Federal Communications Commission Requests Comments on Effectiveness of Cybersecurity Recommendations
The Federal Communications Commission ("FCC") is seeking industry and public comment on whether it should take further steps to ensure that the U.S. communications industry is sufficiently prepared for cybersecurity threats.
The Commission last raised this question several years ago when it appointed an advisory committee of industry, public safety, and consumer representatives to develop recommendations for best practices in lieu of regulatory requirements. The voluntary recommendations ("Recommendations"), released in 2012 by the FCC's Communications Security, Reliability, and Interoperability Council, focused on remediating security oversights, gaps, and outdated practices that facilitate malicious use of networks and network services. Among other things, the Recommendations included:
- Adoption of an Anti-Bot Code of Conduct to educate users and mitigate the effects of botnet activity on ISP networks;
- Increased implementation of the Domain Name System Security Extensions ("DNSSEC") to allow internet users to validate the identity of websites; and
- Measures to prevent IP route hijacking—the routing of traffic through potentially untrustworthy networks.
In its July 25, 2014, Public Notice ("Notice," available at http://www.fcc.gov/document/pshsb-seeks-comment-csric-iii-cybersecurity-best-practices), the FCC requests input from ISPs, the internet community, and consumer groups to help assess whether the Recommendations are being implemented, and to comment on their effectiveness and the lessons learned from any such implementation. The Notice reiterates that a wide range of stakeholders, including leading ISPs, participated in the development of the Recommendations and publicly committed to implementing them, and it describes the Notice as an effort to develop "proactive private sector-driven" risk management. At the same time, however, the Notice pointedly observes that the vulnerabilities described in the Recommendations continue to be exploited, adding urgency to the need for their immediate implementation or for potential "alternative approaches" (i.e., federal regulation).
The Recommendations and the recent Notice indicate the Commission's desire to improve cybersecurity through collaboration rather than regulation, thus avoiding the lengthy and at times cumbersome process that often accompanies rulemaking. The Notice highlighted FCC Chairman Tom Wheeler's desire to avoid a "prescriptive regulatory approach" that is incapable of addressing the complexity and pace of change inherent in matters related to the internet. At the same time, however, the Chairman's stated preference for the approach of collaboration rather than regulation comes with the caveat that any industry-led security regime must be "more demonstrably effective than blindly trusting the market." This Notice can be seen as an early attempt to allow the industry to build its track record under the FCC's voluntary collaboration approach, as well as to signal the type of transparency and accountability that may be expected to support such a voluntary framework.
The Notice seeks comment on several specific questions, which will assist the FCC in evaluating the effectiveness of the Recommendations thus far:
- What progress have stakeholders made in implementing the Recommendations?
- What barriers have stakeholders encountered in implementing the Recommendations?
- What significant success stories or breakthroughs have been achieved in implementing the Recommendations?
- What are stakeholders' views and/or plans for full implementation of the Recommendations?
- How effective are the Recommendations at mitigating cyber risk when they have been implemented?
- Given the experiences gained in the past two years, are there alternatives to full implementation that could be more effective than full implementation at mitigating cyber risk posed by botnets, DNS vulnerabilities, routing infrastructure vulnerabilities, and source address spoofing? On what basis do stakeholders believe that these alternatives are more effective than the Recommendations? Do stakeholders undertake qualitative or quantitative evaluations of the effectiveness of these various approaches, or both?
Other federal agencies, including the Federal Trade Commission, the Securities and Exchange Commission, and the Department of Health and Human Services, have increased their oversight of cybersecurity-related matters. The FCC's Notice provides interested parties a unique opportunity to assist the Commission in determining whether it should do the same. Comments are due by September 26. If you wish to discuss the FCC's Notice, proposed comments in response, or other federal cybersecurity requirements and practices, the Jones Day attorneys identified as Contacts are available to assist.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Bruce A. Olcott
Mauricio F. Paez
Preston N. Thomas, an associate in the Washington Office, assisted in the preparation of this Alert.