Trade Law Daily is a Warren News publication.
SMB Outreach Sought

Stakeholders Praise CSRIC Cybersecurity Report's Voluntary Recommendations

Industry stakeholders universally praised the FCC Communications Security, Reliability and Interoperability Council (CSRIC) report on communications sector cybersecurity risk management for recommending voluntary processes and assurances, with Motorola Solutions saying in comments posted Monday that those recommendations “strike an appropriate balance” between assuring cybersecurity protection and reflecting the interests of all stakeholders. The CSRIC report, adopted in March, was meant to adapt the National Institute of Standards and Technology’s Cybersecurity Framework for communications sector use (see 1503180056). Industry groups CTIA and TIA similarly praised the CSRIC report for providing important guidance to the sector (see 1505290042). A separate Department of Commerce Internet Policy Task Force (IPTF) proceeding (see 1504090049 and 1503160059) on possible cybersecurity topics the IPTF should address through multistakeholder work drew multiple filings urging the IPTF to factor the NIST framework into its process.

The CSRIC report in part calls for developing a voluntary confidential meetings program in which companies could meet with the Department of Homeland Security (DHS) and the FCC on their cybersecurity practices, with the success of those meetings dependent on “their confidentiality and their remaining outside the regulatory context,” Motorola said. “Companies must feel secure that the information they share shall be covered under the Protected Critical Infrastructure Information (‘PCII’) Program and shall not be divulged, disclosed, or used against them in a future enforcement proceeding.” Motorola praised CSRIC’s recommendation for adding sector segment-level overviews of cybersecurity risk management practices to the annual Communications Sector Annual Report for “affording stronger confidentiality protection to communications companies, through their role as critical infrastructure providers, which will in turn provide additional comfort in sharing this data.” CSRIC also recommended expanded industry participation in DHS’ voluntary Critical Infrastructure Cybersecurity Community program to encourage industry use of the NIST framework, which Motorola said will “provide a platform for promoting implementation of the NIST Framework across the sector.”

Huawei said the CSRIC recommendations “provide a significant and important resource for individual companies to analyze” their cybersecurity risk relative to the rest of the communications sector, which “can contribute markedly to the FCC’s goal of reducing cybersecurity risk to critical communications network infrastructure, enterprises, and consumers.” The sector can continue to improve its risk management by incorporating best practices on evaluating “vendors and providers from a cyber security risk perspective, including supply chain risk management,” Huawei said. NIST identified supply chain risk management as one of the areas in which the Cybersecurity Framework required additional work. Huawei said its own supply chain risk management practices take a “built-in” approach that “includes evaluation of our vendors and suppliers, as well as supply chain risk, generally.”

The American Cable Association (ACA) urged the FCC to consider the position of small- and medium-sized businesses as it plans implementation of the confidential meetings program. “As a practical matter the Commission and DHS are unlikely to be able to meet with all small providers individually given the large number of smaller companies that provide communications services in America,” ACA said, noting there are 2,100-3,100 small- and medium-sized firms in the sector that serve rural and smaller urban markets. Individual meetings with a sampling of small- and medium-sized providers would allow DHS and the FCC “to adequately glean the insights that are of relevance and concern for the entire sector of smaller providers,” ACA said.

Smaller providers that don’t meet with DHS and the FCC “should not be considered any more or less likely to be taking reasonable steps to manage their cybersecurity risks and threats than other similar companies” if the federal agencies choose not to hold meetings with all such providers, ACA said. DHS, the FCC and NIST should use trade shows as a venue for holding meetings with smaller providers, as well as regional meetings organized by state and local governments, ACA said. The group also recommended that DHS and the FCC expand the scope of the confidential meetings beyond the NIST framework, which would “increase the value of these meetings to the small and medium-sized businesses that participate,” ACA said.

WTA-Advocates for Rural Broadband also urged further FCC outreach to smaller firms within the communications sector, which the group said is “critical to ensure that consumers, businesses and service providers in rural areas benefit from broader industry efforts to improve cybersecurity practices, as well as protecting larger service providers that might have more sophisticated cybersecurity postures from cyber attacks initiated on small provider systems with which the larger providers interconnect.” WTA also urged further work on incentives for improving cybersecurity risk management, particularly financial incentives since cost remains the top barrier to improving cybersecurity. The FCC’s incentives work should include considering cybersecurity costs in its USF reform work, WTA said.

The Satellite Industry Association (SIA) praised work that CSRIC Working Group 4’s satellite subgroup did to highlight satellite industry issues as Working Group 4 wrote the CSRIC report. “Whether it is in the wake of disasters that have disabled terrestrial communications, or to provide reliable, day-to-day communications in harsh, remote environments, satellite systems are an indispensable part of the nation’s communications infrastructure,” SIA said.

The IPTF should consider focusing its cybersecurity multistakeholder work on pilot testing the NIST framework, both to evaluate its cost-effectiveness and to determine effective incentives for using it, ISA said. NIST is one of the IPTF’s member agencies. “There has been virtually no work done to generate real data” on the cost-effectiveness of the framework “or to guide future policy development on incentives,” in contrast with DHS’s work to pilot test its information sharing initiatives before fully implementing them, ISA said. There is wide support for evaluating those issues, ISA said. CTIA and a coalition of automobile groups jointly urged the IPTF to focus its cybersecurity work on issues it can solve in the short term, including addressing distributed denial of service attacks and developing cybersecurity training protocols for small- and medium-sized businesses.

USTelecom urged the IPTF to focus on narrowly defined cybersecurity issues, which will “ensure that NTIA and participating stakeholders attain actionable results, while better economizing existing resources.” The most important topics the IPTF should explore include botnet and malware mitigation, which have already received significant attention from industry-led groups, USTelecom said. Further multistakeholder engagement on botnet and malware issues should focus on further expanding the Industry Botnet Group’s set of voluntary best practices for “a broad set of ecosystem stakeholders,” USTelecom said. NTIA “could function as an effective facilitator to orchestrate the high level of ecosystem engagement that will increase the likelihood of achieving further progress” on botnet and malware mitigation, USTelecom said. The IPTF should also focus on trust and security within core Internet infrastructure, including cybersecurity issues with the Domain Name System (DNS), the Border Gateway Protocol (BGP) and Transport Layer Security (TLS) certificates, as well as cybersecurity issues within the Internet of Things (IoT), USTelecom said.