Policy

Exit interview: FCC’s Jessica Rosenworcel discusses her legacy on cybersecurity, AI and regulation

The outgoing chair weighs in on how the FCC has addressed newer technologies, efforts to respond to Chinese intrusions into U.S. telecom networks, and regulating AI in political ads.

By Derek B. Johnson

January 3, 2025

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

FCC Chairwoman Jessica Rosenworcel attends the Paley International Council Summit at Paley Museum on Nov. 8, 2022 in New York City. Rosenworcel spoke with CyberScoop about her tenure as FCC Chair, which will end Jan. 20, 2025. (Photo by Steven Ferdman/Getty Images)

On Jan. 20, Jessica Rosenworcel will leave the Federal Communications Commission, capping off a 12-year tenure that saw her rise from commissioner to chairwoman in 2021.

Under her leadership, the agency has taken an aggressive approach to regulating cybersecurity, data privacy and emergent artificial intelligence use in the communications sector.

Over the past four years, the FCC has issued record fines to telecoms and other entities for data breaches caused by cybersecurity lapses, privacy violations, selling customer data and using AI to deceive voters over phone lines. The agency has also proposed a raft of new cybersecurity regulations on telecoms and broadcasters, in many cases by reinterpreting decades-old laws to cover newer and emerging technologies and infrastructure.

In a wide-ranging interview with CyberScoop, Rosenworcel discussed how the FCC has evolved to address the challenges posed by newer technologies, ongoing efforts to investigate and respond to Chinese intrusions into U.S. telecommunications networks, regulating AI in political ads and other topics.

This interview has been lightly edited for length and clarity.

CyberScoop: Thank you for making time to speak with us today, chairwoman. Can you start by talking about the role that cybersecurity and privacy have played in your tenure at FCC? When you look back at when you first got to the agency to today, how has the mission changed or evolved to meet these challenges?

Rosenworcel: I think it’s become clear that communications technologies are essential for national and economic security. By some counts, they amount to one-sixth of the economy and I think it’s the most exciting part. Under my leadership, we made sure that those connections need to be secure connections and put national security front and center.

There are so many things that we have done over the last several years to demonstrate that. For the first time ever, we revoked the service authorization for Chinese-affiliated telecom companies because we found their connections in this country were insecure. We also set up a big program to take out and replace Huawei and ZTE equipment in our nation’s communications carriers. And in legislation that was just passed, the [National Defense Authorization Act], we got an additional $3 billion to help us finish that job.

We also made sure that our process for reviewing equipment that uses radio frequency doesn’t give blessing to insecure devices, through the work we’ve done on the Secure Equipment Act. On top of that, we’ve enforced against wireless carriers who are making a business of selling our geolocation data from our phones. Got them to stop that. And we updated our data-breach policies at the FCC, which hadn’t been updated in 16 years, which is a lifetime in the digital age. We also did some work to try to stop sim-swapping fraud.

A lot of those initiatives were done because we helped create the Privacy and Data Protection Task Force, which brought together all kinds of staff from across the agency to try to think cooperatively about these issues and what matters to the security of our networks and the communications we bring into our homes and businesses.

CS: A theme running through much of your work in these areas has been operating with laws that were designed decades ago to apply to newer technologies that have come to the fore.

Rosenworcel: I think you have a point. What we tend to do is we look at the law and say, what values are in the law? And the very first sentence of the Communications Act talks about network security. And for that reason, we have to take a look at what’s happening in the world around us and modernize our approaches.

For example, we’re seeing extraordinary growth in the Internet of Things. We’ve got billions of devices that are out there and many more coming our way that are going to be connected to the internet. We have to make sure all those connections are secure.

It’s why, for the first time ever, we developed the U.S. Cyber Trust Mark, which is coming soon to everything from baby monitors to fitness trackers, to help us all make good decisions about what connections we bring into our lives and home. That’s an example of us thinking in a modern way about the language in these laws.

