The Federal Communications Commission is warning telecommunications companies to regularly patch their systems, enable multifactor authentication and segment their networks to avoid falling victim to ransomware attacks.
“Recent events show that some U.S. communications networks are vulnerable to cyber exploits that may pose significant risks to national security, public safety, and business operations,” the FCC’s Public Safety and Homeland Security Bureau said in a Jan. 29 alert.
The alert said the FCC “has become aware” over the past year “of ransomware incidents involving small-to-medium sized communications companies that disrupted service, exposed information, and locked providers out of critical files.”
The commission also cited recent data showing that the number of ransomware attacks on telecom firms globally increased fourfold between 2022 and 2025.
The FCC’s alert describes how ransomware actors operate, lists best practices for thwarting them and explains how to respond to an intrusion. The incident response section offers guidance on reporting attacks to the government, including how to contact the FCC, the FBI and other agencies.
Among the advice in the alert is a recommendation to monitor for supply-chain vulnerabilities, which account for a significant number of intrusions into critical infrastructure networks. “Evaluating the cybersecurity practices and monitoring the vulnerability of third-party vendors reduces the risk of threats that occur outside the provider’s controlled infrastructure,” the FCC said.
Companies should also regularly back up data, train employees and test incident-response plans, the commission said.
An appendix to the alert lists best practices produced by the FCC’s public-private Communications Security, Reliability, and Interoperability Council, including requiring validation of software patches, enforcing strong passwords and adopting the least-privilege principle for network access.
Growing concern
The cybersecurity risks facing telecommunications firms received significant attention in 2024, when it became known that Chinese government hackers had breached a range of U.S. and foreign telecom firms as part of the Salt Typhoon campaign. Experts say it will be difficult, if not impossible, for telecom companies to fully secure networks that often are patchworks of old, poorly maintained systems.
Some policymakers have pushed the FCC and other agencies to do more to hold telecoms accountable for their security lapses. Sen. Ron Wyden, D-Ore., has said he will block the confirmation of President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency until CISA releases a 2022 report on vulnerabilities in the telecom sector. Wyden has also pushed for the FCC to impose new cybersecurity requirements on telecoms and for the Justice Department to investigate potential criminal violations by Salt Typhoon victims. (Wyden speculated that the companies might have breached their obligations — under the Communications Assistance for Law Enforcement Act and the False Claims Act — to protect sensitive data and accurately describe their cybersecurity postures.)
The Trump administration has gone in the opposite direction. In November, the FCC abandoned a Biden-era legal interpretation that would have increased telecoms’ cybersecurity obligations.
