In the wake of a number of high-profile cybersecurity events — from the Heartbleed bug to the Target breach — cybersecurity has become a red-hot issue in Washington, D.C. Earlier this month, in a major address delivered at the American Enterprise Institute, Federal Communications Commission Chairman Tom Wheeler announced a new cybersecurity initiative to create a “new paradigm for cyber readiness” in the communications sector.
As described by Wheeler, the FCC’s cybersecurity initiative will be led by the private sector, with the Commission serving as a monitor and backstop in the event that the market-led approach fails. In particular, the FCC will “identify public goals, work with the affected stakeholders in the communications industry to achieve those goals, and let that experience inform whether there is any need for next steps.” Chairman Wheeler stressed that the new paradigm must be dynamic, more than simply new rules, and the Commission will rely on innovation by the private sector.
The Commission’s efforts will be guided by four principles, including commitments to:
- preserving the qualities that have made the Internet an unprecedented platform for innovation and free expression, so that Internet freedom and openness are not sacrificed in the name of enhanced security;
- privacy, i.e., enabling personal control of one’s own data and networks;
- cross-sector coordination, e.g., among regulatory agencies; and
- the multi-stakeholder approach to global Internet governance and an opposition to any efforts by international groups to impose Internet regulations that could restrict the free flow of information in the name of security.
Expect FCC staff actions to be organized around the following elements:
- Information Sharing and Situational Awareness. The Commission is looking into legal and practical barriers to effective sharing of information about cyber threats and vulnerabilities in the communications space. Specifically, the Chairman noted that “companies large and small within the communications sector must implement privacy-protective mechanisms to report cyber threats to each other, and, where necessary, to government authorities.” Moreover, where a cyberattack causes degradations of service or outages, the Chairman stated that “the FCC and communications providers must develop efficient methods to communicate and address th[e] risks.” To that end, the Chairman noted that the FCC is actively engaged with private sector Information Sharing and Analysis Organizations, and with other federal agencies, to improve threat information sharing and situational awareness.
- Cybersecurity Risk Management and Best Practices. Noting the work of the Communications Security, Reliability and Interoperability Council (CSRIC) in developing voluntary cybersecurity standards, Chairman Wheeler called upon communications providers to work with the Commission to set the course for years to come regarding how companies in that sector communicate and manage risk internally, with their customers and business partners, and with the government. In addition, the Commission will be seeking information to measure the implementation and impact of the CSRIC standards.
- Investment in Innovation and Professional Development. Chairman Wheeler has asked the FCC Technological Advisory Council (“TAC”) to explore specific opportunities where “R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry.” Specifically, the FCC will “identify incentives, impediments, and opportunities for security innovations in the market for communications hardware, firmware and software.” Further, the FCC will work with NIST and academia to “understand the current state of professional standard and accountability,” as well as “where the FCC might positively contribute toward further professionalization of the workforce.”
This initiative could have a significant impact on telecommunications and technology companies. Cybersecurity already is a top priority for CSRIC. A new working group was established within CSRIC and work is underway to update the industry’s cybersecurity best practices. The primary goal is to align the industry’s cybersecurity activities with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework Version 1.0 released in February 2014. Industry members are encouraged to participate in the process. Based on the current timeline, CSRIC will vote to approve the new best practices in March 2015.