The U.S. Federal Communications Commission is threatening to step in with regulations if network providers don’t improve cybersecurity.
The FCC will take steps to encourage cybersecurity in the coming months, acting first as a promotor of company-led initiatives instead of a regulator, in keeping with its congressionally defined mission to promote the national defense and public safety, FCC Chairman Tom Wheeler said. But if that doesn’t lead to improvements, the agency is prepared to act.
“The challenge is that this private sector-led effort must be more dynamic than traditional regulation and more measurably effective than blindly trusting the market or voluntary best practices to defend our country,” Wheeler said during a speech at the American Enterprise Institute for Public Policy Research. “We believe there is a new regulatory paradigm where the commission relies on industry and the market first while preserving other options if that approach is unsuccessful.”
Echoing the current debate over the FCC’s authority to enforce net neutrality rules, Wheeler promised that the agency will push network operators to improve cybersecurity even as those companies move more of their traffic from the more heavily regulated analog telephone network to more lightly regulated Internet Protocol-based networks.
FCC’s expanded role into IP networks
“The FCC cannot abdicate its responsibilities simply because the threats to national security and life and safety have begun to arrive via new technologies,” he said. “If a call for help doesn’t go through, if an emergency alert is hijacked, if our core network infrastructure goes down, are we really going to say, ‘Well, that threat came through packet-switched IP-based networks, not circuit-switched telephony, so it’s not our job?’”
The FCC will push operators of U.S. communications networks to adopt cybersecurity best practices developed by the FCC’s advisory committee, the Communications, Security, Reliability and Interoperability Council [CSRIC], Wheeler said.
The FCC, in coming weeks, will look at whether network operators have implemented these 2011 recommendations, which include domain name security, Internet route hijacking measures and an antibotnet code of conduct, Wheeler said. The agency will also study whether the recommendations, where adopted, have been effective, he said.
Wheeler challenged Internet companies to focus more resources on cybersecurity risk management and on public safety, saying the results of that private effort need to be “more demonstrably effective than blindly trusting the market.”
A new private-sector focus on cybersecurity “can’t be happy talk about good ideas—it has to work in the real world,” he added. “We need market accountability on cybersecurity that doesn’t exist today.”
In addition to promoting the CSRIC recommendations, the FCC will consider better ways to enable cyberthreat sharing among communications companies, Wheeler said. The agency will look at whether there are legal and practical barriers to information sharing, he said.
And the agency will explore ways to encourage new cybersecurity research and development, working with private companies, universities and the U.S. National Institute of Standards and Technology [NIST], he said.
Broadband provider Comcast, in a statement reacting to Wheeler’s speech, said it already focuses heavily on cybersecurity.
“The success of our business depends upon providing customers with a safe and secure network environment,” the statement said. “For that reason, Comcast and other communications providers view cybersecurity as a key component of our overall enterprise risk management. We have and will continue to be committed to taking a leadership role in establishing practices that meet the dynamic and ever-changing nature of these threats.”