The internet is having a five-alarm week and the only agency you would hope could turn on the water came by with a hose and no bucket. With high-profile breaches hitting DoorDash and Logitech and a 15.7 Tbps DDoS slamming Microsoft Azure, the Federal Communications Commission voted to repeal rules requiring telecom carriers to have (and affirm) robust network security programs. It is a head-spinning move at exactly the time that critical infrastructure requires stronger standards, not fewer.
Regulators maintain that industry self-policing and market incentives can do the work. But attacks have been so voluminous and intense — and their spillover effects into everyone else’s payments, logistics and cloud services so great — that they certainly do appear to matter.
What the FCC Repealed in Telecom Security Rules
Centrally at issue are rules that mandated carriers to implement formal, documented security practices preventing unauthorized access to their networks, introduce officials responsible for security measures and self-certify compliance with the FCC. These requirements were intended to turn security into a board-level responsibility instead of just a best-effort guarantee. By yanking them, the agency is moving risk back to voluntary frameworks and post-incident accountability.
Industry groups had long sought to eliminate such prescriptive mandates, arguing they duplicate other frameworks and impose costs with no obvious commensurate benefit. Critics of the changes argue that getting rid of explicit obligations undermines a baseline for companies that power the backbone of U.S. communications.
Why the Timing Could Not Be Worse for Security
Consider the week’s tape. DoorDash acknowledged a breach that compromised sensitive customer information. Logitech announced a breach that is affecting customer information. Meanwhile Microsoft disclosed a mammoth 15.7 Tbps attack volume on one of its own Azure services that it attributed to the Aisuru botnet — the very same threat family blamed for a record-breaking 22 Tbps blast at Cloudflare in recent months. These are not theoretical risks but rather ongoing efforts to grind down the infrastructure that supports commerce, healthcare and government.
The numbers support the feeling of crisis. In October 2020, IBM Security’s most recent Cost of a Data Breach study pegged the global average breach cost to be around $4.88M, and Verizon’s DBIR says that 68% of breaches involve human factors (phishing or stolen creds or just plain ol’ making mistakes in the presence of said inconsistent baseline controls). Carriers aren’t responsible for every incident, but when they let something slip through, the blast radius can bisect everyone who’s part of their ecosystem.
What Security Experts Say About the FCC Rollback
Cyber officials have been calling for more, not less. CISA advocates for basic controls — such as enabling multifactor authentication by default, quickly patching internet-facing systems and making DDoS mitigation preparations. NIST’s Cybersecurity Framework details risk management that is most effective when measurable and auditable — exactly what certification requirements sought to impose.
Privacy and consumer groups like the Electronic Frontier Foundation and Public Knowledge say that by removing required attestations, potential customers have a fog around basic hygiene — encryption at rest and in transit, zero-trust segmentation and third-party risk controls. With no specific requirements, it makes it more difficult for customers, partners and regulators to assess whether “secure” is based on deployed controls or just intentions.
How Carriers and Cloud Will Feel the Impact
Big providers will still follow NIST, or ISO 27001 and SOC audits to make the enterprise customer happy. The discontinuity is at the fringe — regional operators, resellers and supply chain partners where enforcement historically was a function of FCC-required governance and annual certifications. Fewer guardrails mean it’s more likely that a misconfigured edge device or old system ends up being the pivot point for the next routing leak, data theft and nation-state foothold.
Ironically, the broader tech industry is going the other way. Content and cloud platforms are driving default encryption, confidential computing and automatic key rotation. Overseas governments are clamping down on requirements under regimes such as the EU’s NIS2, which treats telecom as critical infrastructure to be managed for risk and reported when failures occur or fines will be issued. The U.S. is now gambling that voluntary alignment will be enough while its adversaries industrialize their tooling.
A Better Path Forward for Telecom Security Oversight
There’s a middle ground, between strict checklists and trust-me. Policymakers could:
- Require outcome-based attestations to accepted standards such as NIST CSF and SP 800-53 that are validated by objective audits.
- Require transparent metrics — mean time to detect and respond, patch latency on internet-facing assets and multi-factor adoption rates — reported in confidence to regulators and in aggregate public reporting.
- Align telecom requirements with those in CISA’s playbook for the critical infrastructure community, such as conducting tabletop exercises and joint DDoS readiness assessments with cloud and content delivery service providers.
- Strengthen and formalize supply chain controls, including software bills of materials and vendor security attestations for network gear and managed services.
The Bottom Line on Rolling Back Telecom Security
Attacks are multiplying industry to industry, and telecom is core to everything that moves. Lowering the bar on security requirements might reduce paperwork, but it also takes away the pressure that translates best practices to standard ones. With the internet this hot, that extinguisher can’t be optional.
