Title II Reclassification Seen Presenting Potential for Increased FCC Cybersecurity Authority
The FCC’s expected vote Thursday to reclassify broadband as a Communications Act Title II service has the potential to unintentionally expand its regulatory authority on communications sector cybersecurity, ex-agency officials said in interviews. They conceded it’s unlikely the commission has any plans to exercise that authority in the near future given the strong likelihood of legal challenges to new net neutrality rules. Industry lawyers have said the FCC can claim authority on cybersecurity at least via Title I, and could stake a claim via Title II and Section 706 (see 1406240037). FCC Chairman Tom Wheeler has been championing improving cybersecurity risk management within the communications sector since last year via voluntary private sector-led work in the Communications Security, Reliability and Interoperability Council’s (CSRIC) Working Group 4 and the Technological Advisory Council (see 1406130056).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Title II “is so vast and powerful that it could conceivably be leveraged to expand the FCC’s reach into a number of areas,” said former Commissioner Robert McDowell, now at Wiley Rein. “Maintaining the security of telecom networks is one of the pillars of Title II, so an argument could be made that new Title II authority could lay the foundation to reach further into cybersecurity.” Section 222 is limited in its scope and companies that would fall under Title II regulation under the new net neutrality rules would likely argue that “the FCC has no more authority over cybersecurity than it did for telecom proprietary network information for all these decades,” McDowell said. The FCC didn’t comment.
Reclassification “raises questions” about whether Title II authority could more fully apply to cybersecurity regulation on protecting the security and reliability of broadband networks, said former Public Safety Bureau Chief Jamie Barnett, now representing 911 wireless accuracy stakeholders and other telecom companies at Venable. He said telcos “pushed back very hard” on including broadband outage reporting requirements in 2012 VoIP outage reporting rules (see report in the Feb. 16, 2012, issue) “even though VoIP runs on broadband.” The telcos eventually reached a détente with the FCC and agreed to the VoIP rules sans broadband reporting requirements based on the FCC’s authority on 911 reliability, Barnett said. The FCC could have a stronger hand to seek cybersecurity-related requirements if the broadband-related issues included in the 2012 VoIP rulemaking “come under the Title II umbrella,” particularly reliability concerns like packet loss, jitter and latency, he said.
It's too early to know how exactly Title II reclassification will affect the FCC's cybersecurity authority, but there's “some possibility” that Title II reclassification “could be perceived as enhancing the FCC’s authority to regulate with cybersecurity considerations in mind," said former Public Safety Bureau Chief David Turetsky, now at Akin Gump. It's likely the FCC “won’t intend for the new rules to be an impediment to stopping distributed denial-of-service attacks and other sorts of destructive activity,” Turetsky said. The 2010 net neutrality rules gave carriers “broad discretion” to manage their own cybersecurity as “reasonable network management,” he said. “My guess is that they’ll be sensitive to that in the new rules as well.”
The extent to which the FCC’s cyber authority actually expands with Title II reclassification will depend on the actual language of new net neutrality rules and how courts interpret them in widely anticipated challenges to the order, Barnett and Turetsky said. “We’ll have to see” which Title II provisions the FCC forbears from before any changes in authority become clear, Turetsky said. “We’re going to have a long road through the courts.” Wheeler’s statements on FCC involvement on cybersecurity have always pointed in favor of fostering voluntary action rather than seeking regulation, “and I take him at his word on that,” Barnett said. “It’s a little bit of a different game if the FCC could impose regulations and that their authority is clear. That may not be quite as clear until any litigation clouds are cleared up.”
McDowell said he believes the FCC may choose not to wait for courts to decide legal challenges against Title II reclassification before it determines how to proceed on cybersecurity, particularly since the net neutrality order will take effect after approval unless a court stays it. “I’d expect that as aggressive as the Wheeler FCC has been on enforcement matters, they’ll want to define the scope of their new Title II authority through enforcement proceedings as quick as possible,” he said.
The future trajectory of the net neutrality rules won’t affect CSRIC Working Group 4’s ongoing work on its cybersecurity best practices report, said Working Group 4 Co-Chairman Robert Mayer. The group submitted a draft of its final report to CSRIC last week. The report, which will focus on how to adapt the National Institute of Standards and Technology’s Cybersecurity Framework for communications sector use, is set for consideration at CSRIC’s March 18 meeting (see 1502200046). “Nothing in the report implicates traditional authorities that the FCC operates under because it was understood from the beginning that this was a voluntary initiative,” said Mayer, USTelecom vice president-industry and state affairs. “I’m confident that the report will validate that consideration.”