FCC throws down cyber gauntlet to communications industry

Friday - 6/13/2014, 4:47am EDT

Listen to Jason Miller's interview on the Federal Drive

Download mp3

The Federal Communications Commission is challenging telecommunications providers to work more closely with the agency to improve the nation's cybersecurity. FCC Chairman Tom Wheeler said it's not a matter of creating new regulations, but developing a plan to share the responsibility to protect the country's networks.

Wheeler wants to build on the initial success of the critical infrastructure cybersecurity framework mandated by the White House and overseen by the National Institute of Standards and Technology. The White House released the framework in February, and officials say implementation and acceptance has been slow and steady.

While the framework covers the telecommunications sector, among many others, Wheeler said he is trying to go one step further.

"We are therefore challenging private sector stakeholders to create a 'new regulatory paradigm' of business-driven cybersecurity risk management," Wheeler said Thursday at the American Enterprise Institute's Center for Internet, Communications and Technology Policy event on cybersecurity in Washington. "This new paradigm must be based on private sector innovation, and the alignment of private interests in profit and return on investment with public interests like public safety and national security. It needs to be more dynamic than rules, and — and this is a key point — it needs to be more demonstrably effective than blindly trusting the market."

He said companies do not go to market using cybersecurity as a selling point to the consumer. But with the ever-increasing threats and attacks, telecommunications companies and others in this sector must make predictive and proactive investments to improve cyber readiness.

Many in the telecommunications sector already make these investments. Whether it's Verizon or AT&T or CenturyLink, they know the value of data and what happens from a market perspective if their networks go down.

Can't wait for market adjustments

Wheeler said as more and more devices are connected to the Internet, the dangers and potential harm increases. That's why the FCC believes it needs to take a different approach than just relying on the market to adjust to the problems.

Wheeler said this new shared approach will be guided by four principles.

"First and foremost is the commitment to preserving the qualities that have made the Internet an unprecedented platform for innovation and free expression. That means we cannot sacrifice the freedom and openness of the Internet in the name of enhanced security," he said. "Second is our commitment to privacy, which is essential to consumer confidence in the Internet. We believe that when done right, cybersecurity enables digital privacy-personal control of one's own data and networks. Third is a commitment to cross-sector coordination. We cannot address these threats in one-sector or one-agency silos. Particularly among regulatory agencies, we must coordinate our activities and our engagement with our sector stakeholders. Fourth, we continue to support the multi-stakeholder approach to global Internet governance that has successfully guided its evolution, and we will oppose any efforts by international groups to impose Internet regulations that could restrict the free flow of information in the name of security."

Wheeler said he hopes this approach will become a useful template for others and increase the cyber accountability of the providers.

While a bulk of this effort will be done by the private sector, Wheeler is changing the FCC's makeup to play a similar role as that of NIST when it developed the cyber framework.

First off, Wheeler said this cyber effort will be led by Adm. Dave Simpson, the FCC's chief of the Public Safety and Homeland Security Bureau.

Wheeler also created a new position of chief counsel for cybersecurity. Clete Johnson, former staff member of the Senate Intelligence Committee, is filling this role. He will help Simpson navigate the legal and strategic considerations.

Additionally, Wheeler said Jeff Goldthorp, who has worked on these issues at the commission for more than a decade, rounds out the three-person team.

Wheeler said the agency bureau chiefs and office heads are working with Simpson to "bake" cyber into the DNA of the commission. He said the commission's activities going forward will need to consider vulnerabilities and impacts from cyber early on and throughout the FCC processes.

Measuring and management

Along with a new team and an agencywide focus, Wheeler said there are three central pillars to this effort.

The first one is situational awareness and information sharing.

"We are examining the legal and practical barriers to effective sharing of information about cyber threats and vulnerabilities in the communications sector," he said. "In order to protect companies and consumers against malicious cyber attacks and intrusions, companies large and small within the communications sector must implement privacy-protective mechanisms to report cyber threats to each other, and, where necessary, to government authorities. And for cyber attacks that cause degradations of service or outages, the FCC and communications providers must develop efficient methods to communicate and address these risks."