Inside Cybersecurity

April 24, 2024

Daily News
The Weekly Analysis

Insiders: Telecom cyber efforts affected, not derailed, by FCC withdrawal from policy space

By Charlie Mitchell / January 22, 2019

Roughly two years after Chairman Ajit Pai began a process of withdrawing from cybersecurity responsibilities defined by the Federal Communications Commission's previous leadership, stakeholders say roles at the FCC and Federal Trade Commission have yet to be fully defined, but cyber initiatives are proceeding effectively between the telecom sector and government.

“The FCC has morphed itself to be an expert adviser agency rather than a lead agency” on cybersecurity, said Gregory Guice of the law firm McGuireWoods and a former FCC legislative director. “That's a big shift, to cede that territory.”

Still, Guice observed, “the parade of horribles hasn't happened. That doesn't mean it won't, but cybersecurity was not so affected, despite the intense hyperbole around repeal of net neutrality and other moves by Pai.”

Inside Cybersecurity discussed the state of cyber policy in the telecom sector with Guice, Robert Mayer, senior vice president for cybersecurity at USTelecom, former FCC public safety chief David Turetsky, and former FTC Commissioner Terrell McSweeny as part of an ongoing series on the issue.

The FCC had been the proper venue several years ago, Mayer said, when federal authorities and industry were jointly crafting a cybersecurity strategy for the telecommunications sector. But the threats and challenges have evolved and the nature of the government-industry engagement needed to evolve as well.

“Regulation won't keep up with the attacks, it's a static process,” Mayer said. “But there is an understandable interest by government that industry is pursuing reasonable activities.”

He pointed to ongoing industry-government engagements on botnets, malware, internet routing and other security issues. “We are actively engaged with DHS, the National Institute of Standards and Technology, the National Telecommunications and Information Administration and other agencies to understand what government is concerned about and what we should do to address those concerns.”

These engagements are part of a “whole-of-government” approach to cybersecurity that goes beyond what the FCC could accomplish, Mayer said.

The FCC steps back

Early in 2017, the newly installed FCC Chairman Pai withdrew a notice of inquiry on securing next-generation “5G” networks crafted by retired Adm. David Simpson, the FCC security chief under former Chairman Tom Wheeler.

Next, lawmakers terminated net-neutrality and related security and privacy rules promulgated under Wheeler, with Pai pledging that the FCC and FTC would collaborate to ensure there was no gap in consumer protections.

“At the time, I was very critical of Congress' moves and Chairman Pai's moves to weaken the FCC's authority and take the FCC off the playing field on security and privacy,” said Terrell McSweeny, a former Democratic commissioner on the FTC who focused intently on consumer data security issues during her tenure. “The expert regulators, like the FCC on networks, are well positioned to handle network security and privacy as the cops on the beat.”

McSweeny said, “The FTC does a fantastic job on consumer data protection and privacy, but there are exemptions for common carriers. The current commissioners have called for removing those exemptions -- I was very pleased to see that. It can be very difficult for the FTC to proceed on privacy and security because of the exemptions.”

She noted a U.S. 9th Circuit Court of Appeals ruling that said certain “activities” of common carriers are not covered by those exemptions, saying “that was good, but it would also be good to eliminate the common carrier and nonprofit exemptions” in statute. “The FTC's authority -- assuming the common carrier exemption isn't a barrier -- is a very broad authority to protect consumers. It has found weak security practices to be unfair practices.”

Two years after Pai took over at the commission, “The FCC has become incredibly circumspect on cybersecurity,” said Turetsky, now teaching at the University at Albany-SUNY in New York. “I have a lot of respect for the FTC's role and expertise, but the FCC has withdrawn more than it should have.”

The key question, though, is whether telecom-sector security has suffered -- or will suffer -- by the FCC's move off the stage.

And, Guice said, “we haven't yet heard the FTC's voice in its role,” suggesting that, “in some ways, the commission is still awaiting legislation” that will clarify and expand its role. “What do we want the FTC to be -- that is still to be determined.”

FTC Chairman Joseph Simons, a Trump appointee, as well as many congressional Republicans and Democrats, support spelling out more robust legal authorities for the commission in areas like data security and online consumer protections.

“In my view, we need more authority,” Simons said before a House Energy and Commerce subcommittee last summer. “I support data security legislation that would give us three things: one, the ability to seek civil penalties to effectively deter unlawful conduct; two, jurisdiction over non-profits and common carriers; and three, the authority to issue implementing rules under the Administrative Procedure Act, and we should consider additional privacy authority as well.”

The FTC last year embarked on a series of public workshops on data security, privacy and related questions.

