A Parting CyberQuest
Published by The Lawfare Institute
On Dec. 5, 2024, the Federal Communications Commission (FCC) Office of the Chairwoman issued a press release and accompanying fact sheet attempting to assert a broad new cybersecurity regulatory authority by creatively conjoining news coverage revelations of network hacking with an abstruse provision in a 1994 act on lawful interception. It was one day after the national security community collectively released extensive guidance on mitigating the related well-known hacking vulnerabilities—which was never mentioned by the FCC. Several weeks later, the FCC summarily declared cybersecurity authority over an array of U.S. telecommunications infrastructure to impose new regulations that include creation and notification of cybersecurity risk management and supply chain security plans. The designated incoming FCC chair published his strong objections. The next day, the White House published a related cybersecurity executive order (which was subsequently deleted). Although the FCC assertion attempt is certain to fail, the events underscored a continuing need in law and operational practices for instituting effective infrastructure cybersecurity.
The Event Timeline
In early 2023, Trend Micro published reports of a nation-state advanced persistent threat group it named “Earth Estries” that it believed had been operating since at least 2020. In November 2024, another Trend Micro report revealed and explained the full scope of the group’s exploits, including vulnerabilities and attack vectors.
A joint statement by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Nov. 13, 2024, made known the extent of the exploits into compartmentalized telecommunications infrastructure. On Dec. 4, 2024, CISA, the National Security Agency (NSA), the FBI, and the Five Eyes agencies (except for the U.K.) released a comprehensive joint guidance publication. The guidance provided a highly detailed analysis of the Earth Estries exploits, including specific product vulnerabilities, and a multi-part cybersecurity best practices guide for hardening telecommunications networks against exploits by malicious actors. The guidance publication covered several practices the agencies had recently placed in international technical standards and expanded on them in specific vendor product areas such as routers. However, the guidance is extensive, with complex access, monitoring, and auditing requirements that are difficult to implement—especially for large telecom providers operating national networks with multiple generations of equipment.
The U.K. national security community, which opted out of the joint guidance, instead favored a more achievable, mandatory series of steps outlined in a U.K. Telecommunications Security Code of Practice (CoP). Unlike the joint guidance publication, the U.K. CoP avoids onerous auditing and places the burden equally across providers. It requires a specified provider official to provide evidence to the national security agencies that they have prescribed risk management processes in place. The CoP is enforced via OFCOM compliance regulations that do not exist in the United States.
Just before a change of administrations, the FCC on Jan. 15 adopted a Declaratory Ruling and Notice of Proposed Rulemaking that conflated the two-year-old proceeding on securing emergency messaging systems with the FCC chair’s December proposal to use an obscure Communications Assistance for Law Enforcement Act (CALEA) lawful interception provision to unilaterally assume broad new jurisdiction to adopt new FCC rules. Providers are required to do two things. They must “create, update and implement” (a) a cybersecurity plan and (b) a “supply chain risk management plan.” Providers must then file these plans with the FCC through its Network Outage Reporting System.
The FCC Assertion of Authority
Former FCC Chairwoman Jessica Rosenworcel proposed a “Declaratory Ruling finding that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) affirmatively requires telecommunications carriers to secure their networks from unlawful access or interception of communications” and “require[s] communications service providers to submit an annual certification to the FCC attesting that they have created, updated, and implemented a cybersecurity risk management plan, which would strengthen communications from future cyberattacks.”
The term “affirmatively requires” is authority creationism.
The plain language and historical purpose of CALEA Section 105 clearly do not support such a finding. Rather, Section 105 requires only that a provider “ensure that lawful interception … effected within its switching premises can be activated with lawful authorization and intervention of an individual employee in accordance with [FCC regulations.]”
