- Federal Agencies Seek Comment on New Cybersecurity Certification Program for Broadband Providers and Other Security and Privacy Issues
- May 13, 2010
- Law Firm: Sonnenschein Nath & Rosenthal LLP - Chicago Office
FCC and NTIA Seeking Comments on Wide Range of Security and Privacy Issues
A pair of recent Notices of Inquiry from the Federal Communications Commission (FCC) and the National Telecommunications and Information Administration (NTIA) demonstrate the increasing attention being paid by the federal government to information security and privacy. In the FCC Notice of Inquiry, “In the Matter of Cybersecurity Certification Program” (the “FCC Notice”)1, the FCC seeks comment from the public on the dynamics of a voluntary certification program for Communication Service Providers. In the NTIA Notice of Inquiry, “Information Privacy and Innovation in the Internet Economy” (the “NTIA Notice”),2 the NTIA seeks comment regarding the impact of worldwide privacy law on “the pace of innovation in the information economy.”
The April 21, 2010 FCC Notice of Inquiry
In a wide-ranging series of questions, the FCC inquiry covers both strategic and tactical issues that would be important in launching and maintaining a cybersecurity certification program (the “Certification Program”). Interestingly, the FCC Notice presupposes a voluntary program consisting of cybersecurity best practices. This appears to have been done for several reasons. First, a number of voluntary programs have been established in the past related to privacy and security protection programs, though only a few have gained widespread commercial acceptance (e.g., the TRUSTe system for privacy protection).3 On the security side, there are virtually no widely accepted, voluntary certification systems. The only ones that even come close have at least some level of mandatory requirements (e.g., the PCI DSS)4 and tend to be focused on a particular industry vertical. Second, as the FCC points out, it does not yet know whether there is widespread adherence by broadband providers to certain industry cybersecurity best practices, such as those of the former Network Reliability and Interoperability Council. The FCC has noted that cybersecurity requirements can be expensive, and has been loath to mandate cybersecurity requirements in the past, even as recently as in its CPNI rulemaking two years ago. But the FCC estimates that a voluntary program of cybersecurity certification would create incentives (where there now may be none) for competing broadband providers to implement best practices, and for the providers, and their largest enterprise customers, to have a say in what those best practices ought to be. For example, best practices have been adopted by many members of the wireless industry concerning billing practices and location-based services, certainly for customer marketing and differentiation purposes, but also as a necessary step to avoid the need for perhaps more intrusive and demanding regulation.
Certification Program Goals
The FCC Notice announces three goals of the proposed Certification Program:
1. to increase the security of the U.S. broadband infrastructure;
2. to promote a more security-aware culture in the communications services market; and
3. to provide more information to end users regarding the cybersecurity practices of service providers.
The FCC Notice also makes clear that the purposes of the proposed Certification Program relate directly to the core purposes of the Communications Act and, therefore, that the FCC should have the appropriate legal authority to create a voluntary certification program. The FCC Notice does, however, ask for input on what the strongest sources of authority would be for the Certification Program. It also asks whether the use of the Commission’s Title I ancillary jurisdiction would be appropriate, particularly in light of the recent D.C. Circuit decision in Comcast Corp. v. FCC, rejecting the FCC’s stated Title I ancillary jurisdiction for regulating the network management practices of a broadband provider.5
In support of the need for the above goals, the FCC Notice recites a number of challenges with the current environment related to cybersecurity, including: data indicating Internet users are increasingly susceptible to “operator error and malicious cyber attack,”6 a drop in spending on cybersecurity by at least 47% of all enterprises,7 and the inability of customers of communications services to understand the security being made available by service providers.8
Technical and Operational Areas of Inquiry
In order to achieve the articulated goals, the FCC Notice requests public comment on a comprehensive set of cybersecurity topics relevant to the establishment and maintenance of a Certification Program. Perhaps most significantly, the FCC seeks comment on whether a “market-based” approach would provide appropriate incentive to companies that would cause them to become certified. Ultimately, the question would seem to come down to whether the certification seal associated with the program would offer relative security value to commercial and other large customers. The value associated with such a seal will therefore depend on the robustness of both the criteria and the actual audits to ensure the self-certification is in compliance with the standards.
At least some guidance on the value associated with security certification programs can come from the credit card industry, which has in place the PCI DSS program mentioned above. Although not voluntary, the program has been criticized in the past for not having enough controls in place to ensure that (a) the certification audits are administered consistently and (b) those entities who are PCI certified maintain their certification appropriately. The FCC Notice asks a number of questions that would address how such concerns would be handled in the Certification Program being proposed by the FCC and by whom they would be handled.
