Technology industry groups are warning the Federal Communications Commission to exercise regulatory caution when changing its device authorization process in the name of network security.

Also Read: Secure Networks Act Passes Senate

In a notice of inquiry (NOI) and notice of proposed rulemaking (NPRM), the FCC is contemplating changes to its equipment authorizations for phones, computers and other devices that tap into FCC-regulated spectrum in its ongoing effort to better protect the network supply chain from national security threats.

Eight industry groups signed onto two letters to the commission targeting the NOI and NPRM. They included the Consumer Technology Association, CTIA–The Wireless Association, USTelecom and the Information Technology Industry Council (ITI).

While the signatories all said they supported protecting the supply chain against “foreign adversaries and nation-states,” the trade groups said the FCC effort raises a number of legal and implementation questions. It also raises the specter of unintended consequences the FCC should consider carefully before taking any action, the groups said.

The groups are particularly concerned about the FCC’s revocation of existing authorizations for equipment that may be in consumers’ homes or offices, or incorporated into other equipment.

“Devices sold at retail may be difficult or impossible to locate, and if a device has been incorporated into other equipment a replacement may require new engineering, testing, validation and manufacture,” the letter said. 

The technology groups also have issues with the proposed criteria for evaluating suspect devices according to their country of origin, rather than the technology used. Historically the FCC’s authorizations have been based on technology and not, for example, whether a device came from China. The groups said the FCC's legal authority to conduct this new type of review is unclear.

The Secure and Trusted Communications Networks Act (HR 4998) has passed the House by voice vote, according to the legislators who backed the bill. 

It must still pass the Senate and be signed by the President.  

Related: Commerce Releases Suspect Tech Vetting Framework 

Among other things, the bill would make at least $1 billion available for ripping and replacing suspect tech from existing networks. 

The bill "prohibits the use of federal funds to purchase communications equipment or services from any company that poses a national security risk to American communications networks." (Funds for federal contracts are already barred from being used on Huawei and other allegedly suspect tech.)

Related: Huawei-Scrubbing 5G Bill introduced 

The FCC has already voted to exclude suspect tech from its Universal Service Fund broadband subsidy program and sought input on how to reimburse the smaller carriers who tend to purchase suspect tech because of the cost of the subsidized products and whether it should extend the prohibition beyond the USF fund to other networks. 

Congress definitely wants the FCC to look beyond. The bill would require network providers to submit an annual report to the FCC on whether it had "purchased, rented, leased, or otherwise obtained" equipment from suspect tech providers.  

The bill specifically: 

1. "Prohibits the use of federal funds, administered by the Federal Communications Commission (FCC), to purchase communications equipment or services from any company that poses a national security risk to American communications networks;

2. "Requires the FCC to establish the Secure and Trusted Communications Reimbursement Program to assist small communications providers with the costs of removing prohibited equipment or services from their networks and replacing the prohibited equipment with more secure communications equipment or services; and

3. "Helps the Federal government better share supply chain security information with carriers, particularly smaller carriers, to help keep this equipment out of our networks in the future." 

“Securing our networks from malicious foreign interference is critical to America’s wireless future," said House Energy & Commerce Chairman Frank Pallone (D-N.J.), ranking member Greg Walden (R-Ore.), and Reps. Doris Matsui (D-Calif.) and Brett Guthrie (R-Ky.) in a joint statement. "Companies like Huawei and its affiliates pose a significant threat to America’s commercial and security interests because a lot of communications providers rely heavily on their equipment. This bipartisan legislation will protect our nation’s communications networks from foreign adversaries, and help small and rural providers remove and replace suspect network equipment. We look forward to swift action in the Senate so we can send this bill to the President’s desk and protect our national security,” the leaders said. 

The FCC had no comment at press time on how much the bill differed from what it had already established in the order voted out unanimously last month.

Few companies in the cable and telecommunications industries have escaped the cyber attacks that continue to wreak havoc on just about every layer of the supply chain.

Varying degrees of security breaches at Comcast, Cox Communications, Time Warner Cable and other cable providers have raised the red flag in the cybersecurity space and prompted a new mantra: Now is the time to raise the level of security.

“A fundamental evolution is taking place and the security implications are numerous,” Michela Menting, research director at consulting firm ABI Research, said. “Above all are the issues raised by the transition to all-[Internet protocol] networks, which are already highly exploited by threat actors and will be a boon for malicious cyber-agents — and all sectors are vulnerable.

“Investment in security services and corresponding hardware and software is not something they can ignore or put off , except at great cost to their services, reputation and client base,” she said.

Cybersecurity concerns have become so paramount that in its Charter Communications-Time Warner Cable merger order, the Federal Communications Commission required Charter to submit a plan to manage its increasing security risks during the transition.

