Communications Litigation Today was a Warren News publication.
FCC Reserves ‘Alternatives’

Wheeler Urges Private Sector Leadership of Cybersecurity Effort Over FCC Regulation

The FCC wants the private sector to lead the communications sector’s “new paradigm” on cybersecurity risk management but “must be ready” with regulatory “alternatives” if that work fails, Chairman Tom Wheeler said Thursday. Wheeler’s remarks at an American Enterprise Institute event, billed as his first major cybersecurity policy speech as chairman, expanded on the FCC’s existing message within the sector this year that it preferred a voluntary industry-led effort to a regulatory approach (CD May 19 p4). The FCC released a prepared version of Wheeler’s speech after the AEI event (http://bit.ly/1oUaNIT).

The private sector’s cyber efforts “must be more dynamic than traditional regulation and more measurably effective than blindly trusting the market or voluntary best practices to defend our country,” Wheeler said. The FCC hopes its push will lead the communications sector to change its behavior, he said, saying up to 90 percent of breaches were preventable with basic or intermediate security practices.

An industry-led effort is likely to be more effective, because “the pace of innovation on the Internet is much, much faster than the pace of a notice-and-comment rulemaking,” Wheeler said. An effective communications sector response on cybersecurity will require a “joint effort” involving federal, state and local government collaboration, interagency cooperation, international cooperation and government outreach to the private sector, he said. The FCC has increased its focus on cybersecurity as a public safety issue this year, tasking the Technological Advisory Council (TAC) to explore opportunities for expanded cyber research and development within the sector and the Communications Security, Reliability & Interoperability Council’s (CSRIC) Working Group 4 with facilitating development of sector best practices. Those best practices would tailor the National Institute of Standards and Technology-developed Cybersecurity Framework for communications sector purposes, Wheeler said Thursday.

Bob Dix, Juniper Networks vice president-government affairs and critical infrastructure protection, told us he believes Wheeler “hit the nail on the head” on using CSRIC and TAC for cybersecurity work. The agency should be emphasizing interagency collaboration on cybersecurity matters rather than carving out its own cybersecurity role, said Dix. Much of the FCC’s work on cybersecurity issues within the communications sector duplicates efforts at NIST, the Department of Homeland Security and other agencies, he said. “The government may operate in its stovepipes and be able to run their own projects around these issues. From the private sector standpoint, we’re the volunteers,” he said. “We’re unable as a rule to support multiple cycles supporting redundant efforts.”

The FCC is exploring ways to “measure the success or failure of this new paradigm,” though “quantitative cyber-risk factors are relatively immature,” Wheeler said. CSRIC is seeking input from other federal agencies and the private sector on suitable metrics, he said. Cyber-risk assessment approaches are likely to differ from company to company, but “it is crucial that companies develop methodologies that give them a meaningful understanding of their risk exposure and risk assessment posture that can be communicated internally and externally,” Wheeler said. “That is what we are asking our stakeholders to do.”

CSRIC doesn’t “want to waste time looking for metrics that either create complacency or false assurances,” said CSRIC Working Group 4 co-chairman Robert Mayer in an interview. “We want to have evidence that organizations are taking advantage of the best risk management processes that are out there, the best informative references and mitigating their cyber risk.” CSRIC has to do that “in a way that recognizes that not all companies are starting at the same level,” said Mayer, USTelecom vice president-industry and state affairs. “Over the next year, we need to have a very serious dialogue with industry leading the discussion. We have to come up with the concepts around what is the right way to give comfort to stakeholders that there’s process.”

Dix questioned the FCC’s exploration of metrics for its cybersecurity effort, given that NIST has shied away from establishing metrics to determine successful use of its framework. “It’s so hard to quantify,” he said. “How do you create a set of metrics that presents that market acceptability that he talked about in an ever-evolving risk environment? It’s difficult to get tangible metrics around that -- and it’s hard to measure what you prevent.”

Comcast considers cybersecurity “a key component of our overall enterprise risk management,” said Chief Infrastructure and Information Security Officer Myrna Soto in a statement. “We have and will continue to be committed to taking a leadership role in establishing practices that meet the dynamic and ever-changing nature of these threats.”