The Federal Communications Commission (again) sets its sights on cybersecurity

Hogan Lovells

The field of regulators interested in the cybersecurity practices of private companies is getting crowded, with the Federal Communications Commission (FCC) becoming more and more active in this space.  The FCC, which has jurisdiction over “all interstate and foreign communications by wire or radio,” pursuant to the Communications Act of 1934, as amended, has increasingly found bases for interpreting its authority broadly to encompass the cybersecurity of communications networks and devices.  Three recent examples highlight various paths the FCC is pursuing to regulate cybersecurity—a trend which appears likely to continue.

The FCC launched a broad-reaching inquiry into the vulnerabilities threatening the security and integrity of the Border Gateway Protocol (BGP), which is central to the Internet’s global routing system; the impact of those vulnerabilities on the transmission of data from email, e-commerce, and bank transactions to interconnected Voice over Internet Protocol (VoIP) and 9-1-1 calls; and how best to address them. The FCC sought comment on how the agency could help protect the nation’s communications networks and critical infrastructure from the vulnerabilities posed by BGP and how it could facilitate implementation of industry standards and best practices to mitigate such harms. As a next step, the FCC may propose rules on Internet routing security that could impact wireless and wireline Internet Service Providers, Internet Exchange Providers, interconnected VoIP providers, operators of content delivery networks, cloud service providers, and other enterprise and organizational stakeholders.

The FCC has also indicated interest in leveraging its authority to authorize radiofrequency equipment for import, marketing, and sale in the U.S. as a means to address the security risks associated with Internet of Things (IoT) devices. In a Notice of Inquiry, the FCC sought comment on how it could encourage manufacturers to build security into their products, including by permitting voluntary certifications in the equipment authorization process regarding compliance with the NIST IoT Report (NISTIR 8259) guidance. Securing IoT devices, particularly those in households, remains front of mind for the Administration as well. The White House recently convened private sector, academic, and government stakeholders to discuss implementing a national cybersecurity labeling program for IoT devices, with a targeted rollout in the Spring of 2023.

Most recently, on October 27, 2022, the FCC adopted a Notice of Proposed Rulemaking regarding strengthening the nation’s Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) programs against security threats. The FCC proposes to require participating alert providers to submit annual certifications that the provider has created, annually updated, and implemented a cybersecurity risk management plan. The risk management plan would need to address specific security controls, such as requiring multifactor authentication and installing security updates. Finally, the FCC would require EAS participants to provide the FCC notice of unauthorized access to the EAS equipment, communications systems, or services within 72 hours of the incident. Comments will be due thirty days after the item is published in the Federal Register.

FCC observers are also watching the FCC’s increased focus on cybersecurity for signs of whether it may extend the sorts of critical infrastructure regulations that the Cybersecurity and Infrastructure Security Agency (CISA) is developing for other industries into the telecommunications space as well.  The proposed rule regarding EAS and WEA may provide a clue on that question.  Commissioner Starks notes approvingly that the proposed rule aligns the timeframe for cyber incident reporting with the timeframe found in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which CISA is administering, and argues that the FCC’s “actions must be within the larger whole-of-government approach to protect our nation’s networks and infrastructure.”

Next Steps

These examples illustrate how the FCC is boldly claiming its place in cybersecurity regulation. Telecom and technology industry participants, including network providers and resellers, device manufacturers, service providers, and retailers, are well advised to monitor FCC activity on cyber. Sharing industry perspectives on cybersecurity issues with the FCC, through written comments or staff meetings, may help influence whether and how new rules are crafted and implemented—and ensure that the regulatory environment is manageable for industry and promotes innovation.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
