FCC Warns Telecoms of Fourfold Ransomware Surge. Your Communications Supply Chain Is Exposed.

The FCC's Public Safety and Homeland Security Bureau issued a formal advisory on January 29, 2026 warning telecom providers to strengthen ransomware defenses. The commission cited a fourfold increase in ransomware attacks on telecom firms globally between 2022 and 2025. It disclosed that it became aware over the past year of ransomware incidents involving small-to-medium sized communications companies that disrupted service, exposed information, and locked providers out of critical files.

Why This Matters Beyond Telecoms

Telecom providers are foundational infrastructure. When a small or mid-sized telco gets locked out of critical systems, the disruption cascades into every business that depends on their network. Your SIP trunks, your MPLS circuits, your SD-WAN underlay, your cellular connectivity for field operations. All of it runs through providers whose security posture you probably have not assessed in the past 12 months.

The FCC's advisory is voluntary. It does not create new regulatory requirements. But it signals heightened regulatory scrutiny. Organizations that experience a ransomware incident through a telecom provider may face questions about whether they implemented reasonable vendor risk management, even though the FCC's measures are technically optional.

The Salt Typhoon Backdrop

The FCC's urgency is rooted in the 2024 Salt Typhoon campaign, where Chinese government hackers breached multiple U.S. and foreign telecom firms. Experts acknowledge it will be difficult, and in some cases impossible, for telecom companies to fully secure networks that are often patchworks of old, poorly maintained systems. Senator Ron Wyden pushed the FCC to impose mandatory cybersecurity requirements and for the DOJ to investigate potential criminal violations by Salt Typhoon victims.

The voluntary advisory is the FCC's compromise position. Mandatory requirements may follow if the industry does not respond.

What the FCC Prescribes

The advisory recommends developing a cybersecurity risk management plan with assigned responsibilities and response protocols. It calls for regular patching and software updates, disabling unnecessary features, enabling multi-factor authentication, segmenting networks, implementing zero trust architecture, monitoring for supply chain vulnerabilities in third-party vendors, backing up data, training employees, and testing incident response plans regularly.

None of this is novel. The significance is that the FCC is now telling the telecom industry to do what most enterprises already expect from their cloud and SaaS vendors.

What Enterprise Security Teams Should Do Now

Your telecom providers are part of your attack surface. If you are running risk assessments on cloud vendors and SaaS providers but not your communications infrastructure partners, that is a gap.

Ask your telco vendors directly. What is your ransomware incident response plan? When was it last tested? What third-party access do you grant? Do you segment customer traffic from management networks? The FCC just told you the threat has quadrupled. Your vendor questionnaire should reflect that.

For organizations with redundant telecom providers, verify that your failover actually works if your primary provider goes dark for 72 hours. For organizations without redundancy, this advisory is your business case to build it.

The risk: a provider outage that takes your business offline because you treated telecom as a utility instead of a managed risk.