The Federal Communications Commission (FCC) has approved new regulations designed to crack down on robocalling and protect telecommunications networks from cyberattacks. The regulations, which were passed unanimously by commissioners, aim to strengthen telecom companies' 'Know Your Customer' requirements for verifying callers' identities.
Strengthening Know Your Customer Requirements
Among the potential solutions being considered are requiring telecoms to verify a customer's name, address, government ID, and alternative phone numbers prior to enabling their service. This move is intended to prevent bad actors from infiltrating US phone networks. FCC Chair Brendan Carr stated that under current rules, some telecoms "do the bare minimum" to verify callers and have "become complicit in illegal robocalling schemes."
Carr noted that as the FCC has continued to investigate the problem of illegal robocalls over the last year, it has become clear that some originating providers are not doing enough to vet their customers. This has allowed bad actors to infiltrate US phone networks, highlighting the need for more effective identity verification measures.
Current Rules and Challenges
Current rules require telecoms to take "affirmative, effective" measures to verify callers and block illegal calls. However, in practice, this system has largely relied on self-attestation from the companies. Because a single call can traverse multiple networks, carriers must also often rely on identity verification performed by other telecoms.
For example, the telecom that transmitted thousands of false robocalls imitating then-President Joe Biden during the 2024 New Hampshire presidential primary initially reported to the FCC that it had the highest level of confidence in the identity of those using the phone numbers. However, this turned out to be false, as the robocallers spoofed a well-known former state Democratic Party official.
Closing Loopholes and Enforcing Penalties
The commission is also interested in finding ways to better enforce Know Your Customer rules, including tying penalties to the number of illegal calls that were placed. Since 1999, the FCC has traditionally granted blanket authorization for domestic carriers to operate interstate telecommunications services within US borders.
However, another rule passed by the commission would formally end this practice for foreign companies on the FCC's covered entity list. The list bans a small number of foreign companies based in Russia or China from selling their equipment in the US on national security grounds.
Carr noted that equipment from those companies often winds up in US products because the companies provide services that don't fall under the current legal definition of international telecommunications authority. This loophole has allowed foreign companies to circumvent US security measures, highlighting the need for more effective regulation.
Cybersecurity Threats and Network Security
Commissioner Olivia Trusty, who helped lead the development of the rule, stated that cybersecurity threats facing telecom networks today "exceed those of any recent era" and that updates must be made to modernize and harden networks. Trusty emphasized the importance of re-examining policies that permit access to US networks to ensure that frameworks originally designed to promote economic growth are not exploited in ways that jeopardize national and economic security.
The FCC also passed a third measure that would refuse to recognize any testing or equipment lab based overseas that does not have a reciprocity agreement in place with US-based labs. This rule builds on efforts last year to prohibit telecoms from relying on testing and certification labs that are owned or operated by foreign adversarial countries like China or Russia.
This move led to the FCC withdrawing or denying certification of 23 overseas labs, highlighting the need for more effective regulation and oversight of foreign companies operating in the US telecom sector.
Source: CyberScoop