The Federal Communications Commission ("FCC") is seeking industry and public comment on whether it should take further steps to ensure that the U.S. communications industry is sufficiently prepared for cybersecurity threats.
The Commission last raised this question several years ago when it appointed an advisory committee of industry, public safety, and consumer representatives to develop recommendations for best practices in lieu of regulatory requirements. The voluntary recommendations ("Recommendations"), released in 2012 by the FCC's Communications Security, Reliability, and Interoperability Council, focused on remediating security oversights, gaps, and outdated practices that facilitate malicious use of networks and network services. Among other things, the Recommendations included:
- Adoption of an Anti-Bot Code of Conduct to educate users and mitigate the effects of botnet activity on ISP networks;
- Increased implementation of the Domain Name System Security Extensions ("DNSSEC") to allow internet users to validate the identity of websites; and
- Measures to prevent IP route hijacking—the routing of traffic through potentially untrustworthy networks.
In its July 25, 2014, Public Notice ("Notice," available at http://www.fcc.gov/document/pshsb-seeks-comment-csric-iii-cybersecurity-best-practices), the FCC requests input from ISPs, the internet community, and consumer groups to help assess whether the Recommendations are being implemented, and to comment on their effectiveness and the lessons learned from any such implementation. The Notice reiterates that a wide range of stakeholders, including leading ISPs, participated in the development of the Recommendations and publicly committed to implementing them, and it describes the Notice as an effort to develop "proactive private sector-driven" risk management. At the same time, however, the Notice pointedly observes that the vulnerabilities described in the Recommendations continue to be exploited, adding urgency to the need for their immediate implementation or for potential "alternative approaches" (i.e., federal regulation).
The Recommendations and the recent Notice indicate the Commission's desire to improve cybersecurity through collaboration rather than regulation, thus avoiding the lengthy and at times cumbersome process that often accompanies rulemaking. The Notice highlighted FCC Chairman Tom Wheeler's desire to avoid a "prescriptive regulatory approach" that is incapable of addressing the complexity and pace of change inherent in matters related to the internet. At the same time, however, the Chairman's stated preference for the approach of collaboration rather than regulation comes with the caveat that any industry-led security regime must be "more demonstrably effective than blindly trusting the market." This Notice can be seen as an early attempt to allow the industry to build its track record under the FCC's voluntary collaboration approach, as well as to signal the type of transparency and accountability that may be expected to support such a voluntary framework.
The Notice seeks comment on several specific questions, which will assist the FCC in evaluating the effectiveness of the Recommendations thus far:
- What progress have stakeholders made in implementing the Recommendations?
- What barriers have stakeholders encountered in implementing the Recommendations?
- What significant success stories or breakthroughs have been achieved in implementing the Recommendations?
- What are stakeholders' views and/or plans for full implementation of the Recommendations?
- How effective are the Recommendations at mitigating cyber risk when they have been implemented?
- Given the experiences gained in the past two years, are there alternatives to full implementation that could be more effective than full implementation at mitigating cyber risk posed by botnets, DNS vulnerabilities, routing infrastructure vulnerabilities, and source address spoofing? On what basis do stakeholders believe that these alternatives are more effective than the Recommendations? Do stakeholders undertake qualitative or quantitative evaluations of the effectiveness of these various approaches, or both?
Other federal agencies have increased their oversight of cybersecurity-related matters, including the Federal Trade Commission and the Securities and Exchange Commission. The FCC's Notice provides interested parties a unique opportunity to assist the Commission in determining whether it should do the same. Comments are due by September 26.