Jury Still Out on Wheeler's Cybersecurity Legacy at FCC, Amid Recent Rulemakings
FCC Chairman Tom Wheeler's legacy on cybersecurity remains up for considerable debate in what are likely the closing months of his chairmanship, stakeholders said in interviews. Wheeler's stated focus on improving sector cybersecurity through public-private partnerships generated early progress, but more-recent FCC actions stemming from Communications Act Title II reclassification of broadband as a telecom service raise uncertainty about that commitment, experts said. The FCC announced in 2014 that it would be making cybersecurity a bigger public safety focus (see report in the Feb. 19, 2014, issue). Wheeler that year began calling for what he called a “new paradigm” on cybersecurity risk management in which the private sector would lead development of standards on cybersecurity issues (see report in the June 13, 2014, issue).
Wheeler's push for a public-private partnership on cybersecurity still draws praise from industry officials, particularly because it resulted in robust work via the Communications Security, Reliability and Interoperability Council on a range of cybersecurity issues. Several pointed to CSRIC's adoption in 2015 of a report on communications sector cybersecurity risk management, which was meant to adapt the National Institute of Standards and Technology’s Cybersecurity Framework (see 1503180056). Wheeler “has made network security a top priority” as chairman via a “multifaceted” program, a spokeswoman said. The agency has augmented CSRIC's ongoing cybersecurity work by convening 911 experts via the Task Force on Optimal Public Safety Answering Point Architecture to “develop a cybersecurity architecture for the nation's 911 system,” the spokeswoman said.
Public Safety Bureau Chief David Simpson's fostering of the CSRIC work was important for “backing up” Wheeler's articulation of a “clear policy that telecom companies needed to do more on cybersecurity than what the market was bearing,” said Venable cybersecurity and telecom lawyer Jamie Barnett, a former Public Safety Bureau chief under then-FCC Chairman Julius Genachowski. Barnett said CSRIC work on cybersecurity, and particularly on adapting the NIST framework for communications sector use, “has been very significant because they had to work with industry to come up with those things.” Barnett lauded Wheeler's push to recruit additional cybersecurity experts to the FCC.
Wheeler has “clearly prioritized cybersecurity” during his chairmanship, first by “speaking out on these issues” and then supporting CSRIC cybersecurity work as part of his call for a public-private partnership, said Akin Gump cybersecurity and telecom lawyer David Turetsky, a former Public Safety Bureau chief. CSRIC working groups are examining cybersecurity issues as part of work on aspects of communications sector security, including Working Group 5's work on sector-specific cyber information sharing issues. Turetsky praised Wheeler for ensuring that Public Safety had additional resources to enable a better cybersecurity focus within the bureau.
The FCC chief's support for the public-private partnership on cybersecurity is a “good continuation” of earlier government-private sector collaboration on cybersecurity risk management, including NIST's 2013-2014 development of the Cybersecurity Framework, said Computer & Communications Industry Association Public Policy and Regulatory Counsel Bijan Madhani. CCIA's members include Amazon, BT, Dish Network, Facebook, Google, Samsung and Sprint. “It's been smart for the FCC to see where businesses believe they can act reasonably” to improve their cybersecurity, with the NIST framework becoming the most reasonable set of best practices to guide risk management, Madhani said. Internet Security Alliance President Larry Clinton said he thought Wheeler's early steps to develop the public-private partnership on cybersecurity were “visionary and absolutely appropriate given the need to break from the traditional paradigm of the regulatory agency” on cyber issues.
Industry perceptions about Wheeler's commitment to maintaining his “new paradigm” have become more cloudy in recent months given the cybersecurity implications of recent FCC rulemakings that have drawn on the commission's expanded Title II authority as delineated in the net neutrality order, Clinton said. Stakeholders began raising concerns about the effect expanded Title II authority would have on the FCC cybersecurity stance before the commission's 2015 vote on net neutrality (see 1502250065). An FCC spokeswoman framed recent rulemakings as a way of ensuring that promoting network security is “baked into” the agency's work. The rulemakings have incorporated “a security-by-design approach in the Commission's recently adopted 5G rule, updating the Commission's network outage reporting requirements, and, more generally, ensuring that network security is a consideration wherever appropriate in the work before us,” the spokeswoman said.
“It was my initial impression Wheeler was recognizing the need to move beyond the traditional regulatory model, and I think you saw that in CSRIC's work and how well industry responded to his initiatives,” Clinton said. “Now, it looks like we've slipped back into the 1980s with the commission's recent work” on rulemakings like the ISP privacy proceeding, he said. “I have great concerns for what the impact is going to be” if that trend continues, Clinton said: “It's not going to be good for cybersecurity, it's not going to be good for the public interest. It's a flip-flop from his earlier leadership” on the public-private partnership.
The chairman “certainly reserved the FCC's right to regulate” cybersecurity even in his initial public statements about the need for an industry-led effort, so the expansion of Title II authority “will also be a significant part” of Wheeler's cybersecurity legacy, Barnett said. The Title II expansion allows the FCC to now more broadly examine “what the FCC's going to do and what industry's going to do to prove that they're taking care” of cybersecurity issues, Barnett said. The extent to which proposed ISP privacy rules will result in more cybersecurity regulation is “still up in the air,” Madhani said. Industry stakeholders already view the NPRM as being prescriptive, but the extent to which that view extends to the NPRM's data protection implications “depends on the details” of the final rules, he said.
The FCC head's legacy on cybersecurity is still “being shaped” because of the cyber implications of the ISP privacy NPRM and other rulemakings, Turetsky said: “The rules-based approach to cybersecurity that you see in the privacy NPRM is different in some respects from how” Wheeler previously framed his cybersecurity vision. Critics cited the inconsistencies between the two approaches, so the final set of ISP privacy rules that the FCC adopts “will be very important” to Wheeler's cybersecurity legacy, Turetsky said.
The outcome of the ISP privacy NPRM and other rulemakings that have cybersecurity implications “may have some impact on the opportunities to proceed in the public-private partnership,” Turetsky said. Clinton said he's concerned about the private sector's willingness to participate in FCC-facilitated cybersecurity efforts if the commission increases its regulation of cybersecurity via Title II, though he noted that the commission isn't the only agency that has voiced support for public-private partnerships while simultaneously expressing a willingness to increase regulation.
Misapplication of the public-private partnership model “could have a very serious and deleterious effect on future attempts” at encouraging industry-led cybersecurity efforts within the federal government, Clinton said: “They're slipping back into this antiquated government-centric model, and that's not going to work. The government is going to be looking for friends in this space and there are going to be people who will say, 'I'm not sure I can trust them.' If that happens, it's really bad for government because in the cybersecurity space the government needs the private sector. We're all in this together.”
Wheeler's cybersecurity legacy is also unclear since a policy statement that would set up the process for conducting the FCC-private sector meetings as part of its larger adoption of the 2015 CSRIC report on cyber-risk management is still under circulation, officials said. The FCC circulated the policy statement in February but major communications sector interests soon raised concerns that the commission wouldn't have the legal authority to implement desired confidentiality protection rules for the meetings that are similar to those that the Department of Homeland Security uses in its Protected Critical Infrastructure Information Program (see 1602220052 and 1603010073). “It's really not clear to me why the FCC hasn't generated a way forward to provide those confidentiality assurances more than a year after the CSRIC report was adopted,” Turetsky told us. “We've heard various predictions on when that statement would be forthcoming and we've blown through all of those dates.” An FCC spokeswoman confirmed the policy statement is still pending but declined further comment.