Internet Providers Can Monitor Their Own Cybersecurity Standards, Says Trump’s FCC

Internet service providers and wireless carriers will no longer be required to meet minimum cybersecurity standards after a vote by the Federal Communications Commission on Thursday.

The FCC voted 2-1 along party lines to reverse a January ruling — passed four days before President Donald Trump’s inauguration — that required providers to issue an annual certification demonstrating that they have “created, maintained, and implemented a cybersecurity risk management plan.”

The rules apply to a wide range of businesses, including mobile operators, internet service providersradio stations and even television channels.

The new requirements were largely a response to the Typhoon Salt cyberattackin September last year, in which hackers linked to the Chinese government broke into the networks of U.S. internet providers like AT&T, Verizon and Lumen, owner of CenturyLink and Quantum Fiber. The attackers gained access to call and text message metadata from millions of customers and allegedly captured audio recordings of people involved in the Harris and Trump campaigns.

“It’s such a terrible idea. It lays out the red carpet for another attack,” Cooper Quintin, a senior technologist at the Electronic Frontier Foundation, told CNET. “I can’t overstate the impact of Salt Typhoon. It gave them access to the communications of every American. It affected everyone, and there were no consequences to the telecommunications companies other than the need to generate a regular report.”

So why revisit the rules now? FCC Chairman Brendan Carr said the rules are unnecessary because longtime providers have already “demonstrated a strengthened cybersecurity posture” in the year since the Salt Typhoon attacks.

The move is the latest chapter in Carr’s “Delete, Delete, Delete” agenda, which aims to end “Washington’s regulatory assault.”

Democrats’ objections came quickly. Mark Warner, vice chairman of the Senate Select Committee on Intelligence, said eliminating the requirements “leaves us without a credible plan to close the gaps exposed by Salt Typhoon, including fundamental failures such as the reuse of credentials and the lack of multi-factor authentication for highly privileged accounts.”

In a letter to Carr earlier this week, Sen. Maria Cantwell said Typhoon Salt allowed the Chinese government to “geolocate millions of individuals” and “record phone calls at will,” noting that the incident targeted nearly every American.

“You have now proposed rescinding this requirement after intense lobbying from telecom operators whose networks have been breached by Chinese hackers,” Cantwell said.

Carr dismissed those objections at this morning’s meeting, saying, “Doing anything just so we can say we did something is not the answer.” »

Blair Levin, former FCC chief of staff and telecommunications industry analyst at New Street Research, told me he found Carr’s position counterintuitive.

“If you look at the FCC as being the protector of the public interest in modern communications, the idea that you don’t have a role in cybersecurity seems intentionally heavy-handed to me,” Levin said.

The ruling is a major victory for telecommunications companies, which have lobbied for the rules to be repealed. In a letter sent to the FCC last month, industry groups argued that decades-long collaboration between industry and government on cybersecurity meant the rules were not only unnecessary: ​​They “significantly undermine this system and make our networks less secure.”

When I read this quote to Quintin, he laughed and dismissed it with a seven-letter word.

“If having to tell someone what their cybersecurity situation is makes that person less safe, then their cybersecurity is terrible,” he said.

Don’t miss any of our unbiased technical content and lab reviews. Add CNET as your preferred Google source.

How to protect yourself from future cyberattacks

The FCC is taking a step back from monitoring the security of our networks, which means it’s never been more essential to practice good cybersecurity yourself. While Salt Typhoon targeted government officials, ordinary Americans could be at risk from future attacks.

“The concern for you or me is more about scams and cybercrime,” Quintin said, emphasizing that SIM swap attacksIntercepting two-factor authentication codes and scammers impersonating your bank or healthcare provider could become more common.

Here are some steps you can take now to protect yourself and mitigate potential harm:

Set strong passwords and always use multi-factor authentication. Your passwords must all be unique and long, with a variety of special characters, letters and numbers. If this seems impossible to remember, it should be. A good password manager will do the heavy lifting for you. If you learn that one of your passwords has been compromised in a breach, change it as soon as possible.

Beware of phishing attacks. Data breaches give criminals a great opportunity to use your personal information against you by sending fraudulent emails, text messages, or social media messages. Do not click on links from senders you do not recognize, and be extremely skeptical of distributing money or personal information to any person or company you have not verified.

Monitor your financial accounts. It’s always a good idea to keep a close eye on your bank accounts and credit cards, but especially when you are informed that your personal information has been exposed. You can also set up account alerts to notify you whenever a large transaction is made.

Use a VPN. If you are concerned about another Salt Typhoon attack from a foreign government or anyone else, the best thing you can do to ensure your connection remains private is to use a reliable VPN. Look for advanced features like obscuration, Tor over VPN and a double VPN, which uses a second VPN server for an additional layer of encryption. You can also install a VPN on your router directly so that all your traffic is automatically encrypted.