Trade Law Daily is a Warren News publication.
Flexibility Key

Scuttle Proposal for Cybersecurity Certification Program, Major Carriers Tell FCC

CTIA, USTelecom, AT&T, Verizon, Qwest and Sprint Nextel said the FCC should drop, at least for now, plans for a voluntary cybersecurity certification program that the commission proposed. In an April 21 notice of inquiry, the FCC asked how such a program would work and whether it would improve security.


“CTIA believes the proposed voluntary certification program may not have the desired outcome,” it said. “In addition to being logistically challenging, the program is unlikely to provide sufficient flexibility to address the realities of cyber threats, and it may even leave networks more vulnerable to attack. The Commission could better promote cyber security by coordinating its efforts with those already underway by other federal agencies and focusing on public-private partnerships.” CTIA cited the Communications Security, Reliability and Interoperability Council, the National Communications System and the U.S. Computer Emergency Readiness Team.

“The FCC should support the public-private partnership model as an ideal mechanism for ensuring successful implementation of constructive cybersecurity policies,” USTelecom said. “Prescriptive regulations could substantially undermine these public-private partnerships by chilling these cooperative efforts between industry and government.”

The proposal for a voluntary certification program “is premised on an incorrect assumption that there are insufficient market-based incentives for communications providers to implement effective cyber security practices,” AT&T said. “In fact, substantial incentives exist for communications providers to educate customers on cyber security policies and implement effective cyber security practices, and those providers will and do lose customers if they fail in that effort.” AT&T said it’s unclear “what practical value the program would add, whether it would be useful to network operators and whether they would even participate, especially in light of the significant logistical challenges faced.”

Verizon and Verizon Wireless said the government has a role to play in cybersecurity but must proceed with care. “Due to existing cybersecurity mechanisms already in place, the government must tread carefully so that any new regulation does not disturb the current systems or divert network operators’ resources from security enhancements,” Verizon said. The carrier said broadband providers are already devoting “substantial resources” to protect their networks from cyber-attacks. “The Commission’s well-intentioned proposal to develop a cybersecurity certification program should not proceed unless and until integrated into a unified approach supported by the rest of the government.”

Qwest said there’s “no need” for the kind of program proposed in the notice. “Qwest has a long history of ensuring that its network performs at a very high level of reliability,” the carrier said. “Qwest believes that its peers operate with similar economic incentives to provide reliable and secure services. Qwest does not believe that the cyber security certification program proposed in the NOI will provide a greater incentive for it to provide reliable and secure services that fulfill its customers’ needs.”

A certification program “is not necessary to create the powerful market incentives communications service providers already have to deploy robust cyber security measures to protect their networks and customers,” Sprint Nextel said. “The Commission may want to suspend consideration of a certification program until its role in the emerging federal cybersecurity landscape becomes clear, and it completes its broader broadband Notice of Inquiry.”

MetroPCS also opposed the proposed certification program. “A one-size-fits-all approach to cyber security will lead to resource inefficiency and to potential vulnerabilities, as networks will be encouraged to use measures that may not exactly fit their individualized needs,” the company said. “Further, industry groups are better able to reflect changes that occur over time as opposed to regulatory requirements that must go through the regulatory process prior to any change.”

Several commenters questioned whether the FCC has legal authority to set up a certification program. “Putting aside the policy and practical weaknesses of the certification program, the Commission has not identified any compelling basis for statutory jurisdiction under Title I, Title II or any other provision of the Communications Act that would allow it to establish a cyber security certification program, as it is required to do with any regulatory action,” AT&T said.