I've spent 20 years in the CISO, CIO, and CTO chair. I've seen regulatory overreach. I've complained about compliance burdens that added cost without adding security. I understand the argument against government mandates.
This isn't that.
This week, the FCC voted 2-1 to eliminate cybersecurity requirements for telecommunications carriers. Those requirements had been put in place in January 2025 specifically because Chinese state-sponsored hackers had spent years living inside our nation's communications infrastructure through a campaign called Salt Typhoon.
Let me say that again. We caught nation-state hackers inside the systems that carry our phone calls, our text messages, and our government's wiretap operations. We implemented baseline security requirements. And then we removed them because the companies that got hacked found compliance "burdensome."
As a security professional, this is infuriating. As an American, it's terrifying.
What actually happened
Salt Typhoon wasn't a smash-and-grab operation. It was a long-term espionage campaign by Chinese government-backed hackers that compromised at least nine major US telecommunications companies, including AT&T, Verizon, Lumen Technologies, T-Mobile, Charter Communications, Consolidated Communications, and Windstream.
The hackers accessed core systems that the federal government uses for court-authorized wiretapping. They intercepted communications from senior government officials. They had broad access to call records and metadata affecting millions of Americans.
This wasn't theoretical. This was real. This happened. And as of October 2025, CISA reported that Salt Typhoon activity is still ongoing in telecom networks.
In response, in January 2025 the FCC issued a declaratory ruling under the Communications Assistance for Law Enforcement Act (CALEA), reading the statute's systems-security provision as a legal obligation on carriers to secure their networks against unlawful access, and opened a rulemaking to put specifics behind it. The obligations were straightforward. Create and implement a cybersecurity risk management plan. Submit annual certifications attesting that the plan exists and is being followed. Treat network security as a legal obligation, not a best effort.
That's it. That's what was "too burdensome" for companies making billions of dollars operating critical national infrastructure.
The argument that doesn't hold water
FCC Chairman Brendan Carr called the previous requirements "neither lawful nor effective" and claimed they weren't "consistent with the agile and collaborative approach to cybersecurity that has proven successful."
Proven successful? Where exactly?
Chinese hackers lived in these networks for years under the "voluntary" approach. The "agile collaboration" didn't detect them. Industry self-policing didn't prevent the largest telecommunications breach in American history.
Commissioner Anna Gomez, the lone dissenting vote, put it plainly. "If voluntary cooperation were enough, we would not be sitting here today in the wake of Salt Typhoon. Partnership and collaboration that carry no enforceable accountability are insufficient by design."
Senator Maria Cantwell was even more direct, noting that the rollback came "after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers."
Read that again. The companies that failed to prevent the breach successfully lobbied to remove the requirements designed to prevent the next one.
Why self-regulation fails here
I've been on both sides of the compliance argument. I've fought against checkbox security that adds cost without adding protection. I've argued for risk-based approaches over prescriptive mandates.
But telecommunications infrastructure is different. And the economic incentives explain why voluntary compliance will never be enough.
When a telco gets breached, who bears the cost? Not the shareholders. The stock price might dip temporarily, but telecommunications is effectively an oligopoly. Customers can't easily switch. The breach affects national security, citizen privacy, and government operations, but none of those externalities show up on the quarterly earnings call.
When the downside of failure is absorbed by the public and the upside of cutting corners goes to the company, voluntary compliance is a fantasy. Every competent economist knows this. Every experienced security professional has lived it.
The free market argument works when consumers can make informed choices and companies bear the consequences of their failures. Neither condition exists in telecommunications security.
What this actually signals
To China, Russia, Iran, and every other nation-state adversary with offensive cyber capabilities, the message is clear. If you breach enough American companies, those companies will lobby their way out of accountability.
To security teams inside telecommunications companies, the message is equally clear. The pressure to invest in security just dropped. The budget you were fighting for just got harder to justify. The executive who was reluctantly supporting your program just got permission to deprioritize it.
To the American public, who depend on these networks for everything from personal communication to emergency services to financial transactions: your security is not a legal obligation. It's a business decision. And when security costs money and breaches cost nothing, business decisions trend in predictable directions.
What happens now
The FCC says it will rely on "voluntary commitments" from carriers and "collaborative engagement" with industry. Chairman Carr points to ongoing efforts like accelerated patching, access control reviews, and threat hunting improvements.
Those are all good things. They're also things that companies should have been doing before Salt Typhoon. They're things that clearly weren't being done at adequate scale, given that Chinese hackers had years of access.
The difference between "we promise to do better" and "we must prove we're doing better" is accountability. Without mandatory reporting, without annual certifications, without the threat of enforcement, these commitments have the same binding force as a New Year's resolution.
Some industry observers suggest we wait for CSRIC 6.0 guidelines in mid-2026, which might incorporate zero-trust architectures and AI-driven threat detection. Might. In mid-2026. A year and a half after the only concrete federal requirements we had were put in place, and more than half a year after they were removed, with nothing binding in between.
The pattern I've seen before
In 20 years of security leadership, I've watched this cycle repeat across industries. A major breach exposes systemic failures. Regulators propose requirements. Industry lobbies against them as too burdensome. Requirements get weakened or removed. Another breach happens. Repeat.
The difference this time is the scale of the failure and the criticality of the infrastructure. This isn't a retailer losing credit card numbers. This is nation-state adversaries inside the systems that carry America's communications, including law enforcement wiretaps.
If we can't require basic security hygiene for telecommunications companies after the largest telecom breach in history, when exactly would such requirements be justified?
What I'm asking you to do
If you're a security leader: document everything. Build your case for investment anyway. When the next breach happens, and it will, someone's going to ask what we knew and when we knew it. Make sure your organization's leadership understood the risks.
If you're in telecommunications security: I'm sorry. Your job just got harder. The executive support you needed just evaporated. Keep fighting anyway.
If you're a policymaker: this decision will age poorly. The House just passed a bill requiring an interagency response to Salt Typhoon. Push for legislation that puts security requirements where regulatory interpretation can't remove them.
If you're an American citizen: contact your representatives. This isn't a partisan issue. Chinese hackers intercepted communications from officials across the political spectrum. The only beneficiaries of this rollback are telecommunications shareholders and foreign intelligence services.
I'm not usually one for doom and gloom. Security is about managing risk, not eliminating it. We accept tradeoffs every day.
But this isn't a tradeoff. This is removing proven-necessary safeguards because the companies that failed to prevent the breach found compliance inconvenient. This is regulatory capture in its purest form.
After 20 years, I thought I was too cynical to be surprised. I was wrong.
This is the kind of decision that makes the job harder for every security professional and America less safe for every citizen.