The FCC urges telecommunication providers to implement cybersecurity best practices in response to the Salt Typhoon hack and increased ransomware attacks.
On January 29, 2026, the Federal Communications Commission (FCC) issued a Public Notice strongly recommending telecommunication service providers “to implement cybersecurity best practices to protect their networks from the introduction of malware, including ransomware” in the light of recent events demonstrating “that some U.S. communications networks are vulnerable to cyber exploits that may pose significant risks to national security, public safety, and business operations.” The notice specifically references Cyble’s Telecommunications Sector Threat Landscape Report 2025, which found that since 2022, ransomware attacks on the industry have nearly quadrupled, with 69% of these ransomware attacks being aimed at the Americas.
While the FCC’s Notice does not mention the incident by name, the historic Salt Typhoon hack of late 2024 first drew a spotlight on cybersecurity in the telecommunications sector and is likely a contributing factor to the advisory. The Chinese state-sponsored hack compromised the infrastructure of at least eight US firms (including AT&T, Verizon, and T-Mobile), and exposed the cellular metadata of many, if not all, Americans. One official from the Federal Bureau of Investigation (FBI) who supervised investigations into the hack, Cynthia Kaiser, said she “can’t imagine any American was spared given the breadth of the campaign,” a year after the investigations started.
The hack led to calls for stronger cybersecurity in telecommunication, with Oregon Senator Ron Wyden (D) blocking Trump’s nominee for the Director of the Cybersecurity and Infrastructure Security Agency (CISA) until the agency released an earlier 2022 report on the security of this sector to the public. Before Wyden blocked Sean Plankey’s confirmation, the FCC enacted a rule in January 2025 requiring telecom operators to secure their networks and published a notice of proposed rulemaking that would require companies in the industry to create and implement cybersecurity management plans.
Unfortunately, these efforts do not seem to have precipitated much change in cybersecurity posture for communications providers. By late November 2025, the FCC rescinded these cybersecurity rules for these providers, claiming that the January decision “was both an unlawful and ineffective attempt to show that the agency was taking some type of action on cybersecurity issues…it neither responded to the nature of the relevant cybersecurity threats nor was it consistent with the agile and collaborative approach to cybersecurity that has proven successful.” The choice was criticized by some, with Sen. Maria Cantwell (D.Wash) telling the FCC Chairman Brendan Carr that “I am concerned that your move to drop cybersecurity requirements on carriers is part of a pattern of weakness on national security issues.”
It’s true that national cybersecurity has not been at its strongest in recent months. In December 2025, before the FCC’s Public Notice, Salt Typhoon activity was uncovered again, this time targeting congressional staff emails. These staffers worked in departments that addressed foreign affairs, intelligence, and policy on China - holding potentially valuable information for an espionage campaign. It’s still not clear to the public how impactful this last hack was, but awareness of how persistent the group is may have motivated the FCC’s new emphasis on security for communications providers.
The Public Notice lists eight best practices for preventing and mitigating ransomware attacks:
- Creating a Cybersecurity Risk Management Plan with incident response teams and clear role distributions
- Routinely updating and patching software, disabling unnecessary features
- Implement Multi-Factor Authentication (MFA)
- Set up scheduled data backup processes
- Teach employees about cybersecurity awareness and security principles
- Use “zero trust” architecture and network segmentation to control network access
- Continuously check for vulnerabilities by using detection and protection processes and staying up to date on threat intelligence
- Weigh third-party risk to limit threats entering the controlled infrastructure
In addition to these best practices, the notice also outlines instructions for responding to a ransomware attack:
- Use your Cybersecurity Risk Management Plan to stay organized
- Limit the spread of ransomware by finding out what areas are affected and isolating them
- Record evidence from affected devices
- Use clean backups to restore data
- Report the incident
There are detailed directions for reporting the incident depending on the result of the attack, like compromised customer proprietary network information or a network outage. Even if the attack does not lead to a reporting requirement, the instructions encourage reporting it to the FCC Operations Center, federal law enforcement resources like the Internet Crime Complaint Center, alongside the FBI and USSS, and federal asset response resources, like CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Following these instructions, the notice concludes with additional resources: links to other cybersecurity guidelines from federal organizations, together with the National Institute of Standards and Technology’s Cybersecurity Framework and CISA’s Known Exploited Vulnerabilities Catalog.
While the FCC’s Public Notice does not have the same power as any rules that the Commission enacts, the guidelines may be enough to inspire better cybersecurity policies in the telecommunications space. In any case, communications security may be in the headlines for a while longer, as reports emerge that AT&T and Verizon are dodging inquiries about their response to the disastrous Salt Typhoon hack, obscuring the nation’s true cyber preparedness.