Wheeler Backing Off Proposal for Confidential Cybersecurity-Related Meetings
FCC Chairman Tom Wheeler won't continue to pursue a long-circulating proposal that would have set up a framework for the commission to hold confidential meetings with communications sector executives aimed at providing assurances on the firms’ cybersecurity practices, said multiple industry executives and lawyers in interviews. Wheeler proposed the meetings framework in a circulated policy statement that would have adopted the Communications Security, Reliability and Interoperability Council’s (CSRIC) 2015 report on recommendations for communications sector cybersecurity risk management, which included a voluntary commitment to participate in the meetings (see 1602220052). Abandoning the policy statement would call into question the durability of Wheeler’s “new paradigm” for the FCC’s role on cybersecurity issues, executives and lawyers said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
A halt in the push for the statement's adoption is apparently part of the FCC’s response to mounting pressure from Republicans to stop work on major policy initiatives, the executives and lawyers said. The FCC pulled an order and Further NPRM on business data services and other major items from commissioners' November meeting after the Republican leaders of the House and Senate Commerce committees urged the FCC to back off of controversial items given the transition from President Barack Obama to President-elect Donald Trump. Commissioners Michael O’Rielly and Ajit Pai also backed an end to work on controversial policy work (see 1611150052 and 1611160048).
The cybersecurity policy statement apparently had the support of Commissioners Mignon Clyburn and Jessica Rosenworcel, which would have been enough to pass it, two industry executives told us. FCC officials explored passing the statement via a declaratory ruling, the executives said. O’Rielly and Pai “weren’t prepared to sign on” to the meetings proposal, and Wheeler had sought unanimous commission support in order to strengthen the argument for industry executives to participate, one telecom executive said. An FCC spokesperson said the policy statement “is currently on circulation and we have no further comment.”
O’Rielly and Pai were concerned about how the FCC proposed to grant confidentiality protections to meeting participants equivalent to those the Department of Homeland Security uses in its Protected Critical Infrastructure Information (PCII) program, another executive said. The FCC originally sought to hold the meetings in concert with DHS as CSRIC recommended in order for participants to receive the PCII protections, but couldn’t reach agreement, the executive said. Major communications interests strongly urged the FCC to implement PCII-equivalent protections but questioned whether the commission had the authority to do so (see 1603010073).
The agency realized “a new administration is going to come in and they might have a very different approach” from how Obama and Wheeler viewed communications sector regulation, so “they didn’t want to go too far down a new road with this process if they thought they would have to backtrack on it” soon, said Internet Security Alliance President Larry Clinton. “I don’t think this policy statement will see the light of day” given the upcoming change in administration, said Venable cybersecurity and telecom lawyer Jamie Barnett. It might have been possible to continue massaging the meetings proposal in a bid to increase support if Democratic presidential nominee Hillary Clinton had been elected to succeed Obama, but a Republican-majority FCC is unlikely to view the meetings as appropriate, Barnett said.
“Nothing from a technical perspective” precludes the FCC from revisiting the proposal, but “I’m very skeptical” that it would happen under a Republican-majority FCC, one industry executive said: “We’re in a situation where CSRIC made this recommendation” more than a year ago but the FCC let it “languish.” New leadership “will want to look” at whether the FCC still can play a “legitimate role” in seeking cybersecurity assurances from the communications sector as Wheeler had envisioned “or whether that function is more appropriately located at DHS," given the department’s role as the communications industry’s sector-specific agency on cybersecurity matters, the executive said.
The proposed meetings framework never had “total confidence or buy-in from either inside or outside the FCC,” Barnett said. “The same is true in essence for the proposal that came out” of CSRIC’s 2015 recommendations, as there was only broad acceptance of the meetings “because the private sector didn’t want the FCC to do something more drastic” on cybersecurity regulation, he said. The shift to a Republican administration means “it’s a new day and everything is up for re-examination,” he said. An industry executive said there’s still support for the meetings proposal as articulated in the CSRIC report but it will be up to the regulator to decide how it wants to handle cybersecurity issues moving forward.
Wheeler's decision to no longer push for the meetings framework “is in large part a pullback” from the “new paradigm” on FCC involvement in cybersecurity risk management that he first articulated in 2014, Barnett said. Wheeler had sought a balanced approach in which the private sector would lead the communications sector’s work on cybersecurity but the FCC would reserve the right to explore regulatory “alternatives” if that work failed (see report in the June 13, 2014, issue). There was always “confusion in some quarters as to exactly what was the new paradigm” that Wheeler was calling for, Clinton said. Wheeler’s approach has drawn praise from the private sector but some identified subsequent rulemakings that have drawn on expanded Title II Communications Act authority as delineated in the net neutrality order as reason to question Wheeler’s commitment to that approach (see 1608230021).
“I’d be surprised” if a Republican-majority FCC embraces Wheeler’s vision of the commission’s role on cybersecurity, Clinton said. “You have a new administration coming in and they’re going to see things in a very different context than Wheeler did.” There can “be more than one approach” to FCC involvement in cybersecurity, but the fundamental question is “what is the proper role of government” in handling cyber issues, Barnett said. “It will be interesting to see how that develops as we move forward.”
Uncertainty about the agency’s role in cybersecurity shouldn’t affect CSRIC's ongoing work on cybersecurity issues, Barnett and others said. Several CSRIC working groups have been working on recommendations and reports that build off the 2015 report to tackle sector-related cybersecurity issues. CSRIC “is a voluntary, consensus-based process” in which the private sector and stakeholders take the lead, so “I wouldn’t anticipate any material adjustment in their recommendations” because of a possible shift in the FCC’s cybersecurity approach, an industry executive said. “I suspect CSRIC will finish up its work as planned but I don’t know how much” of an effect any cybersecurity recommendations will have “at this point,” Barnett said.