FCC Seen to Have at Least Title I Authority on Cybersecurity
The FCC has at least some legal authority to justify its expanded focus on cybersecurity risk management in the communications sector, which parallels other agencies’ efforts to implement President Barack Obama’s 2013 executive order on the topic (CD Feb 14/13 p1), former FCC officials and industry observers told us. FCC Chairman Tom Wheeler has strongly advocated industry leadership of work to improve the sector’s cybersecurity, saying in a speech at the American Enterprise Institute (AEI) earlier this month that he’s seeking private sector participation but the FCC is prepared to regulate the issue if that fails (CD June 13 p1).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Wheeler’s AEI speech indicates he’s “pretty confident that he’s got the authority to move forward, and probably on more than one set of authorities,” said former FCC Public Safety Bureau Chief Jamie Barnett, now co-chairman of Venable’s telecom and cybersecurity practice. Most of those authorities would fall under Title I of the Communications Act, including the FCC’s “traditional role” on public safety matters and in authorizations related to public safety communications and 911, he said. Wheeler could also act on cybersecurity through Title II reclassification of broadband as a utility, but most industry observers believe he would reserve this as a “nuclear option,” Barnett said. Net neutrality advocates have urged the FCC to reclassify broadband to be under Title II because it would allow for stronger net neutrality rules, but most observers believe that’s unlikely to happen. “I don’t think that’s the first or second option on this,” Barnett said.
Former FCC Commissioner Robert McDowell, now a Hudson Institute fellow, said the FCC’s authority on cybersecurity is “limited” to its role under Title I, and its primary role should be as a partner for other agencies that have a cybersecurity role, including the Department of Homeland Security. “Congress has not legislated specific cybersecurity authority to the FCC period,” he said: “Congress has not designated the FCC to be the lead cyber agency. The FCC will find there are other federal agencies that will jealously protect their turf in the cybersecurity realm. It remains an open question how far the FCC can go.” Brendan Carr, public safety aide to FCC Commissioner Ajit Pai, had no comment.
The FCC may institute a status-reporting program as part of its cyber efforts, which could be confidential like current service outage reporting requirements or could take another form, Barnett said. “The question then becomes, will that become voluntary or mandatory?” he said. The FCC has instituted multiple voluntary reporting programs -- with varying success -- along with mandatory ones, Barnett said. Cybersecurity reporting is likely to begin as a voluntary regime given the sector’s overall preference for voluntary measures, he said. That would fit in with the Obama administration’s pattern of encouraging voluntary cybersecurity efforts like use of the National Institute of Standards and Technology’s Cybersecurity Framework, Barnett said.
No one appears to be disputing that the FCC has at least some authority to deal with cybersecurity, and the FCC’s actions thus far indicate it’s following the approach set forth by the cybersecurity executive order by reserving regulatory authority as a backup, said Norma Krayem, a principal at Squire Patton. The executive order identified the communications sector as a critical infrastructure sector but did not direct independent agencies like the FCC to participate, she said. The work occurring through the FCC’s Technological Advisory Committee and the Communications Security, Reliability & Interoperability Council’s (CSRIC) Working Group 4 will put the communications sector on a “parallel track” with the other sectors, Krayem said.
The FCC’s current cyber efforts are built on groundwork established under former Chairman Julius Genachowski and previous FCC chairmen, including previous CSRIC initiatives like the ISPs’ anti-botnet code of conduct (CD March 23/12 p1) and work to protect against website spoofing and Internet route hijacking, Barnett said. CSRIC’s current cybersecurity work on industry best practices will be different because Working Group 4 includes members of the financial services sector, which “creates a different dynamic” because they are customers of the communications sector, Krayem said.
Wheeler’s strong public stance on cybersecurity distinguishes the FCC’s current work from previous efforts, Krayem said. Previous chairmen have also wanted to increase the FCC’s role in improving cybersecurity, but Wheeler’s emphasis on the issue “has made the communications sector stand up and take notice,” she said. The appointment of Public Safety Bureau Chief David Simpson and Bureau Chief Cybersecurity Counsel Clete Johnson, who both have substantial past experience in cybersecurity, “brings a different level of skill sets” on cybersecurity that may “reinforce” the FCC’s focus on the issue, Krayem said.