Former FCC security chief David Simpson is citing President Biden’s call for critical infrastructure operators to get ahead of upcoming cybersecurity standards as an important message from the White House cyber summit, while also noting the absence of the telecom sector from an event that featured leaders from various other “lifeline” industries.
“The meeting could make a positive difference if the president’s admonition is constructively received and acted upon,” Simpson told Inside Cybersecurity, while pointing to the announcement that the National Institute of Standards and Technology would develop a framework addressing how to secure the technology supply chain that builds on previous cyber and privacy frameworks.
According to the Biden administration, the document “will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software. Microsoft, Google, Travelers, and Coalition committed to participating in this NIST-led initiative.”
Retired Rear Adm. Simpson, who led the FCC’s Public Safety and Homeland Security Bureau during the Obama administration, said, “The new NIST work, and efforts by the administration to communicate a clear cybersecurity threshold for companies in the critical infrastructure supply chain, could lead to an effective ‘Duty of Care’ standard” and liability for damages. “We’re a ways off from that, and agencies charged with cyber oversight would need to be ready to apply this new standard, but the NIST tasking and the president’s interest are a step in the right direction.”
Simpson underscored comments by a senior administration official prior to the summit, who said the message to industry was: “‘Heads up. This is what we think is reasonable as a threshold, since you’re an owner and operator of critical infrastructure. We’re going to work to make sure that these standards are adopted across the board because we as the government owe that to the citizens we serve. But we’d love for you to get a head start and get moving.’”
But Simpson joined various industry sources in identifying key missing pieces, including a lack of attention to cybersecurity in the telecom sector.
“The absence of major ISPs and [Mobile Network Operators] is glaring and telling,” Simpson said, adding that it was “all the more concerning given emerging details of the third major breach from one of our national mobile providers with no corresponding movement from the FCC, the administration or the Senate to investigate for accountability or address risk thresholds for telecommunications.”
Simpson also asserted, “It appears that the Administration and the Senate have lost confidence in the FCC’s ability to responsibly distribute broadband infrastructure funds.… Instead of putting the FCC, an independent agency with primary and plenary responsibility and authorities for the sector, in charge of broadband deployment in the draft infrastructure bill, Commerce, an executive branch agency, will disburse the funds. It’s not clear if NTIA[’s] distribution of $65 billion worth of broadband grants will address cybersecurity. The draft infrastructure bill that cleared the Senate with bipartisan support removed cybersecurity obligations for broadband grant awardees. This [is] in stark contrast to the approach for Smart Transportation and Smart Energy Grids, both of which outlined an affirmative program to reduce cyber risk in the bill.”
Assessing the focus of last week’s summit, Simpson said, “There seems to be a strong predisposition that we can educate and train our way out of our cyber challenges. While this is clearly important, voluntary commitments from a few companies seem to be a page from the past that has not worked.”
He said, “Cybersecurity at the end of the day requires local action by companies with information system dependencies. In an interconnected information economy, the cyber supply chain is akin to a zipper, with individual companies metaphorically teeth in the zipper. Weak zipper teeth [and] failure to take a Zero Trust approach put the entire chain at risk. The National Cyber Director has rightly stated in the past that ‘we must collaborate at the lowest possible level to address scope, scale and depth … and we need to take walls down.’ I totally agree with that. [But it’s] hard to address scope, scale and depth if it takes meetings with the president to compel meaningful voluntary commitments.” – Charlie Mitchell (email@example.com)