Tom Wheeler served as the 31st Chairman of the Federal Communications Commission from 2013-2017. On February 14, he joined a panel discussion at Brookings titled "The federal Cybersecurity Framework 4 years later: What’s next for cybersecurity?"
Four years ago, the Obama Administration rolled out the Cybersecurity Framework from the National Institute of Standards and Technology (NIST). It has proven to be an essential and indispensable roadmap for companies to review their cybersecurity risk and preparedness. Recently, NIST updated the document to reflect supply chain risk and additional security insights.
The anniversary of the NIST Framework should be a time to celebrate the federal government’s preparation for the cyber threats to the critical infrastructure of our communications networks. The Department of Defense, Department of Homeland Security, and intelligence community have all stepped up. Unfortunately, the agency responsible for the commercial networks that connect us, the Federal Communications Commission, is AWOL on cyber. It is a policy gap so great that the National Security Council recently found it important to propose their own solutions for the security of next generation wireless networks.
The Trump FCC has taken a laissez-faire approach to its cyber responsibility. The Chairman has previously described the FCC’s cyber role as “relatively circumscribed” and spoken in opposition to “uniform rules that would apply to an entire industry.” In testimony before the Senate, Republican Commissioner Michael O’Rielly described the FCC’s cyber authority as “extremely limited.”
This is not what the law provides, however. The opening lines of the Communications Act that gives the FCC its authority are far from the alleged “circumscribed” and “limited” smokescreen the Trump FCC hides behind. The statute instructs the FCC to act in furtherance of “national defense, [and] for the purpose of promoting safety of life and property through the use of wire and radio communications.” That mandate to deal with threats to national defense and public safety surely encompasses the current cyber threats to national and individual security.
Everything is connected
Cybersecurity touches virtually every aspect of our network-based activity, because in the digital economy, virtually everything is connected. That means that everything is at risk for a cyberattack. Yet, the federal agency charged with the oversight of the nation’s electronic networks has walked away from its cyber responsibility.
In the closing days of the Obama FCC, the agency’s Public Safety and Homeland Security Bureau released a white paper that discussed the cyber risks resulting from the expansion of new networks and devices. Upon taking over a few weeks later, the new Chairman pulled the study. He could have developed his own white paper to challenge the earlier conclusions, or he could have sought public comment on the analysis; instead, he just killed the discussion. The new Chairman said the FCC’s role in such matters should only be “consultative,” rather than action-oriented.
Shortly thereafter, the Chairman pulled a Notice of Inquiry started by the Obama FCC to incentivize industry and academic efforts to secure forthcoming fifth generation networks. This proceeding would have identified cyber best practices and designs for the new network. It represented a rare opportunity to plan for the cyber challenge by encouraging the multiple stakeholders designing 5G to include cyber in their new technical standard from the start. Had the proceeding continued, it would have had positive international ramifications, clearly communicating the intent of the United States to lead the world in developing and implementing cyber-ready 5G. However, the industry did not like the idea, and so it dropped from the FCC’s agenda. Providers focus narrowly on their proprietary activities when they address cyber. When the FCC walks away from 5G cyber, is it any wonder the National Security Council notices and seeks remedies, including possible nationalization of the network as a solution?
Cybersecurity policy should permeate everything the FCC does, even those issues that seem to be “non-cyber.” For instance, when the new Chairman and the Republican Congress killed the previous Commission’s privacy order at the request of the industry, they also killed important cyber protections. The rule had required companies to have sufficient cyber safeguards in place to protect the private consumer information they held. As a result, the amount of consumer data collected, retained, and exposed to risk continues to grow without protective requirements.
The high-profile repeal of the FCC’s Open Internet Rule had a similar impact on weakening cybersecurity. The classification of broadband service providers as common carriers required them to secure their networks. Not only did the Trump FCC repeal the Open Internet Order, but it also walked away from any responsibility for broadband service, saying the Federal Trade Commission could do the job. The FTC lacks not only telecommunications experience and regulatory authority, but it also lacks cyber expertise and authority.
Billions of microchips
The ubiquity of cyber in our connected society is reinforced by the growth of the internet of things. Instead of preparing as tens of billions of microchips communicate with each other and connect to the internet, the FCC looks away. Following the 2016 Dyn attacks that shut down vast swaths of the internet as a result of compromised video cameras (among other devices), I responded to an inquiry from Sen. Mark Warner (D-VA). It would make sense if the FCC’s certification of electronic devices (required of every device from cellphones to connected coffeepots to assure non-interference with other radio devices) expanded to include cyber-certification. Instead of moving to secure the new networks, however, the Trump FCC has remained silent.
In the ultimate cyber-blindness, the Trump FCC has ignored its own report to Congress on the state of the nation’s 911 system. Just last week, the Commission sent Congress the annual report on 911 networks. Buried in the report was the fact that only 11 states and the District of Columbia have cyber protection programs in place for their 911 systems. Nothing in the Commission’s public statements highlighted this challenge and the sizable public safety problem it represents. As 911 systems convert to digital, they become a target for cyberattacks like everything else. Yet there is no FCC leadership to protect American citizens’ reliance on 911.
Because cybersecurity touches everything, we need a whole-of-government response. The Department of Defense, intelligence community, and the Department of Homeland Security can only go so far – and they have no regulatory authority over commercial networks. In this time of national cyber threats, everything the FCC does should be viewed through the lens of cybersecurity. The regulator responsible for commercial communications should include risk-informed cybersecurity deliberation throughout the discharge of its duties.