And according to the Hewlett Packard Enterprise/Ponemon Institue “2015 Cost of Cyber Crime” study, hacking attacks cost U.S. firms, on average, some $15.4 million a year. Globally, U.K. insurance firm Lloyds estimates that cyber-attacks are costing businesses a staggering $400 billion a year.

There’s also the shaken confidence of clients and subscribers about the safety of their data. And not everyone is convinced the cable industry is prepared for any attacks.

“Cable networks are archaic in many respects, as they extend the life of existing systems, and frankly, the security posture of networks and the less time spent on security leads to a lot of holes,” Chris Simkins, CEO and co-founder of supply chain analysis and risk management firm Chain Security, said.

PricewaterhouseCoopers (PwC), a consultancy moving deeper into the cybersecurity space, believes cable companies are getting the message that shoring up their networks should be of the highest priority.

“There’s a lot going on with MSOs and we’re seeing the awareness lev el rising,” Mark Lobel, a principal in PwC’s U.S. advisory practice and Cybersecurity Technology, Information, Communications & Entertainment leader, said. “But cybersecurity is like a chess game with no kings, and trying to stay ahead of who’s across the board.”

And just who is across the board?

“There are many threat vectors,” Irfan Saif, a principal in Deloitte’s Cyber Risk Services practice, said. “There are service-disruption actors, those looking at the backbone to propagate malware and those who want to compromise customers. It’s a broad range of threat actors and companies must be cognizant of them all.”

That will require a holistic approach, Saif noted. “You must understand what behavior is considered normal and what indicates a threat of attack and what are the crown jewels that require higher-grade protection.”

Cisco Systems, another player in the cybersecurity space, concurred with Saif’s assessment.

“The best approach is a holistic look at security and where each layer builds on top of each other — firewalls, advanced malware protection, email and core technologies like conditional access, DRM and anti-piracy technology — a breadth of security,” Cisco senior product and solutions marketing manager Sam Rastogi said.

Another less glamorous threat, but just as dangerous, comes from the inside.

“Employees or vendors with access to information is a growing concern,” Rastogi sad. “Who’s accessing information and how, and is there abnormal activity? A risk-based program with alerts, authentication measures and more will give companies more insight.”

CableLabs, the cable industry’s research and development consortium, is accelerating its cybersecurity activity with two initiatives: It’s working with the Wi-Fi Alliance to ensure links to hotspot access points are secure, and it’s reaching more deeply into home managed access points.

“The level of engagement is very high and there are real questions being asked,” The mindset is changing,” CableLabs principal security architect Steve Goeringer said.

That’s a good thing, said Rick Michaels, CEO of CEA, a cable industry-focused investment bank. “It’s one thing that cable is carrying 60% of the Internet traffic, but now there are data centers and multiple services with different touch points in cable. Cybersecurity should be of paramount interest to the cable industry.”

Most cable companies are understandably reluctant to discuss their cyber security strategies. Comcast, which in March hired Noopur Davis as senior vice president of product security and privacy, offered a statement from Myrna Soto, senior vice president and global chief information security officer: “We’ve committed extensive resources with a focus on risk management and built resilient and smarter networks with many security layers that are monitored continuously. Using automation, tooling and analytics is key.”

Arris, another key equipment supplier to cable networks, said in a statement (in part): “Security remains a top priority at Arris, as it does for all manufacturers of Internet and network-connected devices” and that it “employs a variety of protective measures to help ensure the safe and reliable operation of our devices including, but not limited to, DOCSIS compliance, vulnerability scanning, and monitoring programs.” It works “actively with security organizations and our service provider customers to identify and quickly resolve any potential vulnerabilities to protect the subscribers who use our CPE devices.”

Breaches cut across both residential and business markets, added Sander Smith, president of Sericon Technology.

“It’s clear that very soon we’ll see consumers filling their home networks with IoT devices, and these devices will be rushed to market with very little thought given to security.”

Yet even with the increase in cyber attacks (PwC reported a 38% increase in 2015 vs. 2014), there is cautious optimism that with emerging cybersecurity innovations, an expanding community of cybersecurity companies and a heightened awareness among service providers, security is being strengthened.

“We’re seeing various levels of maturity in cable and telecom and a raising of awareness in those organizations,” PwC’s Lobel said. “But they can’t lose focus.”

The National Cable & Telecommuications Association is focusing its cybersecurity attention on two areas, senior vice president, science and technology and chief technology officer Bill Check said.

“We are leading the industry’s Cybersecurity Working Group and working with the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC), along with various cybersecurity-related working groups,” he said. “The challenge is to anticipate current and future threats and design systems of early detection and resistance, because cyber-criminals will always look for new exploits.”