Consumer Electronics Daily was a Warren News publication.
'Substantial Rethinking' Ahead?

FCC Rescission of Cybersecurity Items Signals Likely Policy U-Turn, Stakeholders Say

FCC reversal of several cybersecurity-related proceedings and proposals further feeds expectations of an agencywide shift on cybersecurity policy under new Chairman Ajit Pai, industry executives and lawyers said in interviews. The Public Safety Bureau rescinded two cybersecurity items Friday amid a spate of Pai-directed actions (see 1702060062) -- a white paper on communications sector cybersecurity regulation issued two days before now-former Chairman Tom Wheeler's resignation and a notice of inquiry on cybersecurity for 5G devices. The FCC also removed from circulation a controversial cybersecurity policy statement adopting the Communications Security, Reliability and Interoperability Council’s (CSRIC) 2015 report on recommendations for communications sector cybersecurity risk management (see 1702030070).

The removal of the cybersecurity items isn't surprising given Pai’s “intensely deregulatory” vision, but it nonetheless signals the FCC will “probably back off a lot of cybersecurity activity over the next few years,” said former Public Safety Bureau Chief Jamie Barnett, now a Venable cybersecurity and telecom lawyer. Public Safety’s cybersecurity white paper was among a number of FCC moves from Wheeler’s final days in office seen as likely to be reversed (see 1701250077). “I wouldn’t be surprised if there is a fairly substantial rethinking of the FCC’s role on a range of internet-related issues,” including cybersecurity, during Pai’s chairmanship, said Internet Security Alliance President Larry Clinton. The agency didn’t comment.

The start of Pai’s chairmanship is “a good opportunity for us to revisit where we were directionally” in 2014, when Wheeler first took a substantial interest in the FCC’s cybersecurity role, said USTelecom Vice President-Industry and State Affairs Robert Mayer. The regulator announced in 2014 it would make cybersecurity a bigger public safety focus (see report in the Feb. 19, 2014, issue). Wheeler that year began calling for what he called a “new paradigm” on cybersecurity risk management in which the private sector would lead development of standards on cybersecurity issues (see report in the June 13, 2014, issue).

Participants in CSRIC’s development of the 2015 cybersecurity report worked in good faith to demonstrate industry accountability on cybersecurity and “never retreated” from their willingness to provide additional assurances to the FCC via a never-executed plan to hold confidential meetings with communications sector executives on the firms’ cybersecurity practices, Mayer said. He chaired the CSRIC working group that drafted the 2015 report, but only spoke with us in his USTelecom role. Wheeler was seen as backing off from pursuing the now-removed policy statement that would have set up a framework for the confidential meetings amid trouble with creating confidentiality protections for meeting participants that would be equivalent to those the Department of Homeland Security uses in its Protected Critical Infrastructure Information program (see 1611300063). “We were disappointed that nothing came of that" plan and “were very concerned that the collaborative approach” Wheeler favored in 2014 appeared to be “losing ground" in favor of "a more traditional oversight regime” by 2016, Mayer said.

The cybersecurity rollback probably will become more pronounced if the GOP-majority FCC moves as expected to undo the reclassification of broadband as a Communications Act Title II service and the ISP privacy rules (see 1701180066), Barnett said. The FCC was seen as increasingly drawing on its expanded Title II authority during the final year of Wheeler’s tenure, in enacting the ISP privacy rules and other rulemakings with cybersecurity implications (see 1608230021). The commission likely will remain “very interested” in carriers’ protection of customer proprietary network information, but “beyond that role the FCC will probably defer to the FTC" and others, Barnett said.

The FCC's increased reliance on Title II as a cybersecurity authority appears to have generated “unhappiness” both within the commission and among some industry stakeholders, and that most likely will result in changes, said former Public Safety Bureau Chief David Turetsky, now an Akin Gump cybersecurity and telecom lawyer. “The FCC over a period of time had been quite successful in using public-private partnerships” via CSRIC and other processes as a “means of engaging with industry” on cybersecurity issues, Turetsky said: “Hopefully, the historic public-private partnership aspect” of the FCC’s cybersecurity role will continue under Pai.

Industry stakeholders would like to “develop a more refined understanding” with the FCC’s new leadership at the commission and bureau levels “that addresses some of the concerns regarding the appropriate venues” for addressing cybersecurity issues, Mayer said. President Donald Trump’s anticipated cybersecurity executive order (see 1701310066) and ongoing work at NTIA and the National Institute of Standards and Technology make this a “good time for us to have a conversation” about expectations for the FCC’s role going forward, Mayer said: “I think we’ve come to realize that it’s generally understood that cybersecurity solutions require full participation from all members of a broad ecosystem and the FCC’s jurisdiction does not extend” to all players. That doesn't mean “the FCC should not have a role or an interest in this area, but we are saying they need to give consideration to” agencies that have more cybersecurity expertise and “can bring parties to the table in a meaningful way,” Mayer said.

We have historically worked closely with federal agencies on a common goal of advancing and improving global cybersecurity policies and protection levels,” said CenturyLink Senior Vice President-Public Policy and Government Relations John Jones. “We are supportive of streamlining and clarifying ownership so that fewer entities are involved in cybersecurity administration. A focused government approach will enable and encourage the alignment of federal cybersecurity initiatives, minimize divergent oversight and ensure maximum clarity and coordination between providers and the government. We also believe less regulation will be a key driver for more effective coordination and collaboration.”