Telecoms Asked to Devise Cybersecurity Plans
FCC Chairman Outlines Alternative to New Regulations
The U.S. federal government's top telecommunications regulator is proposing a "new regulatory paradigm" by calling on communications providers to step up and assume new responsibilities to manage cyber risks.
Federal Communications Commission Chairman Tom Wheeler outlined in a June 12 speech his vision for relying on industry and the market as an alternative to implementing new regulations. He described a voluntary initiative to help secure information networks operated by telecommunications companies and Internet service providers.
Wheeler said the new paradigm must be based on private-sector innovation and the alignment of private interests, such as return on investment, with public interests, such as public safety and national security.
"It needs to be more dynamic than rules, and - this is a key point - it needs to be more demonstrably effective than blindly trusting the market," he said. "... The bottom line is that this new paradigm can't be 'happy talk' about good ideas - it has to work in the real world. We need market accountability on cybersecurity that doesn't exist today, so that appropriately predictive and proactive investment is made to improve cyber readiness."
The largest U.S. broadband provider, Comcast, says it and other Internet service providers are up to the task of working with the FCC. "We have and will continue to be committed to taking a leadership role in establishing practices that meet the dynamic and ever-changing nature of these threats," Myrna Soto, Comcast Cable senior vice president and chief information and infrastructure security officer, says in a statement.
Wheeler, though, hinted that the FCC could adopt cybersecurity regulations if industry fails to adopt effective IT security best practices. "While I am confident that it will work, we must be ready with alternatives if it doesn't," he said.
Acknowledging Anti-Regulatory Milieu
Allan Friedman, research scientist at George Washington University's Cybersecurity Policy Research Institute, says Wheeler's remarks were tailored to the anti-regulatory environment that has taken hold in Washington. Like the White House, Friedman says, the FCC chairman acknowledges the inability of government to impose new regulations on industry.
"That said, it was nice to hear him stress that this was not simply a laissez-faire approach," says Friedman, co-author of the recently published book, Cybersecurity and Cyberwar: What Everyone Needs to Know. "While he didn't come outright and say that the market had failed, he noted repeatedly that the natural direction of the free market would not take things in the right direction. His interest in preserving other options is good, but the threat of regulatory action following poor industry cooperation only works if it is credible."
The FCC, through an advisory panel, is tailoring the initiative to conform to the Obama administration's cybersecurity framework to protect the nation's critical infrastructure, including the communications sector. "The framework's success will rely on proactive risk management, not reactive compliance with a cybersecurity to-do list," Wheeler said.
Central Pillars for New Paradigm
The FCC chairman proposed three central pillars in building the new regulatory paradigm:
- Information sharing and situational awareness. "Companies large and small within the communications sector must implement privacy-protective mechanisms to report cyberthreats to each other, and, where necessary, to government authorities," he said. "And for cyber-attacks that cause degradations of service or outages, the FCC and communications providers must develop efficient methods to communicate and address these risks."
- Cybersecurity risk management and best practices. In 2011, an FCC advisory panel identified best practices relating to domain name security, Internet route hijacking and an anti-bot code of conduct. "These standards, if implemented broadly, would harden our nation's communications backbone against cyberthreats with potentially wide-scale industry implications," Wheeler said, adding that the FCC will soon seek information to measure the implementation and impact of industry-defined best practices. "If you can measure it, you can manage it."
- Investment in innovation and professional development. Collaborating with academia and communications technology stakeholders, the FCC will identify incentives, impediments and opportunities for security innovations in the market for communications hardware, firmware and software. The FCC also must work with academia and NIST to evaluate the maturation of the nation's cybersecurity workforce.
Wheeler said the communications sector is at a critical juncture, and an industry-based solution to address the growing cyberthreat is the right approach. "The question is: Will this approach work?" he asked. "We are not Pollyannas. We will implement this approach and measure results. It is those results that will tell us what, if any, next steps must be taken."