NRIC ADOPTS BEST PRACTICES FOR TELECOM NETWORKS SECURITY

Powell announced that the Commission planned to recharter NRIC with the focus shifting to emergency services early next year. He said NRIC VII would continue to work with NRIC VI in the areas of homeland security, reliability, interoperability and broadband. He said the FCC planned to release the new charter “in the next month and begin identifying members of the new council. You'll be hearing a great deal more about this in the coming weeks ahead.”

Although best practices are designed to be adopted by telecom carriers on a voluntary rather than mandatory basis, Powell urged industry senior executives to “stay personally engaged in implementing the best practices” that had been adopted. “I encourage you to hold yourself accountable on this important point. Best practices are only effective to the extent they are practiced,” he said: “We must all work together to further advance [their] implementation… to ensure the reliability of the network.” Powell said he continued to be concerned about the reliability of communications networks and services: “I am a believer in an industry’s self-regulation, and NRIC best practices are one of the best examples we have of this.”

NRIC VI Chmn. Richard Notebaert of Qwest reiterated that “voluntary participation is really not as voluntary as it sounds. We have 2 choices in our industry: we can do the right thing… or we can wait until somebody helps us and tells us. Those of us who have been around for a while understand the advantage of doing that for the right reason, and not having it mandated… We really need to have it done because at some point the patience with a voluntary approach will end, and we don’t want that to happen.”

Several NRIC members expressed concern about the level of voluntary industry participation in submitting outage data. Jack Goldberg, Conn. PUC vice chmn., who represented NARUC, said in 11 months “we've had fewer than half participants, and in November, only 2 participants” submitted their reports, “while there were supposed to be 168 reports in a month.” He said the lack of reports made it “hard for us to come up with statistically valid information, meaningful information.” For example, he said some carriers submitted their reports only in months when they didn’t experience any outages: “The data provided, in my opinion, don’t appear… to allow us to make that conclusion about how to improve network reliability overtime.” However, NCS Deputy Mgr. Brent Greene said govt. needed to provide industry with assurance on how the outage data would be used and protected “to prevent inappropriate use of the data.”

FCC Office of Engineering & Technology Chief Edmond Thomas expressed concern that the progress in the work of the network reliability group had been “a lot slower than some of us would like to see.” He said the groups should: (1) Come up with the methodology to identify statistically root cause of the network failures and the weak spots: “We need to be able to statistically correlate the performance of networks to the use of or lack of use of best practices… and… identify the need for modification of our rules.” He said the problem with the trial was that “not only the participation is voluntary, what you fill out is voluntary as well… So we do have very significant concerns relative to the trial.”

The network reliability focus group recommended the industry continue outage reporting based on: (1) Sustaining an industry-led outage reporting initiative. (2) Using the processes established in the Voluntary Outage Reporting Trial. (3) Preserving continuity by moving data analysis to a special experts group under the NRSC on an interim basis. (4) Generating summary data analysis reports for the NRIC Network Reliability Focus Group and the communications industry. (5) Incorporating improvements. It also said the charter for NRIC VI should allow the network reliability group to: (1) Monitor the progress of the industry-led initiative. (2) Report findings to NRIC. (3) Promote expansion of reporting participation. (4) Assess potential changes in the reporting process. The group recommended several reporting process improvements, such as: (1) Developing a process that would allow all participating parties to discuss outage reports in a confidential manner. (2) Providing FCC access to the raw outage data under strict confidentiality. (3) Developing a process to facilitate queries for the data analysis group to service providers for clarifications on outage reports. (4) Increasing information requiring completion of currently optional fields while assuring confidentiality. (5) Improving outage templates and data field descriptions. (6) Employing data categorization similar to that used by the NRSC. (7) Improving accountability of participants for completeness of reports. (8) Developing effective follow-up procedures and applying quality process management.

Powell also expressed concern that while the NRIC used FCC outage reporting information from wireline carriers as the basis for improving NRIC best practices, “we lack a comparable source of information from other segments of the industry, and I am looking forward to learning more about your work in this area.” ETUG COO Brian Moor said he was “frustrated” by the time it took between when an event happened and the NRIC reliability group came up with its analysis: “It seems to be exceedingly long, particularly for FCC people who are trying to make decision on a more timely basis.”

In the area of increased access and deployment of broadband, NRIC recommended that: (1) Service providers, network operators and equipment providers should establish operational standards and practices that would support broadband capabilities and interoperability. (2) Service providers should make available meaningful information about expected performance on upstream and downstream throughput and any limitations of the service.

Broadband focus group Chmn. Doug Davis said that while there had been “an underlying assumption that once you have an IP address on the public Internet, network-based applications should work… as network-based applications for broadband evolve, transport layer transparency will play a more important role.” He said the group made several recommendations in the area of service transparency: (1) Service providers should establish and develop internal controls to administer the network policies associated with protocol or port filtering. (2) They should make policy information available to customers, including content filtering static policies. (3) Service providers and network operators should establish operational standards that would provide transparency for current products and applications as well as ensure continued multiprovider solutions with minimal operational interference as products and systems evolved. (4) Service providers should establish and develop internal controls to administer the network policies associated with protocol or port filtering “whereby network security takes precedence in maintaining overall reliability, integrity and availability of the carrier’s network and interconnection ‘peering’ or ’transit’ points.”

The NRIC’s homeland security focus group recommended that the additional NRIC VI Physical Security Best Practices be implemented by service providers, network operators and equipment suppliers to “promote the reliability, robustness, adequate capacity, security and sustainability of the public communications infrastructure” nationwide during emergency events and to “more effectively restore from disruptions of public communications” and Internet services caused by terrorist activities or natural disasters. The group also said govt. entities should “not aggregate sensitive information critical to the communications infrastructure.” It said exceptions should be limited to information needed to address specific concerns in support of federal homeland or national security objectives.