FCC to establish cyber certification program

Tuesday - 5/11/2010, 6:52am EDT

By Jason Miller
Executive Editor
Federal News Radio

The Federal Communications Commission wants to establish a cybersecurity certification program for private sector telecommunications networks.

In a Federal Register notice released today, the FCC says the undertaking would be voluntary for broadband and other communication service providers.

"The Commission's goals in this proceeding are to increase the security of the nation's broadband infrastructure, promote a culture of more vigilant cyber security among participants in the market for communications services, and offer end users more complete information about their communication service providers' cyber security practices," the FCC writes in the notice.

The commission wants vendors to answer numerous questions about how such a program would work, what security criteria should be included, whether they have the legal authority to even create such a certification program and more.

"The security of the core communications infrastructure - the plumbing of cyberspace - is believed to be robust," the FCC states. "Yet recent trends suggest that the networks and the platforms on which Internet users rely are becoming increasingly susceptible to operator error and malicious cyber attack."

PandaLabs reports that in 2009 it detected more new malware than in any of the previous 20 years. It also reports that in 2009 the total number of individual malware samples in its database reached 40 million and that its laboratory received 55,000 samples daily, a figure that has been rising in recent months.

FCC chairman Julius Genachowski asked the commission's Public Safety and Homeland Security Bureau to analyze the agency's preparedness to handle a major cyber emergency.

The bureau recommended several actions, including motivating companies to harden their networks.

Additionally, the recently completed National Broadband Plan recommended that the FCC establish such a voluntary certification program, one that creates market incentives for firms to improve their cybersecurity. This would replace the six-year-old Network Reliability and Interoperability Council's work to issue cyber best practices.

Under the proposal, the voluntary certification program would be run by either the FCC or a qualified third party, the notice states.

"Those providers whose networks successfully complete the assessment may then market their networks as complying with stringent FCC network security requirements," the notice states. "For example, in proposing this program, the Commission hopes to create a significant incentive for all providers to increase the security of their systems and improve their cyber security practices. Would the program envisioned meet this goal? Would such a program create an economic incentive that will lead service providers to implement best practices? Would it create incentives for small communications service providers? Would it create disadvantages for smaller communications service providers or present barriers to new entrants? If it does create such disadvantages and/or barriers, what can be done to mitigate such effects, if anything?"

The FCC also wants to know whom the program would cover: all communication service providers, just Internet service providers or other types of telecommunication companies?

The criteria for the voluntary program would potentially address four areas: secure equipment management, updating software, intrusion prevention and detection, and intrusion analysis and response.

The commission wants to make the private sector responsible for developing and maintaining the security criteria, accrediting auditors to conduct assessments and maintaining a database of service providers who meet the standards.

"Additionally, the commission seeks comment on whether the auditors should also be private-sector entities," the notice states. "If so, in order to prevent conflicts of interest, should the commission prohibit the program's auditors from being affiliated, or having other relationships, with any of the entities with responsibility for the various other aspects of the certification program or entities that are participating in the program? The commission seeks comment on whether significant private-sector involvement of this sort would serve the security goals of this program and thereby serve the public interest."

Comments on the notice are due on or about Sept. 13.

(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)