoon – under legislation proposed by senator Ron Wyden (D-OR).

The Secure American Communications Act [PDF], if signed into law, would require the Federal Communications Commission to issue binding rules for telecom systems, following what Wyden calls the FCC's "failure" to implement security standards already required by federal law.

He's referring to the CALEA of 1994 – aka the Communications Assistance for Law Enforcement Act – which required telecom providers to design their systems to comply with wiretapping requests from law enforcement.

The law also requires providers to secure their own systems against unauthorized interception – such as by Chinese spies, who we recently learned did access these systems to steal communications and other sensitive information. While the feds haven't disclosed whose calls and texts were accessed by Salt Typhoon, the victims reportedly included president-elect Donald Trump and his VP pick JD Vance, people working for current VP Kamala Harris's presidential campaign, and other high-ranking political figures.

"It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cyber security rules," Wyden asserted in a statement.

"Telecom companies and federal regulators were asleep on the job and as a result, Americans' calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security," he continued. "Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies."

Wyden's proposal gives the FCC one year to design specific security requirements in consultation with the head of the US Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence.

The legislation doesn't specify what these safety measures should include, other than that they must "prevent the interception of communications or access to call-identifying information without lawful authorization by any person or entity, including by an advanced persistent threat."

It would also require the carriers to conduct annual testing to evaluate whether these systems are working as intended. If they're not, then the carriers must fix the issues. Further, telcos would need to hire an independent auditor to conduct an annual assessment of compliance with FCC cyber security rules, and submit the results of the audits to the commission.

Outgoing FCC chair Jessica Rosenworcel has also proposed rules that would require the nation's carriers to safeguard their infrastructure against illicit access or interception of communications.

Wyden's proposal follows legislation the senator introduced earlier this year that would require the government to adopt secure communications software. He also proposed a bipartisan bill in 2023, which would have blocked the export of US citizens' personal information to unfriendly nations, making it more difficult for foreign spies to target Americans for hacking and spying. That proposal never made it out of committee. ®
