The newly Republican-led Federal Communications Commission is unlikely to make cybersecurity regulation the priority it was under the last administration, according to past comments by the agency’s new chairman.
Former Chairman Tom Wheeler gave his last word on the subject last week via a white paper calling for more cybersecurity regulation of internet service providers (ISPs).
“As private actors, ISPs operate in economic environments that pressure against investments that do not directly contribute to profit,” the paper reads. “Protective actions taken by one ISP can be undermined by the failure of other ISPs to take similar actions. This weakens the incentive of all ISPs to invest in such protections.”
It goes on to suggest the FCC consider ISP cybersecurity efforts before handing out subsidies and require them to report intrusions even when they don’t cause network disruptions. The paper came at the request of Democrats in Congress inquiring what the FCC can do to prevent cyberattacks like the DDoS takedown of DNS provider Dyn in October.
The paper followed other recent cybersecurity efforts by the FCC including proposed rules for securing 5G networks and reporting data breaches in accordance with new ISP privacy rules. All were part of Wheeler’s pledge to make cybersecurity an “all hands on deck,” “top priority” for the FCC.
His efforts are unlikely to be continued by his successor, Republican Commissioner Ajit Pai, who was tapped by President Donald Trump to succeed Wheeler this week.
In October, Pai said the FCC’s role in cybersecurity was “relatively circumscribed” and “consultative” as opposed to establishing “uniform rules that would apply to an entire industry.”
“There are other agencies that have a more well-defined space, legally speaking, and more well established expertise,” he said.
Pai’s Republican colleague Commissioner Michael O’Rielly expressed a similar opinion when he dissented on the agency’s vote to adopt stricter privacy rules for ISPs.
“It is important to note that, while cybersecurity is important, the act does not provide the FCC with any authority in this space,” O’Rielly said. “It is also worth noting that the FCC has not been included in any of the congressional legislative efforts on this topic, not even as a consulting agency. Therefore, the commission should not presume to freelance in this area.”
Industry players including AT&T, with whom both Republicans typically side, are also opposed. In its response to the paper this week, AT&T dubbed the FCC’s conclusions “absurd.”
“Cybersecurity is fundamental to what we do,” the wireless carrier said Wednesday. “AT&T’s security experts are analyzing the traffic on our network 24/7/365 to understand and identify emerging threats. We currently have eight global security operation centers and hold 179 security and privacy patents. AT&T has a fleet of cybersecurity experts, and we are actively training, and re-training, employees to increase this pool of experts.”
AT&T said providers have ample incentive to protect their networks in the face of competition, adding that five billion vulnerability scans and 200,000 malware events target its network daily. Another 30 billion vulnerability scans and 400 million spam messages cross its global IP network.
“And there has been a 3,198% increase in vulnerability scans of Internet of things (IoT) devices over the past three years,” the company continued. “So, we’re well aware of the threats to our network and our customers, and are taking meaningful steps to counter these risks.”
AT&T said it already works directly with multiple government agencies on cybersecurity, including the Department of Homeland Security, the Critical Infrastructure Protection Advisory Council and the FCC’s own Communications Security Reliability and Interoperability Council.
“The FCC is simply not designed to address the incredibly complex issues of cybersecurity, especially in an environment that is continuously changing and doesn’t fit nicely into traditional silos,” the company said.
Pai and O’Rielly’s new majority at the agency makes it unlikely Wheeler’s cybersecurity pursuits will continue.