CALEA is implemented cooperatively by the FBI and the FCC. The FBI Operational Technology Division provides resources for CALEA implementing capabilities, including collaboration with allies and participation in industry standards bodies. CALEA was followed a few months later in Europe by a 1995 European Council Resolution that enables lawful interception to prevent crime, including fraud and terrorism. Legacy telecom providers and eventually the internet quickly implemented CALEA’s provisions. Essentially every country has similar legislation and designated agencies that are engaged in providing for lawful interception capabilities, with complex arrangements for bilateral and multilateral cooperation: for example, the Home Office in the U.K., the BfV in Germany, and the Interior Ministry in France. The Section 105 activation security capabilities are principally undertaken in a few specialized industry bodies, especially the ETSI Technical Committee on Lawful Interception.
Nowhere in the FCC Office of the Chairwoman releases is there any mention of years of ongoing work by industry and government in this sector, nor of the obviously significant collaborative work of the U.S. national security community and allies over the past two years on the attacks the FCC referenced. Because, over several decades, the FCC participated in almost no cybersecurity or lawful interception industry activities, acquired minimal staff subject matter expertise, and neglected to take any action, the FCC assertions seemed opportunistic. This creative opportunism was also made obvious by the fact that the advanced persistent threat attacks had occurred worldwide in many kinds of networks and devices over many years. The appearance of opportunism was exacerbated by two prominent facts: neither the cited attacks nor the necessary steps to prevent them were specific to either the U.S. or to lawful interception implementations. Many countries were facing the same threats, which involved entire telecommunications infrastructures.
This is not the first time the FCC expanded its jurisdiction by interpreting CALEA statutory provisions. In 2006, the commission expanded CALEA to encompass Voice over Internet Protocol and internet access services by interpreting the definition of telecommunications carrier as it evolved with new technologies. On judicial appeal in a split court, Judge David Sentelle’s opinion supported the FCC action by relying on the Chevron doctrine’s deference to the agency’s expertise. The action also occurred at a period of significant post-9/11 security concern.
However, the Supreme Court discarded Chevron last year in its Loper Bright Enterprises v. Raimondo ruling. This decision established precedent for the U.S. Court of Appeals for the Sixth Circuit’s Jan. 2 ruling striking down another of the FCC’s expansive assertions of authority to enact net neutrality regulations.
The commission’s creation of a far-reaching new cybersecurity regulatory regime based on a strained reading of a CALEA provision is certain to fail judicially. The new administration’s pick for FCC chair, Brendan Carr, also objected to expanding FCC cybersecurity authority based on CALEA Section 105.
Meeting National Infrastructure Cybersecurity Needs
Addressing the constantly scaling challenges of cybersecurity has been ongoing in the U.S. federal government for the past 60 years. Following three years of collaboration after digital packet networks for connecting computers were conceived, NSA and RAND went public with the resulting threats in April 1967. The substantive work to address cybersecurity threats over the past decades has ensued predominantly in agencies other than the FCC—collectively the national security community that includes NSA, the FBI, and recently CISA—and in the international collaborative activities in which they engage. The expertise resides in those communities, not the FCC, and becomes highly relevant going forward. The principal exception involves the radio sector, which was the original basis for the FCC’s formation and has extensive, explicit statutory authority and enacted licensing and equipment certification regulations that include cybersecurity features.
The perennial missing piece here is the ability of the U.S. national security community to impose cybersecurity regulatory requirements on public network infrastructure and service providers. Minimally, every provider should be implementing the globally well-known Critical Security Controls that emerged from industry and NSA collaboration over many years. The controls are a continually evolving, prioritized set of best practices used to strengthen cybersecurity posture.
The EU now implements similar measures and more through an array of new regulatory requirements for all public and critical infrastructures and services. The U.K. telecommunication regulatory authority implements similar practices through its Telecommunication Security Code. Essentially every nation worldwide follows similar practices.
The implementation of comprehensive U.S. public network infrastructure cybersecurity has been lacking for decades because Congress has not sorted out the issues of competence and regulatory jurisdiction following major technological change in service provisioning. The U.S. is perhaps the only country that has failed to resolve this essential cybersecurity requirement conundrum and instantiate a solution in organic law. Providers need not only to demonstrate an effective risk management framework but also to implement network resilience by design and continuing critical security controls. It seems late to be making those changes now, and the FCC’s unilateral pursuit of authority here through a summary declaration is a reminder of the continuing need.