The termination of the Federal Communications Commission’s data privacy and security rules, along with the end of net neutrality, leave the telecoms vulnerable to cyber breaches, critics say.
Yet, industry representatives reject any linkage between recent regulatory moves and security efforts, and say related cybersecurity work will help telecoms stay secure.
The net neutrality repeal reduces transparency about what Internet service providers are offering, critics say, and thus limits information on the security of their services. And lawmakers’ repeal of the specific privacy and security rules raise various concerns, according to critics such as retired Adm. David Simpson, the former FCC security chief who wrote the regulations.
“The obligation for ISPs to engage in reasonable security practices is eliminated; personally identifiable information and the history of one’s web activity will be sold by ISPs to the highest bidder,” Simpson said last year. “This increases consumer cyber risk exposure, [and] the availability of our digital ‘fingerprints.’”
Former FCC Chairman Tom Wheeler’s 2015 net neutrality order classified ISPs as “common carriers” under Title II of the Communications Act, which set the stage for the related data-security and privacy rules. Current FCC Chairman Ajit Pai’s repeal order reclassifies the ISPs under Title I – the governing authority up until 2015, which industry representatives long argued gave the FCC plenty of room to set security standards.
“The argument that rescinding the Open Internet Order undermines security is a complete ruse,” said Robert Mayer, vice president for cybersecurity at the United States Telecom Association. “Nothing is being undermined by returning to the Title I regime” that covered the industry prior to the Open Internet Order, he said.
Around the same time as the Wheeler net neutrality order in early 2015, the FCC’s Communications Security, Reliability, and Interoperability Council, known as CSRIC, approved a telecom-sector-crafted cybersecurity strategy based on the National Institute of Standards and Technology’s framework of cybersecurity standards.
The strategy reflected in the CSRIC report “was focused on cybersecurity,” said John Marinho of the wireless industry group CTIA. “This was done independently of net neutrality.”
The report “continues to be our guide,” said a source with another telecom industry group. “That was a seminal work.”
The framework-based strategy approved by CSRIC secures the telecom sector’s cybersecurity policies, industry sources say, and cyber efforts have not been affected by the move away from Wheeler’s open Internet policy and the related security rules.
“The participants did such a good job at CSRIC that we’re in position to move forward,” the industry source said, adding, “Regulations don’t help us do what we need to do on a daily basis. We’re going to do the best job we can to protect the networks.”
Added Mayer: “The FCC wouldn’t be constrained from trying to impose stricter security controls even without Title II authority, but another paradigm has emerged, with the work we did at CSRIC and with the [NIST] framework. The current environment is one of continued progress on using the framework — and our sector helped that.”
Meanwhile, NIST on Jan. 19 closed a public comment period on proposed updates to a voluntary framework of cybersecurity standards, which would be the first revisions since it was released in 2014.
Overall, Mayer said, “The current environment is one of continued progress on using the framework [while at the same time] the FCC is recognizing the substantial activity underway” at other agencies including NIST, the Department of Homeland Security, and the National Telecommunications and Information Administration.
“[Current FCC leaders] are taking great care to avoid duplication across agencies and regulatory bodies,” he said.
In turn, Mayer asserted, the telecom industry understands it must “demonstrate a high level of accountability” in order to maintain a “collaborative relationship” with federal authorities on cyber.
“I find it remarkable that this [NIST framework] document that started at 40 pages four years ago has garnered the level of support it has in the U.S. and around the world. It continues to be a living document that evolves with the threat environment. It is the single most important document on risk management.”
