The FCC is at a critical moment in its cybersecurity efforts, FCC chairman Tom Wheeler says, efforts that have come in working with key communications networks stakeholders who he says must provide leadership in combating the growing cyber threat, but who will also be asked to demonstrate to the FCC that their approach to protecting their networks is effective.
And that will mean more than glossy PowerPoints, he said.
That is according to the chairman's prepared remarks for the RSA cybersecurity conference in San Francisco Tuesday.
"Companies that rely on communications networks for their livelihood have the knowledge, expertise—and financial incentive—to get this right. Those that build, own, and operate these networks, and those that innovate at the edge of the networks, must work proactively and cooperatively to address shared risks. Companies need to 'own' their cyber readiness," he said.
Wheeler said the FCC believed the best approach to cybersecurity is "proactive and accountable self-governance within mutually agreed parameters."
He said the FCC and stakeholders had agreed to the approach, and now enforcement was the key. That was a reference to the Communications Security, Reliability and Interoperability Council (CSRIC) and its vote last month that recommended voluntary mechanisms "by which the communications industry can improve their management of cyber risks and clarify accountability within the corporate structure..."
The President directed the National Institute of Standards and Technology to develop framework for voluntary risk management, and he said it was the FCC's role to build on that framework in the specific context of promoting the reliability and resiliency of communications networks.
CSRIC's main proposal is that communications companies volunteer to hold periodic meetings with the FCC to discuss their cybersecurity priorities, how they will address them, and how that can be effective.
Wheeler said that he understood that buy-in from those companies would rely on assurances that any sensitive information discussed is not publicly disclosed, and he said that none of the information in the meetings would be used to generate regulations. "Companies must also be relieved of any suspicion that information shared in these meetings will be used to generate regulatory proposals. That is not their purpose," he said.
He said that, for the FCC's part, it is looking for a demonstration in those meetings that a company's cyber risk management regime works, though he concedes determining that is not easy. He signaled that there would need to be some measurable benchmarks for what a cybersecure network looks like. "To be clear, the FCC’s role is not to second-guess a company’s business judgment or to micromanage its implementation," he said. But he also said that "if you can measure it, you can manage it. Never has that been more important than in cyber."
"We do not envision an adversarial process in which corporate officials are cross-examined in an attempt to draw out embarrassing admissions about security lapses," he said, "On the other hand, there needs to be more than glossy PowerPoints and prepared remarks read off a script."
Wheeler said the biggest challenge of the implementation phase is probably information sharing, something Congress is currently focused on, with two House bills scheduled for floor consideration this week that would make it easier for companies to share cyber threat information with each other and the government.
Wheeler said there needed to be a real-time flow of threat information among stakeholders, most importantly among network operators and their customers.
Wheeler signaled the FCC needs to think about how to fold cybersecurity into existing network reliability reporting mandates and privacy protections.
"The time has come to think about whether and how cybersecurity fits into this framework. Though cyber attacks may not cause network 'outages' in the traditional sense of the term, the most severe attacks can cripple service for vast swaths of users. When we talk about the security of our networks we must also think about public safety. Reporting on these events may helpfully complement other methods the FCC uses to gather information about the cyber health of our communications networks," he said.
"We are also continuing to examine how the concept of cybersecurity intersects with other aspects of the FCC’s statutory mission. For instance, the FCC has explicit responsibilities to protect the privacy of data that communications providers collect from their customers in the everyday course of business [and has additional oversight now that broadband has been reclassified under Title II]. Consumers have a right to expect that this information will be protected from disclosure. Failure to do so can have a chilling effect on free expression and the virtuous cycle of network investment and innovation," he said.
