WASHINGTON — Lawmakers debated how best to combat and prepare for the next cyberattack from foreign adversaries at a Senate Commerce Subcommittee on Telecommunications and Media hearing on Tuesday.
The hearing comes after Federal Communications Commission (FCC) Chairman Brendan Carr rolled back Biden administration cybersecurity regulations on telecommunications companies in November, made in the wake of the Salt Typhoon cyberattack last year.
Salt Typhoon is a group linked to the Chinese government whose goal is to hack into American networks and steal personal and classified data. The group led a years-long campaign to hack American telecommunications companies and steal data from prominent officials, including from President Donald Trump and Vice President JD Vance, during the 2024 presidential campaign for counterintelligence purposes.
Sen. Ben Ray Luján (D-N.M.) called out the FCC and Trump for removing regulations and signing an executive order in January that dismantled the Cyber Safety Review Board (CSRB) created under former President Joe Biden. CSRB investigated the Salt Typhoon attacks until it was dismantled earlier this year.
“There’s still a lot we don’t know about the damage done by the Salt Typhoon attacks. In fact, President Trump fired the board that was investigating the attack,” Luján said. “But what we do know is that rolling back protections and requirements to harden our networks is putting us on a dangerous path, and it will not prevent or mitigate attacks like this in the future.”
Sen. Gary Peters (D-Mich.) pushed back on witness Robert Mayer, the senior vice president of cybersecurity and innovation at USTelecom. Peters said that USTelecom pushed the FCC to roll back efforts that “require telecommunications providers to have a cybersecurity plan and then stick to it.”
“Officials say… cybersecurity is a priority, but at the same time, they’re basically gutting all of our cybersecurity institutions,” Peters said. “From rolling back the FCC rule to ignoring their own guidelines regarding the handling of America’s most sensitive personal information, as well as pushing out cybersecurity experts all across government, firing the people who know what needs to be done.”
Mayer emphasized that regulating telecommunication networks is not as effective as encouraging innovation.
“We have a very sophisticated adversary, and the way to deal with this is collaboration with government, partnership with government, [and] accountability,” Mayer said. “We’re making progress, and we shouldn’t stifle that or kill that with a compliance regime where you have 40 to 70 percent of your practitioners doing paperwork. We need to focus on the threat.”
Sen. Ted Cruz (R-Texas) supported Carr’s efforts to roll back regulations of telecommunications companies.
“Our challenge, therefore, is to secure communications infrastructure effectively without creating excessive and useless regulation that stifles the very innovation that gives our competitive edge,” Cruz said.
Daniel Gizinski, the president of the satellite and space communications segment at Comtech, argued that a public-private partnership would allow the designers and builders of communication systems to give important input on closing security holes because they “have the best view of what the vulnerabilities are.”
“The application of well-intended checklists on defense systems often aren’t designed with the end system architecture in mind,” Gizinski said. “Having that in-depth, open conversation has been incredibly valuable in securing other systems that we’ve built and delivered over the years.”
Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University’s Antonin Scalia Law School, told lawmakers that rather than regulating telecommunications companies, they should strive for an incentive-based approach through public-private partnerships because regulations will ultimately lead to companies doing the “minimum necessary at the latest time possible.”
“If, on the other hand, you incentivize people to do the right thing… they’re more likely to line up your boards, your CEOs, everybody’s going to be in the same room because they’re going to say, look, we get a benefit by doing these things,” said Jaffer. “To me, that’s a more effective way to get to the goal you want.”
However, former FCC Chief of the Public Safety and Homeland Security Bureau Debra Jordan warned that providers still need to be held accountable for basic cyber hygiene that would prevent attacks from happening so easily.
“We must establish a verification regime to ensure the security of our nation’s communications infrastructure from the largest to the smallest providers. We’ve seen time and again through outage and enforcement investigations, where providers have not implemented even some of the most basic cyber hygiene uniformly across their networks, such as changing default passwords,” Jordan said.
Published in conjunction with 
