A vote this week by the FCC, reported by Federal News Network, may rescind the broadband cybersecurity rules the agency adopted in January following the massive Salt Typhoon hacks. Those rules had used a reinterpretation of the Communications Assistance for Law Enforcement Act (CALEA) to assert the agency’s authority to require telecoms to secure their networks. The agency says the prior effort “exceeded the agency’s authority and did not present an effective or agile response” to the threats.

This is more than a procedural shift. If the rules are rescinded, it signals the FCC moving away from broad, mandatory cybersecurity requirements and toward a model of voluntary collaboration with providers. That matters because Salt Typhoon was no small event—it penetrated U.S. telecom networks, has been described as “the worst telecommunications hack in our nation’s history,” and revealed deep vulnerabilities in routing, network management, and trusted-connections.

For defenders, industry leaders, and policy makers, the takeaway is clear: regulatory frameworks for critical communications infrastructure are in flux at exactly the moment the threat landscape is intensifying. It is an element of risk management that can’t be ignored. Monitoring voluntary commitments, assessing whether collaboration models deliver, and ensuring that basic hygiene (patching, network segmentation, privilege controls) remains enforced despite the regulatory retrenchment is now part of the solution. Without that, the same channels that were exploited in Salt Typhoon might remain exposed.