(Washington, DC) The Chairman of the Federal Communications Commission (FCC) Tom Wheeler today unveiled a new program for communications cybersecurity that relies on industry-driven initiatives for "proactive, accountable cyber risk management for the communications sector" in lieu of a "prescriptive, regulatory approach." Nonetheless, the "new paradigm," as he called it, needs to be more "demonstrably effective than blindly trusting the market" to provide adequate cybersecurity risk management.
The goal is to spur greater cybersecurity activity by communications companies while stopping short of implementing official FCC rules or policies. Many communications companies have feared regulatory action by the FCC as a means of mandating the voluntary cybersecurity framework issued by the National Institute of Standards and Technology (NIST) last February or in the wake of a high-profile cyber incident
Speaking at an event hosted here by the American Enterprise Institute, Wheeler laid out some central pillars of the approach. The first pillar is for the FCC and communications companies to promote greater "privacy-protective" information sharing of cyber threats and attacks, along the lines of the best-in-class information sharing that the financial sector has demonstrated in its ISAC (Information Sharing and Analysis Center). The communications sector already has its own ISAC in the National Coordinating Center for Telecommunications (NCC) under the Department of Homeland Security.
The second pillar is for the FCC to measure best cybersecurity practices already developed under the Commission's auspices and to tailor risk management processes to NIST's framework. The FCC's industry-led Communications Security, Reliability and Interoperability Council (CSRIC) has already formed a working group for this task, "working group 4," which met last week to begin tailoring the NIST framework. CISRIC will host its fourth meeting on June 18, while the working group 4 is expected to meet again in late-July.
Wheeler has asked the Commission’s Technological Advisory Council (TAC) to explore specific opportunities where R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry, an effort that forms the third pillar.
It's crucial that communications companies conduct some internal reviews of their cyber risk exposure, assess how they are managing their risks and develop better metrics, Wheeler said. "Companies must have the capacity to assure themselves, their shareholders and boards – and their nation – of the sufficiency of their own cyber risk management practices."
Some companies could take time adjusting to the "demonstrably effective" aspect of the new paradigm, Wheeler noted, because it "will require a level of transparency that may make take some time to get used to, but the bottom line is that this new paradigm can’t be happy talk about good ideas – it has to work in the real world. We need market accountability on cybersecurity that doesn’t exist today, so that appropriately predictive and proactive investment is made to improve cyber readiness."
Another potential issue is the level of commitment to the FCC's program, one key communications company representative said. "There needs to be true commitment to this new paradigm. When we actively hit bumps in the road, there has to be commitment," he said, adding that the commitment has to be on the part of not only the communications companies, but also the FCC itself. "Providing there is a true will to make it work, it will work."
Communications companies aren't completely out of the regulatory woods yet. "We are not Pollyannas" Wheeler said. "We will implement this approach and measure results. It is those results that will tell us what, if any, next steps must be taken."