House Republicans are taking a dim view of a cyberprivacy proposal developed by the Federal Communications Commission, which unleashed a torrent of industry criticism. But the FCC’s security chief thinks divisions can be overcome.
The FCC has been at the forefront of the federal government’s cybersecurity efforts. In fact, it championed a historic, industry-led approach to cyber in a strategy adopted last year.
But now, many in the telecom sector and Republicans on Capitol Hill believe the commission has reversed course with the privacy proposal, which is related to the FCC’s highly controversial order on “open access” to the Internet.
The proposal specifies that Internet service providers, as a public utility, must implement security programs around customer data, and it sets limits on how that data can be shared with other entities for both commercial and cybersecurity purposes.
Language in the FCC proposal on liability protection for sharing cyberthreat information appears to be at odds with, and more restrictive than, the provisions on this issue in the Cybersecurity Act of 2015, according to industry attorneys.
“This is going to be a drag on information sharing,” one attorney complained.
It also mandates that telecom firms inform customers when their data has been breached.
Congress has been unable to pass a uniform federal data-breach notification requirement, although 47 states have established their own requirements. Critics of the FCC proposal say the commission has no statutory authority to apply such a rule.
The House Energy and Commerce communications subcommittee waded into the debate last week with a panel of witnesses who lambasted the privacy proposal as regulatory overreach at best — and an unconstitutional assumption of authority at worst.
“Despite the Internet’s track record as arguably the greatest economic value and job creation engine the world has ever known, the FCC wants to tinker where there isn’t a demonstrated problem,” subcommittee Chairman Greg Walden, R-Ore., said at the hearing.
“Perhaps more insidiously, the FCC has gone so far as to manufacture a problem so that it could ‘solve’ it, remaking [Internet service providers] in their desired image.”
This was not the first time the Energy and Commerce panel and FCC tangled over regulatory overreach.
In 2014, former Rep. Mike Rogers, R-Mich., then chairman of the Intelligence Committee and a member of the Energy and Commerce communications subcommittee, wrote to FCC Chairman Thomas Wheeler demanding to know the basis for assertions of commission authority to regulate on cybersecurity.
FCC officials didn’t testify last week.
But FCC public safety and homeland security chief David Simpson, a retired rear admiral, last week said at an industry conference and in an interview that the proposal on protecting privacy of broadband customers fits into the commission’s overall cybersecurity strategy.
Simpson objected to charges that the proposal departs from a strategy based on the voluntary framework of cybersecurity standards or the cyberplan approved by the FCC in 2015.
Telecom sector stakeholders say their work in those industry-led initiatives is now being misapplied by the commission through mandatory requirements in the proposed broadband privacy rule.
But Simpson said, “I don’t think there’s a departure — the core value at the FCC is companies are in the best position to assess risk and deploy answers.”
He said “the worst option [is] prescriptive standards,” and said he looked forward to reviewing the multitude of industry and other comments on the proposal. He suggested differences between industry and the FCC could be resolved.
In a brief interview, Simpson elaborated that the proposal “doesn’t say how to do it, but it does say if you lose [personally identifiable information], you have to inform people about it. Then they can change passwords, credit card numbers and so forth.”
Simpson added, “The government shouldn’t be prescriptive in how to address risk, and I don’t see how the privacy proposal departs from that.”
Industry groups say otherwise in a stack of comments submitted to the FCC on the privacy proposal. And lawmakers on Capitol Hill are watching closely to see how this unfolds.
The FCC and industry have managed to step back from the precipice in previous disputes over cybersecurity policy.
The admiral is confident that will happen again. Industry is looking for greater assurance.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.
