The U.S. Federal Communications Commission cancelled its post Salt Typhoon cybersecurity mandate for carriers after a 2-1 vote on November 20, 2025. The order reverses a January ruling that tied network security duties to CALEA and would have required yearly cybersecurity plan attestations.
Republican leadership said the legal basis was weak and the approach too rigid for fast moving threats. The agency pointed to recent cooperation with carriers on patching, access controls, and threat hunting. Industry groups welcomed the shift, citing flexibility in how risk is managed under other federal partnerships, and in internal programmes.
Salt Typhoon was a large, China‑linked espionage campaign that reached deep into U.S. telecom networks last year. Investigators described long term access that targeted routers and signal paths. Canadian officials later warned that similar techniques touched domestic telecom devices in early 2025. The policy response in Washington now pivots from mandates to collaboration. The vote, and its timing, keep security choices closer to boards and operators.
Order leans on voluntary measures
At the open meeting, FCC Chair Brendan Carr said, “The Declaratory Ruling that we reconsider today was neither lawful nor effective.” He argued the earlier move misread CALEA and lacked focus on concrete vulnerabilities.
Staff described commitments by major carriers to accelerate patching, tighten outbound connections, and expand government information sharing. Supporters said these steps mirror how other sectors manage cyber risks without one size fits all rules. The Commission also withdrew a related rulemaking that would have set minimum practices.
Opposition formed quickly on Capitol Hill and inside the agency. Democratic Commissioner Anna Gomez dissented, warning about weaker accountability if reporting ends. Senate Commerce leaders flagged gaps in oversight and evidence that intruders are fully removed.
In a letter ahead of the vote, Sen. Maria Cantwell wrote, “our efforts should be focused on further enhancing the cybersecurity of our critical infrastructure networks, not rolling back existing protections.” The split highlights a broader debate over whether voluntary pledges are enough after a high impact breach.
Cross border risk and capital effects
The repeal changes compliance cadence more than day to day engineering. Carriers may keep spending on monitoring tools, router hardening, and incident response, but attestations drop from the workplan. Procurement teams can time upgrades to operational risk rather than fixed filing dates. Insurers and lenders may still ask for proof of controls before renewing cover or closing financings. That can anchor investment choices even without a federal checklist.
Interconnection with U.S. backbones remains a live risk for Canadian operators. Traffic often crosses borders through shared routes and submarine cables. Joint advisories from security agencies this year detailed router level tactics that evade normal logs and persist across reboots. Those notes encouraged specific hunts and firmware checks, steps many carriers already deploy. Coordination between Ottawa and Washington will shape how threats are shared in real time.
Industry groups said the agency acted to restore flexibility and keep pace with changing attacks. The trade associations for broadband, wireless, and cable called out the Commission’s decision as the product of collaboration in “a dynamic cybersecurity landscape.”
Watch for congressional oversight, and for targeted FCC measures tied to narrow assets, such as subsea systems or lawful intercept functions. Any fresh incidents could quickly reset the policy balance. For now, the centre of gravity sits with voluntary controls, audits, and bilateral threat sharing.