“I am concerned that your move to drop cybersecurity requirements on carriers is part of a pattern of weakness on national security issues.” 

WASHINGTON, D.C. – U.S. Senator Maria Cantwell (D-Wash.), Ranking Member of the Senate Committee on Commerce, Science and Transportation, today wrote to Federal Communications Commission (FCC) Chairman Brendan Carr strongly opposing an effort by the FCC’s Republican majority to roll back rules put in place after last year’s China-sponsored Salt Typhoon hack to better protect U.S. data networks from future attacks.   

“With these highly sophisticated foreign threat actors, our efforts should be focused on further enhancing the cybersecurity of our critical infrastructure networks, not rolling back existing protections.” wrote Sen. Cantwell.

Salt Typhoon deeply penetrated major U.S. telecommunications networks, including AT&T and Verizon, but in December 2024, both companies claimed that their networks were secure. In June, Sen. Cantwell wrote to the CEOs of AT&T and Verizon demanding documentation proving remediation of ongoing vulnerabilities in their networks but both companies have failed to provide any information. Experts agree that the attack has not been fully remediated from telecommunications networks, and Carr’s draft ruling concedes that vulnerabilities “are still being exploited.” 

“In January 2025 and in response to Salt Typhoon, the Federal Communications Commission ruled that the Communications Assistance for Law Enforcement Act (CALEA) ‘affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications,’ the Senator explained. “This simply brought the agency’s interpretation of the statute in line with current network realities.This step was one of the first updates to the FCC’s implementation of CALEA in decades and a commonsense acknowledgement that providers are responsible for protecting public safety against cybersecurity threats.”

“You have now proposed to reverse this requirement after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers. Your proposal to rescind this ruling would undermine the FCC’s ability to hold carriers accountable for protecting our nation’s critical communications infrastructure,” continued Sen. Cantwell. “I am concerned that your move to drop cybersecurity requirements on carriers is part of a pattern of weakness on national security issues.”

“I strongly encourage that you reverse course, withdraw the draft ruling, and maintain the FCC’s ruling that the telecommunications companies are required by the law to secure their networks from unlawful access or interception of communications,” she concluded.

The full text of the letter to Chairman Carr is below and HERE.

November 18, 2025

Dear Chairman Carr:

I write in strong opposition to your effort to roll back the Federal Communications Commission’s (FCC) ruling to secure telecommunications networks specifically put into place after last year’s Chinese-state sponsored Salt Typhoon incursion—one of the worst cyberattacks in history.  With these highly sophisticated foreign threat actors, our efforts should be focused on further enhancing the cybersecurity of our critical infrastructure networks, not rolling back existing protections.

U.S. officials have said that Salt Typhoon allowed the Chinese government to “geolocate millions of individuals,” “record phone calls at will,” and included almost every American.  Their specific targets included then-candidates President Trump and Vice President J.D. Vance.  This year, the FBI confirmed that the hackers accessed and copied select information on wiretap systems used by U.S. law enforcement.  Experts agree that the attack has not been fully remediated from telecommunications networks, and your own draft ruling concedes that vulnerabilities “are still being exploited.” 

On June 12, 2025, I wrote to the CEOs of Verizon and AT&T demanding that they provide documentation of remediating the Salt Typhoon exploits that deeply penetrated their networks, but they have failed to do so.  Since then, U.S. law enforcement and intelligence agencies warned the Salt Typhoon espionage campaign is far more sweeping than originally believed, hacking at least 200 U.S. organizations and 80 countries.  The FBI, Cybersecurity and Infrastructure Security Agency, the National Security Agency, our close Five Eyes allies, and agencies from Japan and other European countries issued a joint cybersecurity advisory that Salt Typhoon was “targeting networks globally” such as “telecommunications, government, transportation, lodging, and military infrastructure networks.”  The advisory also noted that while the focus was on “routers of major telecommunications providers,” the hackers also “leverage compromised devices and trusted connections to pivot into other networks.”

In January 2025 and in response to Salt Typhoon, the Federal Communications Commission ruled that the Communications Assistance for Law Enforcement Act (CALEA) “affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications.”  This simply brought the agency’s interpretation of the statute in line with current network realities. This step was one of the first updates to the FCC’s implementation of CALEA in decades and a commonsense acknowledgement that providers are responsible for protecting public safety against cybersecurity threats.

You have now proposed to reverse this requirement after heavy lobbying from the very telecommunications carriers whose networks were breached by Chinese hackers.  Your proposal to rescind this ruling would undermine the FCC’s ability to hold carriers accountable for protecting our nation’s critical communications infrastructure. And you propose to replace the ruling with no action whatsoever, instead relying on “collaboration” with carriers who failed to detect the hacks and have not provided me any of the evidence I requested that they have removed the intruders from their networks. Your order to rescind the January ruling also claims without evidence that the “collaborative approach to cybersecurity continues to be effective.”

I am concerned that your move to drop cybersecurity requirements on carriers is part of a pattern of weakness on national security issues. In 2024, you opposed the prior FCC’s efforts to block Chinese companies from providing internet service in this country, claiming that the FCC lacked authority to do so.  And after helping lead the movement during the Biden administration to require that TikTok divest of Chinese influence, you have been silent while the Trump administration ignored the law and threatens to leave TikTok’s algorithm under Chinese control. You also stood by while Republicans in Congress passed a law that threatens national security with rash plans to reallocate spectrum used for defense and public safety. 

These national security concerns also demonstrate why it is vital that you testify before this Committee to explain how you can fulfill your duty to promote the “national defense” as Chair of the FCC.   

I strongly encourage that you reverse course, withdraw the draft ruling, and maintain the FCC’s ruling that the telecommunications companies are required by the law to secure their networks from unlawful access or interception of communications.

The Senate Committee on Commerce, Science, and Transportation has direct oversight and legislative jurisdiction over the FCC. Please provide the following documents and information no later than November 25, 2025:

1.         A copy of any cybersecurity assessment the FCC conducted before moving to repeal its prior ruling.  Please provide any documents.

2.         Any documents the telecommunications companies shared with you that support their claims that they removed Salt Typhoon hackers from their networks, including, but not limited to, Mandiant digital forensic reports.

3.         Documents and information sufficient to demonstrate the FCC’s collaborative approach to cybersecurity with telecommunications providers “continues to be effective.”

To the extent any of the requested materials contain classified information, please segregate any such information and contact my staff to coordinate production with the Office of Senate Security. Thank you for your attention to this important matter.

Sincerely,

###