FCC’s Proposed Cybersecurity Regulation Fatally Flawed

For most people, the hardest part of their last few days on the job is finding the motivation to tie up loose ends before they leave. This should have been easy for the former chairman of the Federal Communications Commission (FCC), Tom Wheeler, who left the agency upon President Trump’s inauguration. After Trump’s election victory, congressional leadership advised Wheeler to focus his staff’s energies on consensus and administrative matters and to avoid complex or controversial issues.

Wheeler didn’t take their advice. Just two days before Trump’s inauguration, Wheeler’s FCC issued a white paper asserting that the agency (1) has jurisdiction to comprehensively regulate cybersecurity for commercial communications networks and (2) should regulate the cybersecurity practices of broadband internet service providers (ISPs) and other sectors of the communications industry.

The FCC’s report is not only complex and controversial, its key conclusions are wrong. Like the analysis in so many other items the Wheeler FCC issued, the report just presumes the agency has authority to do whatever it likes with regard to cybersecurity. It doesn’t. Congress has determined that the Department of Homeland Security (DHS) is the appropriate forum for addressing cybersecurity, not the FCC.

The FCC’s view of the cybersecurity marketplace is also based on something other than reality. Compelling evidence shows that market forces are in fact incentivizing substantial investment in the deployment of cybersecurity protections without the FCC’s interference.

Perhaps the fact that authority over cybersecurity matters has been delegated to DHS explains the FCC’s motivation for issuing the white paper during the 11th hour of Wheeler’s tenure. The Trump Administration is reportedly considering a reorganization of the FCC that would move duplicative functions to other agencies. The white paper’s claim that the FCC is “uniquely situated” to regulate cybersecurity for commercial networks appears to be a ploy to maintain the agency’s relevance to communications security issues even after the old telephone network is phased out entirely.

The FCC’s unsupported allegation of a cybersecurity market failure similarly appears designed to justify the agency’s desired role. The FCC suggests this role would be aimed at forcing ISPs to bear direct responsibility for and the costs of all cybersecurity regulation industrywide, an approach that supports Wheeler’s vision of subjecting ISPs to a unique FCC regulatory scheme premised on Title II.

The white paper’s proposed win-win for FCC job security (asserting jurisdiction) and Wheeler’s regulatory legacy (supporting Title II reclassification of broadband) would be a disaster for cybersecurity. The FCC does not have clear jurisdiction to address cybersecurity issues in a comprehensive manner, and the limited approach the agency envisions would create confusion and conflict with broader efforts that are already well underway at the DHS.

The white paper’s suggestion that the FCC focus its cybersecurity efforts on ISPs would also be ineffective. The ability of ISPs alone to mitigate cybersecurity risks is limited by technology and (ironically) Title II regulation itself. As a technical matter, ISPs can’t filter encrypted data traffic, and the use of encryption on the internet is growing. And as a regulatory matter, the FCC’s Title II rules prohibit ISPs from exercising control over significant sources of cybersecurity risk (like end-user devices and software). Security experts consider Apple’s mobile operating system (iOS) to be more secure than Google’s (Android), but if a wireless service provider were to prohibit the use of Android phones on its network to promote cybersecurity, it would be slapped with a Title II complaint faster than you can say “net neutrality.”

Finally, an FCC effort to impose top-down regulations on the rapidly-changing global market for cybersecurity would inhibit innovation and the competitiveness of U.S. firms. “Speed is where the Black-Hats [hackers] have the advantage over the White-Hats [cybersecurity experts].” Moving cybersecurity at the speed of government would make international White-Hats look like cheetahs and American competitors look like snails.

The FCC is not an appropriate forum for a comprehensive approach to cybersecurity

Despite its grandiose claims that the FCC is “uniquely situated to comprehensively address” cybersecurity due to its hold on ISPs, the agency has zero cyber expertise or jurisdiction. The white paper itself acknowledges that “[c]yber risk can be introduced at any stage of the communications supply chain, from product design, to testing, to manufacturing, to product introduction and distribution, to product maintenance and support, and finally, to product retirement.” Despite this reality, the FCC’s proposal for cybersecurity reporting requirements would be limited to “broadband internet access service” only, as defined in the agency’s net neutrality rules. That definition excludes internet backbone providers, content delivery networks, private internet connections, manufacturers, and devices and software of all kinds. The white paper doesn’t reconcile the FCC’s claim that it’s “uniquely situated” to regulate cybersecurity issues with the fact that the agency hasn’t asserted regulatory jurisdiction over the vast majority of the cyber risk supply chain.

