Pai Seen Unlikely to Act on FCC Public Safety Bureau's Cybersecurity White Paper
The FCC Public Safety Bureau’s white paper on communications sector cybersecurity regulation is highly unlikely to influence the commission’s cybersecurity policies under new Chairman Ajit Pai, said industry lawyers and lobbyists in interviews. The white paper, which the FCC issued two days before former Chairman Tom Wheeler resigned, said the commission can’t rely on organic market incentives alone to reduce cyber risk. The federal government needs to assert “appropriate” regulatory oversight over ISPs’ cybersecurity practices in the absence of clear market incentives to drive improvements, said now-former Public Safety Bureau Chief David Simpson in the white paper (see 1701180082). The agency issued various other actions in the final days of Wheeler's tenure (see 1701240020).
The recommendations won’t “necessarily be a first priority” for the FCC under Pai, though he hasn't made any decisions on it, an official said: “It’s still really early” in Pai’s chairmanship and FCC staff “haven’t had a chance to have those conversations yet.” Pai hasn't finished evaluating the FCC’s other cybersecurity policies and outstanding proposals, though “I can’t imagine” that the cybersecurity policy statement that began circulating in February 2016 “is going to stick around,” the official said. “But they’re still making those determinations.” Wheeler previously was seen as backing away from pursuing the still-circulating policy statement, which included a framework for the FCC to hold confidential meetings with communications sector executives aimed at providing assurances on the firms’ cybersecurity practices (see 1611300063). The agency didn’t comment.
It’s unlikely that Pai will pursue any element included in the white paper, several industry lawyers said. ‘I’m not expecting the FCC to move on a lot of new cybersecurity initiatives” during Pai’s chairmanship, said former Public Safety Bureau Chief Jamie Barnett, now a Venable cybersecurity and telecom lawyer. “What will be interesting to see is whether future [iterations of the Communications Security, Reliability and Interoperability Council] will address cybersecurity issues” to the same degree it did during CSRIC V and the council’s previous iterations, he said. Everything the FCC has done on cybersecurity issues under Wheeler and then-Chairman Julius Genachowski “appears to be on the table” for potential rollback under Pai, including the Wheeler policy statement, a telecom sector lawyer said.
It’s best to view the paper as a “wrap-up document meant to lay down a few markers” and give Wheeler’s successor “some ideas” on cybersecurity, said Wiley Rein cybersecurity lawyer Megan Brown: The paper was “very aggressive and endorsed the idea of an FCC role on cybersecurity regulation that I don’t think is consistent” with the view of Pai or fellow Republican Commissioner Mike O’Rielly. “There’s a new sheriff in town” at the FCC, and “I don’t think this paper is going to be very influential at all” in shaping Pai’s cybersecurity policies, Brown said. “I’d imagine Pai has already put this into the circular file,” particularly since the white paper’s assertions that cybersecurity information that ISPs need to send to FCC duplicates aspects of the information sharing program at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, said Shane Tews, visiting fellow at the American Enterprise Institute’s Center for Internet, Communications and Technology Policy.
The white paper is likely “dead on arrival” at the FCC under the new Republican majority, but it remains a concern because Wheeler circulated the paper to Sen. Mark Warner, D-Va., said Tech Knowledge Director Fred Campbell. “There’s always a chance that someone in Congress would decide to act” on the proposals included in the white paper, but that appears to be the “only plausible way it would happen at this point.” Those concerns prompted Campbell to strongly criticize the white paper in a Wednesday blog post, he said.
Campbell criticized the FCC not only for issuing the white paper so close to Wheeler’s resignation but also for wrongly presuming the commission “has authority to do whatever it likes with regard to cybersecurity.” There's evidence of increasing cybersecurity investment, which in combination with “other private-industry responses to cyber risk offers no indication there is a market failure,” Campbell wrote. “Even if there were evidence of market failure, there is no indication that FCC meddling along the lines [the FCC] suggested would solve it.”
AT&T Assistant Vice President-Global Public Policy Chris Boyer also criticized the document Wednesday, saying in a blog post the paper “makes bald assertions but doesn’t provide any evidence that there are a lack of incentives for carriers to protect their networks from cyberattacks.” The FCC relied “on already-debunked assumptions that there is inadequate competition in the broadband marketplace, and then leaps to the conclusion that ISPs therefore won’t invest in protecting their networks and customers from cyberattacks,” Boyer said: “This is not merely unsupported, it is absurd” given AT&T’s investment in cybersecurity. The FCC “is simply not designed to address the incredibly complex issues of cybersecurity, especially in an environment that is continuously changing and doesn’t fit nicely into traditional silos,” Boyer said.