So, while the government was shutdown, Cyberattacks against U.S. government employees have surged by 85%, with projections indicating over 555 million attacks by the end of the month. According to Media Trust, these attacks are not just generic phishing attempts; they are targeted digital assaults aimed at exploiting the vulnerabilities of federal employees during this period of financial stress. Experts warn that the implications of these cyber threats extend beyond immediate breaches, with potential long-term consequences for recruitment and trust in government institutions. As essential employees, particularly within the Department of Veterans Affairs and the Department of Justice, continue to work unpaid, they are increasingly at risk, facing not only morale issues but also heightened threats from nation-state actors and cybercriminals.
But now that they’re back, The Federal Communications Commission has voted to remove several cybersecurity regulations that were established following significant breaches by Chinese hackers targeting major telecommunications companies. This decision, made by a Republican majority in a party-line vote, reverses a ruling that required telecoms to enhance their cybersecurity measures and submit annual risk management certifications. FCC Chairman Brendan Carr stated these rules were ineffective and claimed that voluntary efforts from carriers would better address cybersecurity threats, despite concerns from Democratic lawmakers who argue that this rollback leaves the public vulnerable.
The U.S. Securities and Exchange Commission has officially dismissed its case against SolarWinds Corporation and its Chief Information Security Officer, Timothy Brown, following a significant cyberattack linked to Russian hackers. This case, initiated in late 2023, raised alarms within the cybersecurity community after the SEC accused the company of violating securities laws by failing to disclose vulnerabilities related to the 2020 Sunburst attack. According to a joint stipulation posted by the SEC, both parties agreed to dismiss the case with prejudice, indicating a final resolution. A spokesperson for SolarWinds expressed satisfaction with the dismissal, emphasizing that it alleviates concerns among Chief Information Security Officers regarding the implications of the case on their responsibilities. This development comes after earlier discussions in July aimed at negotiating a resolution to the litigation.
Why do we care?
Attackers are getting more targeted, more opportunistic, and more aggressive — and the federal government is getting less consistent in its expectations. That’s a bad combo for anyone trying to protect customers, particularly as we need the government to handle the nation-state part of the equation.
We just watched cyberattacks spike against federal employees during a shutdown — because adversaries know stress creates openings. When federal employees go unpaid, adversaries get bold. For MSPs, the lesson is simple: social engineering risk isn’t seasonal. It’s situational
And right as that’s happening, regulators roll back mandatory telecom security rules and quietly walk away from their biggest test case on disclosure standards. When regulators get softer, the burden shifts downstream. If telecoms aren’t required to secure the edge, that fragility becomes your problem to mitigate.
So the big takeaway is this: no one’s coming to save us. The rules aren’t going to tell your customers what “good security” looks like. That’s on you.
This isn’t doom-and-gloom. It’s clarity. When regulation gets softer, insurers and auditors usually get tougher — and they’ll look straight at MSPs for the evidence. If you don’t have a defined minimum standard, you’re going to be judged against someone else’s.
So use this moment. Revisit your baseline. Lock in what’s mandatory for every customer. Explain these regulatory shifts as proof that voluntary security doesn’t work. And shore up your own internal documentation — because even though the SEC backed off in this case, customers still expect transparency and accountability from the people running their tech. This doesn’t mean security leaders are off the hook — it just means the accountability model is still undefined. And when accountability is fuzzy, customers lean harder on their MSP for clarity.
Bottom line? The threat landscape is accelerating, and the regulatory landscape is wobbling, putting MSPs in the position of a stabilizing force. Set the standard before someone else — or some incident — sets it for you.