Inside Cybersecurity

April 10, 2020

Daily News
Analysis

The FCC: From front lines, to sidelines, and perhaps back again to a key role in cyber battle

February 10, 2020

Telecommunications was one of a handful of “lifeline” industries that included electricity and the financial system: sectors where a cyber disaster could have a catastrophic effect rippling across the economy and costing lives and fortune.

They were all interrelated and interdependent, but electricity and finance were highly regulated and complied with extensive cybersecurity rules written by government agencies. Telecommunications, including wireless, satellite, and other services, was covered by both state and federal reliability standards, but nothing as specific on cyber as those other industries faced.

(Adapted from Charlie Mitchell’s new book Cyber in the Age of Trump, available now from Rowman & Littlefield.)

Telecom was testing the proposition—partially embraced under Obama and more so under Trump—that an industry-led approach to cybersecurity was not only equal but actually superior to a regulatory approach. The telecom industry’s shining lights on cyber were thrilled to have the bandwidth to pursue cybersecurity strategies and efforts without an omnipresent government directing the process, but they also realized the tremendous stakes and risks of their position.

“If this doesn’t work, we’re screwed,” an industry source said. Tech and telecom were increasingly intertwined in terms of the cyber threats they faced—and in their desire to avoid direct government control of the process.

Under President Obama, the Federal Communications Commission was a front-line agency in the nation’s cybersecurity fight. Obama’s FCC chairman Tom Wheeler wanted industry to lead on cybersecurity, but he also wanted the commission to have a hand in the process and assure that efforts really were being undertaken—and really did work. That changed as soon as President Trump took office.

“I’ll be on my knees praying for the next three years that a bombshell doesn’t drop,” Wheeler said after the first year of the Trump administration’s work in the telecom space.

Trump’s man at the FCC, new chairman Ajit Pai, immediately moved to revoke Wheeler’s “net-neutrality” rules designed to ensure equal access to the internet that were accompanied by a sweeping cybersecurity program. Both went into the bureaucratic waste basket. Also gone: an ambitious Wheeler-directed plan to match cybersecurity elements with the rollout of 5G wireless networks

Pai was a former corporate lawyer for the telecom sector, a staffer on Capitol Hill and at the FCC and Justice Department, and a graduate from Harvard and the University of Chicago School of Law. He was a champion of free-market economics and didn’t believe the commission should be telling industry how to secure telecom systems or directly overseeing their actions.

Industry groups offered strong support for Pai’s selection following tense relations with Wheeler over the commission’s authority to set cybersecurity requirements and the scope of such rules. Pai suggested a more modest FCC role in which the commission would largely defer to industry on cybersecurity.

Telecom industry leaders say no security vacuum

Robert Mayer of USTelecom said the FCC had been the proper venue for formulating cyber policy several years earlier, when federal officials and industry were jointly crafting a cybersecurity strategy for the telecommunications sector. But the threats and challenges evolved and the nature of the government-industry engagement needed to evolve as well.

“Regulation won’t keep up with the attacks, it’s a static process,” Mayer said. “But there is an understandable interest by government that industry is pursuing reasonable activities.” He pointed to industry-government engagements on botnets, malware, and internet routing as pieces of a “whole-of-government” approach to cybersecurity that went beyond what the FCC could accomplish.

But if the telecom system went down, the US economy went with it. That’s why Wheeler had empowered his FCC security chief—retired Rear Admiral David Simpson—to craft a security framework for the sector. One of Simpson’s jobs in the Navy had been to stand up the telecom system in Iraq during the U.S.-led occupation, so he understood operating in hostile environments with real bullets flying around.

At the FCC, Simpson would pull a bemused smile amid the constant barrage of criticism from industry, an antagonism that the admiral always believed was misplaced and missed the essential points of his security concerns. Simpson and Wheeler both were strong believers that the telecom system was a prime target in the ongoing, multifront war in cyberspace, that its networks were constantly eyed by nation-state adversaries, terrorists, activists, and run-of-the-mill cyber thieves.

Debate over cybersecurity aspects of next-generation 5G telecom networks was first stoked early in Pai’s term as chair, when he quickly rescinded a July 2016 order and rule that allocated spectrum for 5G wireless and fixed broadband networks, and had required licensees to submit statements of their network security plans. Pai also withdrew a “notice of inquiry” crafted by Simpson under Wheeler’s leadership, a forward looking, even visionary document on building in security as 5G was developed.

In April 2017, Pai issued a request for comment on streamlining rules related to 5G rollout, which did not address cybersecurity issues. The idea was to eliminate bureaucratic obstacles in order to get 5G into the field as quickly as possible—and before the Chinese could get there. The move was sharply criticized by Simpson.

“It’s clear that Pai doesn’t believe cybersecurity fits within the FCC’s national security and homeland security charter,” Simpson said.

But the Trump administration’s approach to the telecom sector would begin to change in 2019 – a shift that corresponded with tumultuous trade negotiations with China and a government-wide effort to “get tough” with Beijing on cybersecurity issues, though it was never really clear whether security or the trade talks was driving this policy evolution.

On April 12, 2019, Chairman Pai went to the White House to stand alongside Trump in announcing new steps designed to help the United States beat China and others in the race to deploy 5G. Pai told reporters on a conference call earlier that day that security was “a top priority” when it came to 5G. But that was only after he was prompted to address the issue by a reporter. It didn’t sound like a top priority, or at least not on par with the priority of getting 5G up and running.

Pai struck again on security just a week later, announcing that he would move to block China Mobile from obtaining a license to provide services in the United States. Next up, Pai moved to ban U.S. telecom firms from using equipment made by Chinese telecom Huawei, an order that would affect mainly rural telecoms long attracted to Huawei’s cheaper prices. The commission was actually asserting a cybersecurity role, on a case-by-case basis.

Cyber and the trade war

Technology was a key part of the US-China trade war that erupted in 2018, and the administration’s decision to link cybersecurity and trade objectives was a profound one. In the Huawei case, the confluence of security and global tech industry competition spurred quick action to enact bans and root Huawei and other equipment out of government systems and American supply chains. That was a policy approach initiated in Congress, not the Trump administration, but the White House happily went along because it served a purpose in the trade war realm.

However, it soon appeared that the administration's trade agenda would subsume the security side of the China issue.

The Trump administration, at first, blatantly neglected security in the race to get 5G telecom networks up and running before foreign competitors such as China and South Korea could seize the competitive heights. Then, as the China trade talks hit a critical phase in the spring of 2019, 5G security suddenly became a top priority for the administration. The president himself suggested that his top priority could change, given the state of the trade talks.

Cybersecurity professionals would say the United States should never make any concessions, period, when it comes to cyber-enabled thievery, that cyber norms of behavior were not transactional but needed to be a constant. In the age of Trump, it was now clear on Capitol Hill and throughout the policy establishment that cyber was a chip on the table in a different game, this one about global trade balances and, more important, the balance sheet in President Trump’s political account.

“I don’t think it’s surprising that national security concerns about Huawei equipment have brought us to this point,” said David Turetsky, the former security chief at the FCC. “I think it’s a little bit unfortunate that it happens in the midst of trade war because the national security issues have transcended any trade war solutions.”

Turetsky explained, “The national security issues around incorporating Huawei equipment into U.S. 5G and other networks are real and should not be considered just another trade issue that can be resolved as part of whatever agreement between the U.S. and China ends the trade war. The trade war and the national security threats shouldn’t be conflated and confused.” – Charlie Mitchell (cmitchell@iwpnews.com)