Trade Law Daily is a Warren News publication.
Availability 'King' Indicator

Communications Sector, Agencies To Begin Planning Cybersecurity Metrics Pilot Program

The communications sector and federal agencies plan to begin developing a pilot program over the next month to further develop and test metrics for the FCC Communications Security, Reliability and Interoperability Council’s report on sector cybersecurity risk management, said industry executives and government officials Thursday. The CSRIC report, adopted Wednesday, was meant to adapt the National Institute of Standards and Technology’s Cybersecurity Framework for communications sector use (see 1503180056). The report continued to draw praise Thursday, with industry executives and federal officials saying during a USTelecom event that the report represented a turning point for communications sector cybersecurity.

The CSRIC report recommended the FCC adopt the availability of critical communications infrastructure as the main meaningful indicator of cybersecurity risk management. Most sector participants “would say availability is king” and is the best indicator of the potential impact of a cyber event, said CenturyLink Director-National Security Kathryn Condello, chairwoman of the Communications Sector Coordinating Council (CSCC). “If you don’t have the signal, if you don't have the dial tone, the rest of it is immaterial.” Network availability “is in the core DNA” for companies like AT&T, said Assistant Vice President-Global Public Policy Christopher Boyer, who co-chaired a measurement feeder group within CSRIC Working Group 4, which produced the cybersecurity report. Boyer also led Working Group 4’s wireline segment. Other possible indicators like botnet attacks aren’t completely within the control of the communications sector like network integrity is, Boyer said.

Private sector companies proposed that the CSCC, FCC, Department of Homeland Security and other agencies begin planning a metrics pilot program by holding an all-party meeting within the next month to collect input and then bring in sector technical experts to develop possible technical metrics based on that input, Condello said. All parties would then reconvene in August or September to see what the technical experts propose, she said. “I believe we will be able to drive to something that’s reasonable,” Condello said. The sector wants to begin piloting the metrics by the beginning of October, she said. “Is it going to be perfect? No. Is it going to be pristine? No. But it will I think be one of the first demonstrable pilots” examining whether it’s possible to measure cybersecurity over an entire sector, she said. “I have faith and I have confidence that we will be able to do something interesting, and we’ll see if it ends up being fabulous.”

The proposed metrics pilot will be the next step in moving the communications sector’s cybersecurity work forward, said Public Safety Bureau Chief Cybersecurity Counsel Clete Johnson. Much of the work the private sector and the FCC do based on the CSRIC report is going to be seen as a pilot program, and it’s likely to be something “that will be occupying a lot of our time” over the next year, said Public Safety Bureau Associate Chief-Cybersecurity and Communications Reliability Jeff Goldthorp. The CSRIC report’s recommendations and guidance are focused on cybersecurity within the communications sector, but the sector affects all other critical infrastructure sectors and the lessons learned from the CSRIC report could be applicable internationally, Johnson said.

Goldthorp and Johnson praised the CSRIC report Thursday, echoing positive comments about it Wednesday from FCC Chairman Tom Wheeler and Public Safety and Homeland Security Bureau Chief David Simpson. “It’s a solid platform for us to build on,” Goldthorp said. The FCC issued a public notice on the CSRIC report in docket 15-68 Thursday that seeks out “constructive support” on the report’s conclusions and recommendations, Johnson said. Comments on the CSRIC report are due May 29 and reply comments are due June 26, the FCC said. Wheeler “will have a lot more to say” on the CSRIC report in the next few weeks, “and that will be aimed at understanding what’s the best way for us collectively to move forward” and apply the report, Johnson said.

The CSRIC report also has the potential to provide feedback to NIST as it continues to collect reaction to its Version 1.0 Cybersecurity Framework, said NIST Senior Information Technology Policy Adviser Adam Sedgewick. “We can bring in” material from the CSRIC report and consider how it can apply broadly across all critical infrastructure sectors, he said. The report “is really a great example of the sorts of things we hoped that the framework process would foster,” said Sedgewick. The CSRIC report “really demonstrates the living nature” of the NIST framework, said Computer Security Division Chief Donna Dodson, who was Working Group 4’s senior technical adviser.

Boyer, Condello and other executives said they believe the CSRIC report significantly advances the communications sector toward the “new regulatory paradigm” that Wheeler sought when he assigned Working Group 4 the task of writing the CSRIC report last year. The NIST framework provided a common taxonomy that all critical infrastructure sectors can use, while the CSRIC report put the framework into terms that communications companies can apply “in their everyday jobs,” said NCTA Vice President-Broadband Technology Matt Tooley. The report also provided guidance to small- and medium-sized sector companies since the NIST framework “can be overwhelming to a small carrier,” while still providing the flexibility that the NIST framework included, said NTCA Industry and Policy Analysis Manager Jesse Ward.