Communications Litigation Today was a Warren News publication.
BEAD Implications

ISPs Face Unified Cyber Threat Bigger than Anything in the Past, Experts Warn

U.S. ISPs face a bigger cybersecurity threat today because nations representing that threat work together like never before, Wilkinson Barker’s Clete Johnson said Wednesday. Other experts said cybersecurity plans are rightly a requirement of receiving funding under the $42.5 billion broadband equity, access and deployment (BEAD) program.

Russia, China, Iran and North Korea “are now effectively a military alliance,” Johnson, a former Senate aide and FCC and Commerce Department cybersecurity adviser, told a Broadband Breakfast webinar. “Unlike a free-market democracy, they live in a world where the government controls the information environment.”

In those nations, hundreds of thousands of people work at “trying to conduct cyber espionage, sabotage and, in some cases, cyberwar,” Johnson said. If we think a security checklist “is going to protect us against those enemies, we are in for a reckoning.” Every ISP needs a security plan, which is “adaptive, dynamic, collaborative,” he said: “That’s the answer to the threat.”

U.S. companies are competing against state-sponsored actors, "which is very difficult,” argued Chuck Brooks, consultant and adjunct professor in Georgetown University’s Cyber Risk Management program. These countries “have unlimited resources and companies don’t." Most only have a chief security officer or CIO and are understaffed, he said.

“North Korea funds its whole economy” using “ransomware, at least recently,” Brooks said. The Chinese “are constantly targeting our critical infrastructure” and attacking U.S. companies to steal intellectual property, he added. Russia sponsors organized criminals who “operate very professionally with the best and brightest … because they’re making tons of money,” he said. “We have our work cut out for us.”

Cybersecurity rules as part of broadband funding plans “can feel like just another requirement” among many, said Cole McAndrew, information security officer at AIS Network and a former policy analyst at the Virginia Department of Housing and Community Development. Even though requirements may seem “excessive,” they should be viewed “as an opportunity to be proactive” in protecting ISP networks and the state against “massive losses from a cyber incident, but also protecting end users,” McAndrew said. “Cyber threats evolve every single day -- there are unlimited bad actors out there,” he said: “They’re constantly looking for unprotected, outdated cyber environments to exploit.”

A network “is only as strong as its weakest link,” McAndrew said. According to recent studies, more than 75% of cyberattacks this year started with an email and 98% of websites are vulnerable to attack, he added. Nearly all data breaches are due to human error and about half are perpetrated against companies with fewer than 1,000 employees.

Johnson called for partnerships between government and the private sector rather than focusing on financial penalties. National ISPs “invest hundreds of billions of dollars in the resiliency of their networks and in the security,” he said. “They know better than anyone else how to keep them running.” The government and ISPs must know “each [has the] other’s back against these criminals.”

Speakers agreed that the National Institute of Standards and Technology must play a network security role.

NIST is “very collaborative,” Brooks said, noting that while it's part of the Commerce Department, “they actually work almost at the hip” of the Department of Homeland Security, DOD and other agencies. As China focuses on quantum technology, NIST's response is post-quantum encryption standards (see 2402200064), he said.

In 1995, Congress eliminated the Office of Technology Assessment (OTA), Brooks noted: “Without NIST, I think we’d be rudderless.” NIST is bipartisan and “a great collection of minds and scientists.”

Smaller ISPs also need individualized security plans, Johnson said. “It’s not an IT department problem, it’s a CEO and board challenge,” he said. Look at the NIST cybersecurity framework and guidance from the FCC and what’s offered through the BEAD program, Johnson advised.

Security can’t start with the ISP but must begin with the user, said Jay Harmon, managing director at BorderHawk, a security consulting firm. Many homes have as many internet connections as the average business did years ago, he said. Some devices are communicating 24 hours a day and “are sending large volumes of data to addresses you have no idea about because you’re not looking,” he said. “The ISP can’t really control that.”