On January 18, 2017, during the final days of the Obama Administration, the Federal Communications Commission (“FCC”) released a white paper (the “FCC Paper”) on cybersecurity risk mitigation in communications networks. The FCC Paper explains the agency’s cybersecurity policy paradigm, describes cyber risk mitigation actions taken by the FCC, and includes recommendations for additional risk reduction strategies. The FCC Paper covers a number of cyber topics affecting the communications sector, including situational awareness, security by design, and real-time cyber threat information sharing.
The FCC Paper notes that while businesses take certain steps to protect cyber infrastructure, a “cybersecurity gap” remains with respect to the most direct and prominent risks. Accordingly, the FCC affirms its “clear role and responsibility in addressing residual cybersecurity risk—i.e., the risk remaining after market participants have acted to remediate cyber risk that directly affects their business interest.” The FCC Paper points out that this residual cyber risk can be substantial and “is ultimately imposed on stakeholders that have scant awareness of its presence or means to remediate it.”
To meet the challenge of reducing cyber risk in communications networks and services, the FCC relies both on voluntary risk mitigation efforts by commercial entities and the agency’s regulatory oversight capabilities. The FCC’s risk reduction strategy features various “lines of effort” designed to combat cyber vulnerabilities. One line of effort is in the field of situational awareness, meaning, the collection and analysis of information about communications disruptions. The FCC Paper states that communications providers must submit reports about network outages that feature information about the possible cause of the outage and any remediation steps taken. This includes whether “carriers are aware of a malicious cause of an outage, which could be the result of a cyber incident.” Going forward, the FCC Paper encourages expanding outage reporting requirements to IP-based communications generally in light of the “increasing reliance on IP-based communications, including [in] support of essential public safety communications.”
Another of the FCC’s lines of effort relates to security by design. The FCC Paper points out that in the rush to bring equipment into the market, security features can get short shrift. The FCC cautions against this, noting that security by design “reduces cyber risk by using a disciplined process of continuous testing, authentication safeguards and adherence to best development practices.” Real-time cyber threat information sharing is another FCC line of effort, and the FCC Paper states that such information sharing among communications companies “enables an ecosystem where indicators of attempted compromise can be shared in real time, protecting companies and agencies from that particular threat.”
The FCC Paper concludes by stating that, in the future, “the continued convergence of packet-based communication technology in wireless, wireline, cable, broadcast and satellite coupled with network functional virtualization and software defined radios will lead to hybrid (co-mingled) control elements for many service providers,” and such “interdependencies will be inviting targets for threat actors.” The FCC Paper acknowledges the agency’s desire to address cyber issues with collaborative public/private partnerships, but nonetheless notes that the FCC will not hesitate to use its regulatory prerogatives to ensure a “tolerable risk outcome” in this space. Although a new administration has taken office since the release of the FCC Paper, companies operating in the communications sector still would be wise to diligently evaluate their cyber risk reduction strategies.