CS: On the Salt Typhoon intrusions, the FCC has proposed new rules for telecommunications providers. Some members of Congress have proposed their own version of legislation. When you look at these intrusions, what do you see as the root problems that need to be fixed to prevent these kind of breaches in the future? And to what extent does the FCC have the authority to act on those problems versus needing new legislation from Congress?

Rosenworcel: There’s a few different pieces in there. Let’s start by acknowledging that our nation’s communications is not a single network. It’s a patchwork of networks from private companies. Some portions of it are bright new and gleaming with IP technology, and others are decidedly analogue and feature switches that should have been long ago decommissioned.

So while our national intelligence experts are spending a lot of time trying to understand the scope and extent of the incursions from Salt Typhoon, I decided that the FCC should get started building a framework for the future. In other words, even while they’re going through their efforts to fully appreciate what happened, I think we actually have to start right now thinking about how we’re going to stop this in the days ahead.

When I look at the laws before us, the most relevant law I have is [the Communications Assistance for Law Enforcement Act] — which is from 1994 by the way. Not especially current. And in 1994, as we saw the explosion of different kinds of equipment being added to our communications network, Congress passed this law to direct communications companies to make sure the equipment they put in their network was capable of lawful surveillance. If they got a lawful request for surveillance, that equipment would be capable of working with law enforcement authority to make that happen.

So I’m standing back now and looking at this tool and saying, can we interpret that more broadly and in a more modern way, to say that you affirmatively have a duty to secure your network? And if we do that, can we also have cybersecurity risk management plans that are built off the kind of work that the National Institute for Standards and Technology and the Cybersecurity and Infrastructure Security Agency have already developed?

The bottom line is [for] this network, that has a patchwork of different equipment and companies, we’ve got to develop something like minimum cybersecurity standards. That’s how we make sure communications going forward are more secure and more reliable; every one of us needs that in our day-to-day life. I don’t think we should wait for the intelligence communities to complete their understanding of Salt Typhoon. I think the FCC should get started immediately, which is why I put forward a proposal to do that.

CS: The Cyber Safety Review Board is investigating the intrusions. What are, in your view, the most pertinent questions that a review like that should answer? What are the things you’d like to see addressed or clarified?

Rosenworcel: I think it’s very simple: What happened that let these malicious foreign actors to get into our network? What are we doing to get them out? And what are we doing to prevent this in the future?

That third piece is something where I think the FCC has the ability to take this law from 1994 and interpret it in a more modern way. I’m going to use every tool we have before us right now, and I’ll also welcome any new tools Congress wants to provide.

CS: Do you expect the affected telecoms to cooperate in that investigation? And how receptive have they been to requests from the FCC in its own inquiries?

Rosenworcel: I just don’t feel like I have an answer for you on that. I want to be careful on that. Let me just acknowledge that there’s a public record of the highest levels of the companies working with government authorities and our national intelligence experts on this issue.

CS: The FCC under your leadership has been praised in some quarters for taking aggressive actions around issues like cybersecurity, privacy and AI, as well as your willingness to reinterpret older communications laws in ways that can address these newer technologies. In other quarters there’s been criticism — including from Republican-appointed members of the FCC — that the agency is overstepping its statutory and regulatory authorities. Do you expect the FCC to pull back from that approach under a Republican administration?

Rosenworcel: I can’t speak to what my successor might do, but I can tell you that national security and network security go hand in hand. These communication networks are fundamental to everything we do in modern life, and it’s incumbent upon us to make sure every one of those connections is secure. You can’t just pass the buck and say it’s someone else’s job. You’ve got to look at what’s before you and make choices that reflect the world we live in today. And that’s why I believe we need to put national security front and center, that’s why we’ve done that on my watch at the FCC, and there’s all kinds of other opportunities where this has arisen.

You mentioned AI. I think one of the more stunning things that happened on my watch was at the start of [2024], voters in New Hampshire awoke to President Biden calling them on their phones and providing them with this jumble of disinformation about how they didn’t need to vote in the primary.

