The National Broadband Plan (the “Plan”) makes a number of recommendations to promote and strengthen cybersecurity and to protect critical broadband infrastructure, in an effort to increase consumer confidence, trust and broadband adoption. The Plan first recommends an active federal role in creating public-private cybersecurity partnerships, development of machine-readable repositories with actionable real-time information on cybersecurity threats, expansion of cybersecurity educational and training programs, coordinated cybersecurity assistance to help foreign countries develop expertise in this area, and increased Federal Communications Commission (FCC) participation in domestic and international fora addressing cybersecurity. With respect to other FCC-specific steps, the Plan sets out for the FCC several key tasks to foster cybersecurity, including:
- Working with the executive branch to issue within 180 days of the Plan a cybersecurity “roadmap” identifying the five most critical cybersecurity threats and establishing a two-year plan for addressing the threats
- Working with Internet service providers (ISPs) to build robust cybersecurity protection and defenses into networks used by businesses and individuals who lack access to cybersecurity resources
- Initiating FCC proceedings to (a) extend FCC Part 4 outage reporting rules to broadband ISPs and interconnected voice over Internet protocol (VoIP) providers, (b) inquire into the resilience, reliability and preparedness of broadband networks, and (c) explore whether and how to encourage voluntary efforts by broadband providers to improve cybersecurity
- Establishing a IP network cybersecurity information reporting system
- Jointly creating with the National Communications System (NCS) priority network access and routing for broadband communications to protect time-sensitive, safety-of-life information needed by public safety providers
- Funding a wireless test bed for evaluating network security
The Plan seeks to secure the most vulnerable broadband facilities and data transfers from cyber threats, such as espionage, disruption and denial of service attacks. Noting that the proliferation of IP-based communications requires stronger cybersecurity, and that disasters and pandemics can cause sudden disruptions of normal IP traffic flow, the Plan recognizes that broadband networks must be held to high standards of reliability, resiliency and security.
Cybersecurity also is critical to consumer online security (preventing viruses, spam and malware) especially given the extent to which spam can often contain threats such as password-stealing malware directed at,e.g., banking and financial accounts. The global, borderless nature of the Internet has lead to the emergence of new categories of threats that can come from anyone, anywhere in the world, at any time. The Plan seeks to protect the Internet and provide cybersecurity as both an economic and national security priority.
Currently, the Department of Homeland Security (DHS), the Department of Justice (DOJ) and the executive branch take the lead in promoting cybersecurity, while other agencies like the National Security Agency (NSA), the Department of Defense (DoD), the National Institute of Science and Technology (NIST), the National Science Foundation (NSF) and the FCC have all had active roles. DHS leads federal cybersecurity activities in particular, supported by numerous efforts such as the OnGuard Online program and DOJ legal actions. Many of the Plan’s recommendations in this area focus on leveraging these existing roles, expanding their focus, and public-private cybersecurity partnerships, while others set forth specific steps the FCC can take to facilitate these efforts.
Recommendations for federal agencies
The Plan urges an active federal government role in developing public-private cybersecurity partnerships by having the executive branch develop protocols with major industry sectors for the sharing of cybersecurity information, threats and incidents in a non-attributable manner, while also working with the Small Business Administration (SBA) to develop a cybersecurity resource program in conjunction with state and local governments to develop partnerships for small and medium enterprises as well.
The Plan also seeks to enlist the public and private sectors to ensure the security of Internet Information Sharing and Analysis Centers (ISACs) and to expand them beyond the financial services sector (FS-ISAC), information technology sector (IT-ISAC), and state and local governments (the Multi-State ISAC, or MS-ISAC).
Next, the Plan recommends that the executive branch develop, in collaboration with relevant regulatory authorities via a process led by the White House Cybersecurity Coordinator, machine-readable repositories containing actionable real-time information on cybersecurity threats (including viruses, spam, IP address blacklists and other indicators). It also suggests that the executive branch expand educational and training programs and career paths—including increasing current funding—to build workforce capability in cybersecurity.
Further, noting that it will be crucial to engage international counterparts, the Plan recommends that the executive branch develop a coordinated foreign cybersecurity assistance program to assist foreign countries to develop legal and technical expertise to address cybersecurity, similar to assistance provided in the areas of counternarcotics and human trafficking, and that other federal agencies with relevant expertise work collaboratively with foreign counterparts. At the same time the Plan indicates the FCC will increase its participation in domestic and international fora addressing international cybersecurity.
Finally, the Plan suggests that Office of Management and Budget build on its Federal Desktop Core Configuration and Trusted Internet Connections initiatives by accelerating technical actions to secure federal government networks, including speeding implementation of Internet Protocol Version 6 throughout the federal government, and efforts to secure the Internet’s routing system.
Recommendations for FCC action
The Plan recommends that the FCC issue within 180 days a cybersecurity “roadmap” that identifies the five most critical cybersecurity threats to communications infrastructure and its end users, and establishes a two-year, milestone-aided plan to address those threats. The Plan also states the FCC’s intent to work with ISPs to build robust cybersecurity protection and defenses into networks offered to businesses and individuals who lack access to cybersecurity resources, with the expectation that the federal government will provide technical assistance to ISPs participating in the program. In addition, the Plan states that there is a critical need for more consumer education on what threats they face, how to protect their connections and where to turn in case of emergency.
The Plan contemplates other FCC proceedings as well. They include commencing a proceeding to expand the FCC’s Part 4 outage reporting rules to include broadband ISPs and VoIP providers, begin an inquiry into the resilience and preparedness of broadband networks under a set of physical failures (both malicious or non-malicious) and under severe overload, including extraordinary events such as bioterrorism attacks or pandemics. Another proceeding would involve commencement of an FCC inquiry on the reliability and resiliency standards being applied to broadband networks, and to explore what actions it should take to bolster reliability.
The FCC also proposes to create a voluntary cybersecurity certification system that provides market incentives for upgrades and education, including “all measures that will promote confidence in the safety and reliability of broadband communications.”
To respond effectively to cyber attacks, the Plan recommends that the FCC and DHS create an IP network cybersecurity information reporting system (CIRS) to mirror the existing Disaster Information Reporting System, for monitoring system cyber events affecting communications infrastructure, with the FCC to facilitate sharing but maintain ISP proprietary information as confidential. In addition, the NBP also suggests the FCC and NCS leverage their Government Emergency Telecommunications Service (GETS) and the Wireless Priority Service (WPS) experience to jointly create priority network access and routing for broadband communications to protect time-sensitive, safety-of-life information needed by public safety providers.
Finally, cybersecurity also factored into the Plan’s recommendation that NSF, in consultation with the FCC, fund a wireless test bed for evaluating the network security needed to provide a secure broadband infrastructure to permit empirical assessment of radio systems and the complex interactions of spectrum users, and that a request for proposal (RFPs) be made to build and assess a network test bed that is sufficiently secure.
The FCC will be releasing a series of notices to launch each of its future proceedings.