Cybersecurity Standards Must Not ‘Leave the Public Short,’ Simpson Tells CSRIC
The FCC is putting its emphasis on measurement and accountability as industry develops standards for cybersecurity, David Simpson, chief of the Public Safety Bureau, told the FCC Communications Security, Reliability & Interoperability Council Wednesday at CSRIC’s quarterly meeting. Simpson said industry must not “leave the public short” and accept “unacceptable degrees of risk.”
“We want stakeholders to create this new paradigm of business-driven cybersecurity risk management that will be a measurable, accountable substitute for traditional, prescriptive regulation,” Simpson said. “We don’t want to define the checklist and then require you to do the checklist.” Letting industry develop standards should prove more “flexible and dynamic” than FCC-imposed regulation and “more demonstrably effective than blindly trusting the market,” he said.
“Voluntary” doesn’t mean industry doesn’t have to get on board with the guidelines, Simpson said. But he acknowledged FCC regulation can’t keep up with a rapidly changing Internet sector. “We believe that CSRIC’s efforts to implement the framework will provide a groundbreaking opportunity for companies to take that real ownership I described of cyberrisk management,” he said.
Simpson encouraged the CSRIC to consider “nonregulatory responses” that may be needed if any companies fall short of the cyberrisk guidelines. The FCC isn’t “looking for reports of cyber minutiae,” he said. “Cyber minutiae is something we want the CSRIC to deal with.”
Simpson’s remarks built on his comments at the last CSRIC meeting in June (CD June 19 p2). Also in June, FCC Chairman Tom Wheeler warned that the FCC is not afraid to step in to regulate if voluntary efforts fall short (CD June 13 p1). The CSRIC cybersecurity working group is making substantial progress on its recommendations to adapt the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework to communications sector needs, the co-chair of the working group said this week (CD Sept 24 p4).
On another key issue, the CSRIC approved a final report Wednesday on 911 location accuracy and testing, as carriers transition from 3G and 4G to Voice over LTE (VoLTE) platforms. The FCC had sent the working group nine questions to answer, officials said. The report, as is the case for the others approved by CSRIC Wednesday, hadn’t been posted by the FCC.
The working group found that the FCC likely will not have to modify existing standards for wireless location accuracy to accommodate VoLTE, said co-chairman Brian Fontes, CEO of the National Emergency Number Association. But different procedures may be needed if the FCC imposes standards for indoor location accuracy, he said. The working group also advised that the current CSRIC, CSRIC IV, adopt the same standards as those adopted by CSRIC III.
“The net-net” of the recommendations is that VoLTE location performance, at least outdoors, will be “slightly better or equivalent to 2 and 3G performance,” Fontes said. But tests will be necessary to validate VoLTE performance, he said.
Simpson said since everything is “faster” with LTE, he wondered why location performance wouldn’t be considerably better than with earlier networks. Laura Flaherty of the National Highway Traffic Safety Administration, the other working group co-chair, said just because the air interface is faster in LTE, the messaging between network nodes and latency won’t necessarily improve significantly.
CSRIC approved a final report from its working group on best practices for addressing service-based distributed denial-of-service (DDoS) attacks. The report looks at actual DDoS attacks and examines a variety of existing industry best practices, said Mike Glenn of CenturyLink, working group co-chairman. The report recommends 25 best practices for network operators, 17 for hosting providers and eight for the victims of attacks, he said.
No magic bullet exists, Glenn said. “This is a really hard space,” he said: Many of the recommendations are hard to implement. “That’s kind of how the problem shakes out,” he said. “It is what it is.”
Simpson questioned what role the FCC can play in curbing DDoS attacks if it doesn’t want to impose regulations. Simpson drew a parallel to the FCC’s voluntary approach on cybersecurity. The most “powerful thing” might be to get various parties to the table for further discussions, he said. “We’d love to identify the barriers” and “figure out how to mitigate those barriers and actually move forward,” he said.
The CSRIC also approved a report by its legacy technologies group on revised best practices for legacy systems. The group assessed 1,022 best practices from an earlier CSRIC report and zeroed in on 476 for further study, said Robin Howard of Verizon, working group co-chairwoman. The group identified 22 as no longer relevant, found 40 to be up to date and found 322 that needed to be modernized.
Simpson said he’s particularly interested in reading the report. “Having witnessed a number of tech transitions, the greatest risk is quite often not in the new bleeding edge” technology, Simpson said. “It’s in the retirement of legacy systems. When there is no more new investment money around technical solutions, the supply chains begin to dry up for replacement parts.”
CSRIC also signed off on a report by its working group on powering consumer devices during commercial power failure. Among the recommended best practices is that service providers should provide consumers with affordable backup power for devices that tie VoIP systems into the public switched telephone network, said Tim Walden of CenturyLink, co-chairman of the working group.
The working group also recommends standardization for Power over Ethernet, Walden said. Power over Ethernet “would solve a lot of problems that we’re seeing today,” he said. The report also recommends that when power outages occur, providers should make spare batteries available “at a reasonable price,” he said.