The Federal Communications Commission is challenging telecommunications providers to work more closely with the agency to improve the nation’s cybersecurity. FCC Chairman Tom Wheeler said it’s not a matter of creating new regulations, but developing a plan to share the responsibility to protect the country’s networks.
Wheeler wants to build on the initial success of the critical infrastructure cybersecurity framework mandated by the White House and overseen by the National Institute of Standards and Technology. The White House released the framework in February, and officials say implementation and acceptance have been slow and steady.
While the framework covers the telecommunications sector, among many others, Wheeler said he is trying to go one step further.
“We are therefore challenging private sector stakeholders to create a ‘new regulatory paradigm’ of business-driven cybersecurity risk management,” Wheeler said Thursday at the American Enterprise Institute’s Center for Internet, Communications and Technology Policy event on cybersecurity in Washington. “This new paradigm must be based on private sector innovation, and the alignment of private interests in profit and return on investment with public interests like public safety and national security. It needs to be more dynamic than rules, and — and this is a key point — it needs to be more demonstrably effective than blindly trusting the market.”
He said companies do not go to market using cybersecurity as a selling point to the consumer. But with the ever-increasing threats and attacks, telecommunications companies and others in this sector must make predictive and proactive investments to improve cyber readiness.
Many in the telecommunications sector already make these investments. Whether it’s Verizon or AT&T or CenturyLink, they know the value of data and what happens from a market perspective if their networks go down.
Can’t wait for market adjustments
Wheeler said as more and more devices are connected to the Internet, the dangers and potential harm increase. That’s why the FCC believes it needs to take a different approach than just relying on the market to adjust to the problems.
Wheeler said this new shared approach will be guided by four principles.
“First and foremost is the commitment to preserving the qualities that have made the Internet an unprecedented platform for innovation and free expression. That means we cannot sacrifice the freedom and openness of the Internet in the name of enhanced security,” he said. “Second is our commitment to privacy, which is essential to consumer confidence in the Internet. We believe that when done right, cybersecurity enables digital privacy, personal control of one’s own data and networks. Third is a commitment to cross-sector coordination. We cannot address these threats in one-sector or one-agency silos. Particularly among regulatory agencies, we must coordinate our activities and our engagement with our sector stakeholders. Fourth, we continue to support the multi-stakeholder approach to global Internet governance that has successfully guided its evolution, and we will oppose any efforts by international groups to impose Internet regulations that could restrict the free flow of information in the name of security.”
Wheeler said he hopes this approach will become a useful template for others and increase the cyber accountability of the providers.
While the bulk of this effort will be done by the private sector, Wheeler is changing the FCC’s makeup to play a role similar to that of NIST when it developed the cyber framework.
First off, Wheeler said this cyber effort will be led by Adm. Dave Simpson, the FCC’s chief of the Public Safety and Homeland Security Bureau.
Wheeler also created a new position of chief counsel for cybersecurity. Clete Johnson, former staff member of the Senate Intelligence Committee, is filling this role. He will help Simpson navigate the legal and strategic considerations.
Additionally, Wheeler said Jeff Goldthorp, who has worked on these issues at the commission for more than a decade, rounds out the three-person team.
Wheeler said the agency bureau chiefs and office heads are working with Simpson to “bake” cyber into the DNA of the commission. He said the commission’s activities going forward will need to consider vulnerabilities and impacts from cyber early on and throughout the FCC processes.
Measuring and management
Along with a new team and an agencywide focus, Wheeler said there are three central pillars to this effort.
The first one is situational awareness and information sharing.
“We are examining the legal and practical barriers to effective sharing of information about cyber threats and vulnerabilities in the communications sector,” he said. “In order to protect companies and consumers against malicious cyber attacks and intrusions, companies large and small within the communications sector must implement privacy-protective mechanisms to report cyber threats to each other, and, where necessary, to government authorities. And for cyber attacks that cause degradations of service or outages, the FCC and communications providers must develop efficient methods to communicate and address these risks.”
The second pillar is around cybersecurity risk management and best practices. In 2011, the Communications Security, Reliability and Interoperability Council (CSRIC) completed voluntary industry best practices pertaining to domain name security, Internet route hijacking and an Anti-Bot Code of Conduct.
Wheeler said in the coming weeks, the agency will ask vendors for ideas on how best to measure the implementation and impact of these best practices.
“Building on these efforts, CSRIC is presently hard at work developing risk management processes to tailor the NIST Cybersecurity Framework for the communications sector,” he said. “This particular effort, which features the active participation of over 100 experts from throughout the communications sector, is a landmark initiative — the central proving ground for whether our attempt to create a new paradigm will be successful. We are asking communications providers to work with us in setting the course for years to come regarding how companies in this sector communicate and manage risk internally.”
The third pillar is a combination of research and development and workforce training. Wheeler said he tasked the commission’s Technological Advisory Council (TAC) to explore specific opportunities where R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry.
He also directed the FCC staff to work with federal partners and others in the private sector to gather input on how to measure, assess and manage cyber risk in the communications sector.
Wheeler didn’t offer a timeline for when this cyber effort would be finished, but he did talk about what success would look like.
“Some common success factors are already emerging from that dialogue. First, companies conduct thorough inventories of their exposure to various cyber risks, internally and with their partners,” he said. “Second, they conduct qualitative assessments of their management of those identified exposures to cyber risk. Third, they seek data from those qualitative assessments to develop quantitative metrics pertinent to their own internal needs. Fourth, they invest to close cyber readiness gaps making conscious, measured choices to mitigate risk.”
Renewed hope for legislation
The FCC’s goal of creating a cyber framework depends heavily on the trust and legal authority of information sharing. So far, that issue has been the biggest stumbling block across the government.
While experts say the Homeland Security Department, the Defense Department and others have made progress, the lack of liability protections is hampering information sharing efforts.
“The good news here is [Wednesday] my ranking member Dutch [Ruppersberger] and I sat down with [Sens.] Dianne Feinstein and Saxby Chambliss [chairwoman and ranking member, respectively, of the Intelligence Committee] in the Senate. That was one of the most productive meetings I’ve felt we’ve had this year on this issue,” Rogers said. “And now I’m being back to extremely optimistic that we will get a cyber information sharing bill this year. Extremely optimistic because I was losing hope there. I’m very, very encouraged by this meeting yesterday.”
At the same time, legislation isn’t the only issue at hand.
Bob Dix, the vice president of government affairs for Juniper Networks, said while there have been some improvements, the government needs to do a far better job in making information sharing a two-way process.
He said there needs to be better coordination across the government and the critical infrastructure sectors.
He also expressed serious frustration over the cyber incident response plan to identify roles and responsibilities in and out of government, which has been sitting in draft since 2011.
Dix said industry needs to understand the tactics, techniques and procedures more than sources and methods. Too often the government gets hung up on sources and methods and creates a need-to-know environment, he said.
Dix said there needs to be a combination of leadership, education and economic considerations to really impact the culture and information sharing environment.