Last week, Abigail Slater, special assistant to the president for cyber policy at the National Economic Council, said there is “violent agreement” on the benefit of expanding the FTC's authority and enabling it to issue fines for companies making first-time violations of privacy and data security promises.

As roles are being sorted out, Guice asked: “Are consumers at greater risk due to the change in oversight? I don't think that's what's come about. Operators are still being very responsible -- there are market factors and other things that encourage good behavior.”

In the telecom sector, Guice said, “at its core, their networks are highly engineered to ensure the security of the service. They know the network has to be always on. FCC reliability rules still make sure it's an 'always on' service.”

Noting a Jan. 11 letter to Pai from new House Energy and Commerce Chairman Frank Pallone (D-NJ) on protecting consumers' privacy, Guice said industry players “know they're under the microscope. That has a disciplinary effect.”

Guice said “a lot of effort at the carriers goes into ensuring traffic is clean and validated,” adding that “the harm comes from outside their networks.”

Strengths in letting the FTC lead

Turetsky noted the FCC “has been pretty reticent about asserting its jurisdiction on cybersecurity over the past two years, with one glaring exception,” citing a proposed rulemaking on supply-chain issues, which he said was intended to block communities from tapping the Universal Service Fund to pay for telecom equipment made by certain Chinese manufacturers seen as security risks.

“They put out a trial balloon -- I assume the White House pushed this -- but it seemed very out of whack with Pai's overall approach,” Turetsky said.

But on the larger question, Turetsky said “one strength” of the FTC's historic approach to enforcement is that its “'unfair and deceptive practices' standard is flexible and can be applied in different ways.” He noted the calls -- from Chairman Simons and others -- for rulemaking authority, but asked, “How would rulemaking be more effective and flexible than what they have now? I don't think it's a no-brainer to give the FTC regulatory authority.”

However, Turetsky clarified that, “it's not a good idea to just take companies at their word.”

This has particularly shown up in the way Facebook and others -- including telecoms, he said -- handle consumers' data. “That this could happen without action by a regulator or enforcer is very disappointing,” Turetsky commented. “We need a fundamental revamping of privacy policy.”

According to news reports late last week, regulators are preparing to levy a major fine on Facebook.

On security, Turetsky said, “The FTC says it doesn't have the tools it needs, but you can argue that cybersecurity has improved more than privacy has over the past two years. There are more incentives toward cybersecurity than toward privacy.”

“Companies aren't oriented in their DNA against cybersecurity like some are against privacy,” he asserted.

But at the same time, he said, “the market still doesn't incentivize security investments appropriately. Companies don't face all the costs of a breach. I'm a market guy and it's a rational thing: A company will rationally look at its vulnerabilities and costs, and if the cost of harm is smaller -- because consumers bear the rest of the cost of a breach -- they'll invest less in cybersecurity.”

Government oversight -- from somewhere -- is intended to bridge that gap.

“Companies need to behave reasonably,” Turetsky said, and when they do, “they shouldn't get hammered when they're breached.”

Looking to the FTC, he said that commission “historically is about enforcement. Obviously, the telecom sector likes FTC enforcement over FCC enforcement, because the FTC enforces across sectors and has to allocate its resources more broadly.”

“Having a dedicated cop isn't as desirable from telecom's perspective, for their business interest,” Turetsky said. But finding the right balance between the two commissions has been an issue for about twenty-five years, he added.

Mayer argued that the attraction is the FTC's “broader purview grounded in reasonableness. They provide industry with insight on how they view 'reasonable,' and the beauty is that it evolves.”

Overall, Turetsky said, “It's arguable that there are benefits to greater attention to telecom's network security than we'd get from the FTC alone -- telecoms are the super highways that connect consumers to perpetrators. The consequences of how we manage that are very important.”

He said an expanded FCC role “could be important,” adding that “how the networks are built and managed given their role in the cybersecurity ecosystem is very important.”

Turetsky said: “I think increased consequences for unfair or deceptive acts or practices pertaining to cybersecurity is both valuable and important. Companies decide how much to invest in cybersecurity and ensuring compliance with their promises.”

He said, “Companies may choose to invest too little if the consequences are not severe enough, especially given the chance they may not get caught at all, and even if they are caught, the cost of the resulting harm is borne partly by others in society and not them under our present system.”

USTelecom's Mayer stressed that above the jurisdictional issues and roles for the two commissions, “It's more important to recognize that many agencies have interest and expertise on cybersecurity, rather than just focus on legal ambiguities.” -- Charlie Mitchell (cmitchell@iwpnews.com)