It was the first big episode of AI voice-cloning reaching the public and interfering with an election. We certainly had talked about it before; I’d seen AI experts explain how voice-cloning could be used over the communications network. But there it was, suddenly thousands of people woke up and got that call.

What we did at the FCC is we kicked into high gear. Very quickly we looked at the laws we have on the books, including the Telephone Consumer Protection Act of 1991, and worked with colleagues in a bipartisan fashion to very quickly conclude that AI voice-cloning sent over [a] communications network violated the [act] as it was artificial and prerecorded voice, for which there was no permission to send.

We actually issued a $6 million dollar fine to the individual behind that, and we worked with the Republican Attorney General of New Hampshire to make sure they had the information they needed for criminal prosecution.

It was the canary in the coal mine, the earliest episode of AI and voice-cloning and the risk that could represent to our elections and national security. I’m proud this agency moved fast and swiftly and set the kind of precedent that is important, which is if you use this junk and send it over the line, we’re going to come find you.

CS: There were a number of players and entities involved, including Lingo Telecom and Life Corporation. What did that experience teach you about the ecosystem in place for these kinds of calls?

Rosenworcel: That when you have an ugly incident like this, it’s imperative that you act fast, and we did that in this case. This was the biggest use of AI voice-cloning that we saw during this election cycle, and the agency stepped up very fast to indicate that it violated the law and there would be consequences. I think that we’re going to continue to have to look at the statutes that may not be totally recent to identify what values and principles are in them to make sure our networks are more reliable and secure. Everything from voice-cloning and AI to Salt Typhoon is putting pressure on the agency to think about these statutes in a modern rule.

CS: You’ve talked with members of Congress about how the FCC’s disclosure rules around AI-generated political ads could serve as a norm-changing experience for what people should expect from their political ads. Could you expand on those thoughts?

Rosenworcel: As we enter this new era with the possibilities of artificial intelligence — it can cause problems, it can also help us solve problems — I’m ultimately an optimist. But I do think that if you’re a consumer, a viewer or a listener and you are interacting with AI-generated stuff, you deserve to know. If that’s a synthetic voice or actor that you’re interacting with, you deserve to know.

I think we need to change our legal and cultural norms to reflect that for us to make positive use of artificial intelligence going forward.

CS: That push has spurred some pushback over the past year from the Federal Election Commission chair, who argued his agency had ultimate jurisdiction over the regulation of political ads. FCC Commissioner Brendan Carr also opposed the rules, likening them to an attack on political speech. How do you respond to those claims and what do you see as the consequences of the FCC pulling back on this issue?

Rosenworcel: To be clear, since the 1930s the FCC has been collecting information on political ads on broadcast and radio, so there was nothing especially new here associated with that. What is new is that artificial intelligence is going to show up in so many aspects of our lives. I think as citizens, we are entitled to know when it is being used. I think that’s pretty fundamental. You can get lost in arguments about jurisdiction and the details of the code of federal regulations, but what is really clear is if you’re interacting with something that’s synthetic, we need legal and social norms that tell you that’s the case.

CS: Robocalling remains a huge problem in America today despite efforts by agencies like the FCC and other entities to improve tracking and verification protocols. It’s caused a lot of frustration for consumers. How do we improve that?

Rosenworcel: We can’t let this destroy trust in our networks. I’ve said repeatedly this is one of those areas where we really, truly need more authority from Congress. There was a Supreme Court decision in 2021 that radically narrowed our ability to go after bad actors with robocalls by defining autocaller in a way that froze the definition of the technology in 1991. We need an update to that, so we have more expansive authorities. I’d also like the FCC ultimately to have the authority to take those bad actors to court so when we issue fines, we can follow through and collect, and right now we don’t have that authority through the Communications Act. I think we’re going to need some changes to our laws to really get to the root of this problem, and I hope my successor will continue to press for that.

CS: Do you know what you want to do after your tenure ends in January?

Rosenworcel: I know it’s the most predictable Washington answer of all time, but I want to spend more time with my family. I think public service is a 24/7 job and I want to make sure I can spend more time with my family at home, and my dog, too.