In June, we described Chairman Wheeler’s “new paradigm” for addressing cybersecurity threats to the communications industry through voluntary, but “demonstrably effective” measures. As we predicted, the FCC has now taken one early step by seeking comments on the implementation and efficacy of certain cybersecurity best practices recommended by the Communications Security, Reliability and Interoperability Council (“CSRIC”) in March of 2012. These recommendations addressed ways to prevent distributed denial of service (DDoS) attacks, curb domain name fraud, and strengthen the security of the Internet inter-domain routing infrastructure. CSRIC’s recommended best practices can be found here (for Working Groups 5, 6, & 7). The FCC wants to hear from Internet Service Providers (“ISPs”) and the broader Internet community about the implementation of these recommendations or about suggested alternative approaches. Comments are due September 26th.
The FCC notes that it has not received feedback to date on the implementation and effectiveness of these recommended risk management best practices. In the meantime, the vulnerabilities these practices were intended to address continue to be exploited, including what the FCC describes as recent DDoS attacks of “unprecedented scale.” The information the FCC hopes to receive will help to better inform current CSRIC efforts to create “measurable, accountable cyber assurances across a wide variety of IP-based communications technologies and services.”
The FCC’s request for information is an early step in its effort to develop a voluntary, private-sector driven risk management framework for the communication sector. Chairman Wheeler has indicated, however, that should the private sector fail to develop and implement a robust set of transparent and measurable practices, the FCC will consider some form of regulation. As the Chairman stated in his June speech: “We believe there is a new regulatory paradigm where the Commission relies on industry and the market first while preserving other options if that approach is unsuccessful.”