Congress has given the Department of Homeland Security express authority to address cybersecurity matters

Congress gave the DHS express authority to address cyber risk for both commercial and federal entities in the Cybersecurity Act of 2015. Among other things, the act enabled real-time exchange of cybersecurity information among federal government and non-federal entities through the National Cybersecurity and Communications Integration Center while removing the threats of liability and antitrust prosecution. The ability of DHS to collect and integrate cyber information from a truly comprehensive array of sources renders the FCC’s proposal to collect information only from ISPs both duplicative and absurd.

The FCC’s naked power grab should be rebuffed by policymakers in the new Administration. The Department of Homeland Security is occupying the cyber field at the express direction of Congress. DHS has already launched an automated system for sharing cyber information, created a program to strengthen the nation’s cybersecurity workforce, established funding for cybersecurity research and development, and published guidance on “everything from setting up your first computer to understanding the nuances of emerging threats.” If more federal action is needed on cybersecurity, DHS is the appropriate forum for it.

There is no market failure impairing the deployment of cybersecurity protections by ISPs

Even if the FCC were an appropriate forum for cybersecurity regulation, the FCC’s attempt to justify a need to impose new rules on ISPs based on an alleged market failure is not supported by actual facts.

Private investment in cybersecurity is booming. From 2009 to 2014, corporate investment in cybersecurity companies increased 5x, and it has shown resilience to market turmoil. In mid-2016, Gartner predicted the global cybersecurity market would have a compound annual growth rate (CAGR) of 7.8% through 2020; a more recent report by M&M research estimates a CAGR of 10.6% through 2021 (from $122 billion in 2016 to $202 billion in 2021), and others are even more bullish. Median salaries for chief information security officers (CISOs) are going up, and CISOs “are becoming boardroom mainstays” who are expected to present accurate cyber risk information to leadership alongside corporate financials.

Investment in cybersecurity is increasing in response to the recent rise of organized cybercrime and new data detailing cybercrime’s impact on the cost of doing business. In 2014, the Center for International and Strategic Studies estimated that the annual cost to the global economy from cybercrime is more than $400 billion, and according to a research report prepared for IBM, the biggest financial consequence to organizations that experience a data breach is lost business. After a decade of research into the cost of data breaches and the emergence of organized cybercrime, cybersecurity is now seen as an ordinary and consistent cost of doing business that plays a critical role in customer retention. Private companies now recognize “the reality is you’ve got to be willing to do what it takes” to protect customers.

This evidence of increasing investment in cybersecurity and other private-industry responses to cyber risk offers no indication there is a market failure, and the FCC’s white paper doesn’t present any contrary facts. The agency claims that market forces alone aren’t providing the “necessary cybersecurity investment for society as a whole,” but provides no data regarding the actual level of private investment in cybersecurity or the actual level of cybercrime and its relation to that level of investment (if any). The FCC’s white paper also makes no effort to quantify the potential cost of the additional cybersecurity investments and regulations it considers “necessary” or to compare those costs to the benefits it expects its regulations to produce. The FCC apparently believes a naked conclusion is all that’s needed to justify its intervention.

Even if there were evidence of market failure, there is no indication that FCC meddling along the lines Wheeler suggested would solve it. Consider that the federal government appears to have fared no better at protecting its own networks and cyber assets from cybercrime than private industry. Cybercrime against federal agencies is often headline news:

  • A 15-year-old reportedly hacked into the email inbox of CIA director John Brennan in October 2015, and may have leaked data about 20,000 FBI employees and 9,000 DHS agents.
  • The “cybermafia” stole information on 724,000 people from the IRS in 2015, and used it to steal $50 million in federal funds by filing for bogus tax refunds.
  • Personal information involving 22 million people was stolen from the Office of Personnel Management over an extended period in 2013-2016 by suspected Chinese hackers.

Other hacked federal agencies include the State Department, White House, and U.S. Postal Service.

Conclusion

The FCC has no role in adopting new cybersecurity regulations for the broadband industry, and the new Administration and Congress should keep it that way. Cyber oversight should be kept at the Department of Homeland Security where it belongs.