FTC takes over as top cybersecurity enforcer

The Federal Communications Commission’s role as a driver of national cybersecurity policy, promoted by former Chairman Thomas Wheeler, was effectively scrapped last week when Congress passed a measure killing the commission’s 2016 cybersecurity and privacy rules.

The move was strongly welcomed by the telecom industry and leaves another alphabet-soup agency — the Federal Trade Commission — as “the cop on the beat” when it comes to cyber.

That’s a role the trade commission has long embraced, but it will take a different and perhaps more reactive approach to cybersecurity in comparison with Wheeler’s communications commission.

Many telecom industry groups prefer the FTC’s enforcement approach, which is based on guiding principles for cyber best practices, to what they saw as prescriptive rules on cyber spelled out by the recently departed Wheeler team at the FCC.

Republican lawmakers have now used the Congressional Review Act to terminate the FCC security and privacy regulations, which the commission produced late last year as a follow-on to its controversial reclassification of broadband Internet service providers as common-carrier utilities.

That reclassification meant that Internet service providers were no longer subject to FTC enforcement, which in turn left a regulatory gap that the FCC attempted to fill with the new security rules.

Both the broadband reclassification and the security rules prompted an outcry from the telecom industry and were opposed at the time by the FCC’s two Republican members, Ajit Pai and Michael O’Rielly.

Pai was appointed FCC chairman by Trump, and one of his first moves was to suspend the privacy rules.

Sen. Jeff Flake, R-Ariz., and Rep. Marsha Blackburn, R-Tenn., quickly produced legislation under the Congressional Review Act to kill the rules, which industry had denounced as heavy-handed regulation but which were also strongly supported by the online privacy community and some security professionals.

Flake’s measure passed the Senate on March 23 on a 50-48 vote, while Blackburn’s bill cleared the House on March 28 on a 215-205 vote. Trump was expected to sign the measure at press time.

Retired Rear Adm. David Simpson, Wheeler’s former security chief at the FCC, strongly objected to repeal of the rules.

“The obligation for ISPs to engage in reasonable security practices is eliminated, personally identifiable information and the history of one’s Web activity will be sold by ISPs to the highest bidder,” Simpson told InsideCybersecurity.com. “This increases consumer cyber risk exposure, the availability of our digital ‘fingerprints’ within the Internet of things and will most probably degrade user experience as pop-up advertising moves down from the application to the transport layer with no tangible cost savings passed on to the consumer.”

But telecom sector groups were buoyed by the repeal, arguing that the security regulations directly contradicted a collaborative, industry-led approach to cybersecurity that Wheeler and the FCC had championed in a different context.

In 2015, telecom industry groups, under a charter from Wheeler, crafted a voluntary plan for securing the sector in cyberspace, which the commission subsequently approved. But industry representatives charged that Wheeler and Simpson took elements from the voluntarily developed cyber strategy and made them mandatory in the broadband security rules.

“Consumers can rest easy today knowing their privacy is protected under existing FCC authority, which requires companies to keep consumers’ data safe,” the United States Telecom Association said in a release. The Flake-Blackburn measure “would simply maintain the status quo on privacy protections by removing the misguided rules adopted last year. We continue to support the FTC privacy framework and look forward to working on a more uniform air-tight approach to privacy that doesn’t advance a balkanized regulatory structure.”

Security issues related to Internet service providers weren’t the only area where Wheeler was pushing hard for action on cybersecurity, and they aren’t the only one where Pai is pulling on the reins at the commission.

A “white paper” issued by Simpson’s security bureau just before Wheeler left office in January vigorously defended his team’s approach of encouraging voluntary cyber efforts by industry, backed by the threat of regulation.

That paper prompted a strong response from industry.

“The Bureau makes bald assertions but doesn’t provide any evidence that there are a lack of incentives for carriers to protect their networks from cyberattacks,” AT&T’s Chris Boyer said in a blog post. “Instead it relies on already-debunked assumptions that there is inadequate competition in the broadband marketplace, and then leaps to the conclusion that ISPs therefore won’t invest in protecting their networks and customers from cyberattacks. This is not merely unsupported; it is absurd.”

Likewise, Wheeler and Simpson envisioned a sweeping role for the commission in ensuring security was built into the next generation of wireless networks, known as “5G.”

Pai, by contrast, says the commission will apply a “light touch” still to be defined but almost certainly less compulsory for industry than what the former team expected to produce. He quickly withdrew a Wheeler-issued “notice for comments” on 5G that could’ve been a precursor for regulation.

The Wheeler era was decisively put to rest by last week’s congressional action.

So what’s next from the FTC?

The FTC for years has carved out a role for itself in protecting consumers from lax cybersecurity practices by many different types of businesses.

One potential weakness of the FTC approach is that it is an enforcement agency that spells out principles on issues such as cybersecurity but may not explicitly spell out its expectations.

The commission has long maintained that companies know what it expects in terms of best practices and applying an appropriate standard of care to protecting consumer data.

That proposition continues to be battled out in various federal courtrooms around the country.

Meanwhile, the FTC in recent months has stressed its intention to be a vigorous enforcer of strong cybersecurity practices.

Thomas Pahl, the FTC’s consumer protection chief, said before the Congressional Review Act votes in Congress that the commission would be working to ensure “everyone knows that standards are here to be complied with” regardless of whether the FCC rules were repealed.

FCC Chairman Pai and acting FTC Chairman Maureen Ohlhausen also issued a statement in March pledging to work together and promising “a technology-neutral privacy framework for the online world.”

How this works out will start becoming clear in the coming months, while in the near term the telecom industry has a prime opportunity to demonstrate its leadership on cybersecurity as the federal government moves into that promised era of a “lighter touch.”

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield.      
