FCC’s CSRIC to Take on Cybersecurity Best Practices
The FCC Communications Security, Reliability & Interoperability Council formally launched a new working group, Working Group 4, to take on cybersecurity, with a focus on best practices. FCC Chairman Tom Wheeler opened Thursday’s CSRIC meeting with brief remarks, stressing the importance of cybersecurity and calling for the council to develop a new “regulatory paradigm” for the future.
Wheeler called CSRIC’s work a “big deal” that is critical to the U.S. economy. Regulators have to be “as smart as the Internet,” he said. “This must work,” Wheeler said. “This is a new model for government. The stakes are high. My expectations are high.” Wheeler said if a multistakeholder approach doesn’t work, the alternatives are “not attractive.” Earlier, Wheeler directed the FCC Technological Advisory Council to refocus on cybersecurity (CD March 11 p1). The new CSRIC working group is being chaired by Robert Mayer, USTelecom vice president-industry and state affairs.
Public Safety Bureau Chief David Simpson said CSRIC’s work should build on the National Institute of Standards and Technology’s Cybersecurity Framework. “The NIST framework is intended to allow organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure,” he said. Last year, Wheeler hired Simpson, a cybersecurity expert, as new bureau chief, and Simpson has refocused the bureau on cybersecurity issues (CD Feb 11 p1).
Most CSRIC members come from companies and groups “with a high degree of cybersecurity sophistication,” Simpson said. “We all work with and sell to and partner with organizations that don’t necessarily have that same high degree of cybersecurity sophistication.” The rule in cybersecurity is “risk shared by one is risk shared by all,” he said. “We’ve got to have a better way of communicating across that spectrum of cybersecurity readiness about risk and, at its core, I believe the Cybersecurity Framework will do that.” Industry players should use the NIST framework “to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment and establish a plan for improving or maintaining their cybersecurity,” he said. The framework “also offers a methodology to protect privacy and civil liberties, to help organizations incorporate these protections into a comprehensive cybersecurity program,” Simpson said.
CSRIC needs to develop a new paradigm “where we’re not micromanaging, but we’re working with you together to appropriately manage risk across the sector,” Simpson said. “It’s time to operationalize the framework within the communications sector to keep America’s information economy strong. That’s the charge to Working Group 4, to assess and update cybersecurity’s best practices that communications sector companies can use to evaluate their own cybersecurity posture and to identify needs and expectations both internally and with external stakeholders.”
A Tall Order
Simpson said the working group is facing a complicated task. “Folks, this is a tall order,” he said. “If this work doesn’t resonate in boardrooms, we haven’t done the work right. It needs to in the future drive investment, investment in the communications sector, but quite frankly, investment in other sectors as they gauge, take their lead off what this sector does.”
Mayer said the working group is getting started now because industry thought it made the most sense to wait for the NIST framework. The communications sector has “been working in the public-private partnership for a long time, for decades,” Mayer said. “In large part the reason that we are considering a different regulatory paradigm is because of the success that we have had in public-private partnerships.”
Industry has “probably never been more organized and never been more dedicated and never been more communicative” than it is on cybersecurity, Mayer said. “We totally get it that we have to succeed. … As a country we have to succeed. As an industry we have to succeed and we have to find those opportunities where we can collaborate effectively and head towards a direction that’s going to work and make sense.” The approach has to work for companies of all sizes and levels of sophistication, he said. The group should focus on the biggest threats, he added. “We have to understand what are the most critical practices in light of the current threat environment.”
CSRIC Working Group 9 on infrastructure sharing during emergencies has developed a list of best practices on roaming during emergencies, said Chairman Jay Naillon of T-Mobile. The document will list which carriers are active in each state, as well as the technologies and spectrum they use, he said. “If we see a storm moving inland, we can identify generally the area that it should be hitting landfall, we can quickly look at the matrix and identify which carriers are probably going to be impacted,” he said. “It can help you start preparing for the potential roaming if it becomes necessary, is feasible and mutually agreeable.”
CSRIC Working Group 1, on next-generation 911, is working on a report on the “technical feasibility” of wireless carriers including Phase 2 location accuracy information in texts sent to 911, said Chairman Brian Fontes, CEO of the National Emergency Number Association. The report is to be ready by CSRIC’s June meeting, he said. The group is also looking at standards for text-to-911, Fontes said. The industry-proposed standard assumes that a public safety answering point will designate the text-to-911 delivery method, including type of delivery method, he said. The standard “does not provide a mechanism for supporting this functionality and indicates that this is an area of future study … and that’s exactly what Working Group 1 is involved in,” he said. Another focus area is specifications for testbeds that industry will use to test the indoor location accuracy of wireless calls to 911, he said. “The current working group is examining the requirements to establish a permanent entity to design, develop and manage an ongoing public testbed for indoor location technologies that can provide the FCC with regular, comprehensive, unbiased and actionable data on the efficiencies of location technologies,” Fontes said. The working group is also looking at location accuracy and testing for voice-over-LTE networks, he said.
CSRIC also received a report from Working Group 7 on legacy network best practices. Chairman Robin Howard of Verizon said the group has identified 476 best practices for evaluation, with 275 on network reliability, 176 on physical security and 25 on disaster recovery. “We are now about 57 percent complete [with] that review,” he said. “We had a face-to-face meeting where we reviewed the first 303 best practices that the team is trying to finalize for the final report.” Most of the work has been changing the wording of the recommended best practices, he said. Several best practices will be forwarded to the new cybersecurity working group, he said. The working group is also preparing, at the direction of the FCC, a report on best practices for manholes needed to obtain access to communications infrastructure following a disaster, Howard said. “Physically securing all of the nation’s manholes is very complex, it’s a project riddled with numerous issues including viable threat, vulnerability and consequences.”