In acknowledging that various stakeholders must necessarily be involved, the FCC Notice devotes an entire section to questions intended to elicit the precise role that the private sector should play in the Certification Program. In an interesting contrast of private versus public responsibility, the FCC first asks whether “the private-sector bodies involved in this certification program [should] have extensive responsibilities...or should the Commission retain primary responsibility?”9 The FCC concedes that the certification regime should be “primarily administered by the private sector”, as it does “not believe that the Commission has the substantial resources needed to participate in the daily operation of the proposed cyber security certification program.”10
In addition to examining the role(s) for the private sector, the FCC also seeks input on the composition of the certification regime administering the Certification Program. For example, the FCC Notice discusses a certification authority as a possible body for administering the Certification Program. It then asks whether “a certification authority should be open to all segments of the potentially affected industries, including incumbent and competitive wireline carriers; wireless and satellite providers; cable service providers; undersea cable operators; internet service providers (both facility and non-facility based); and providers of VOIP services.”11
The FCC Notice asks questions from quite different perspectives. At a fairly high level, the FCC seeks input on the benefits, advantages, disadvantages, and costs of a Certification Program,12 along with whether such a program would create disproportionate advantages or disadvantages for various stakeholders. In one very thoughtful observation, the FCC recognizes that a Certification Program (like many other things in the cybersecurity arena) cannot be a “one-size-fits-all” proposition and that any program attempting to be used by a large set of diverse stakeholders would “reduce the value of the certification program in the eyes of [its users].”13 It then requests input on whether this observation is accurate. The FCC Notice also inquires about the structure of the Certification Program, including asking for input on membership and operating procedures (along with possible standards-based models that could be used for the Certification Program).
At a more detailed level, the FCC Notice states that “the Commission would establish general cyber security objectives that would serve as the starting point for the program.”14 The FCC Notice then goes on to make brief observations and asks for input on several network cybersecurity objectives, including: (1) secure equipment management; (2) updating software; (3) intrusion prevention and detection; and (4) intrusion analysis and response.15
Procedural Areas Of Inquiry
Procedurally, the FCC Notice looks at a number of different topics. In the area of “who’s watching the watchers”, the FCC Notice requests input on how the auditors in the Certification Program should be accredited. It also discusses the importance of assessment standards, including looking at such issues as whether general security criteria would necessitate a two-step process involving review of the adequacy of the applicant’s proposed criteria followed by a second step of actually measuring whether the applicant meets those criteria.
Other procedural areas of inquiry include how assessment results would be maintained, how appeals to the FCC would be handled, and how reporting and enforcement would work. The FCC Notice also requests input on how a security certificate or seal should be conferred and the length of time that it should be valid. The FCC observes that too long of a period of validity could reduce the incentive for staying secure, while too short of a period might be administratively burdensome and therefore lead to poor participation.16
The FCC will accept comments until 60 days after publication of the FCC Notice in the Federal Register. As of this date, the FCC Notice has not been published.
The April 23, 2010 NTIA Notice of Inquiry
In a Notice of Inquiry with somewhat less depth than the FCC Notice but arguably broader scope, the NTIA Notice seeks input on the effects that privacy policies and privacy laws around the world have on innovation. As part of the work of the Department of Commerce’s Internet Policy Task Force, one goal of the NTIA Notice is to determine whether current privacy laws effectively serve the public interest and at the same time serve fundamental democratic values.17 The responses received will contribute to the report of the task force entitled Privacy and Innovation in the Information Age.
After cataloging a number of statistics related to the Internet economy and the impacts on privacy, the NTIA Notice requests comment across eight areas: (1) the U.S. privacy framework and its evolution,18 (2) state privacy laws,19 (3) international privacy laws and regulations,20 (4) conflicts across multiple jurisdictions that result in competing obligations,21 (5) the effect of sectoral laws in the U.S. related to privacy,22 (6) privacy-enhancing technologies and information management processes,23 (7) the effect of data protection laws on small and medium enterprises,24 and (8) the role of government and, specifically, the Department of Commerce.25
In looking at the current U.S. privacy framework, the Department of Commerce observed that many companies had provided feedback indicating that the current notice and choice approach might be outdated. Instead, a use-based model might be more appropriate.26 Consequently, the NTIA Notice asks whether changes to current laws, regulations, and self-regulatory mechanisms would improve innovation. It also asks several related questions, including whether some level of minimum requirements should be incorporated into the federal legal regime. Similar questions are asked about state laws and international laws, with additional queries related to whether the diversity of state laws is helpful or hurtful, and whether international laws impede trade and investment.
There are numerous other questions focusing on how companies deal with competing (and sometimes conflicting) privacy laws. In looking at more specific issues, the NTIA Notice includes questions that attempt to deal with some of the industry vertical models and specific technologies. Finally, there are questions about specific stakeholders, such as small businesses and startups (and the fact that they have fewer resources with which to address privacy issues), and about the Commerce Department’s role.
Comments on the NTIA Notice are due on or before June 7, 2010.
The Importance of the Notices
The two Notices of Inquiry confirm that both the FCC and the Commerce Department need input from all stakeholders, and particularly private industry, to determine the proper policy balance to be struck in the areas of data security and privacy. While a good sign, the more important phase will be the analysis of the responses and the corresponding actions that the respective agencies will take based on those industry responses.
1. PS Docket No. 10-93, available at http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-10-63A1.pdf.
2. Docket No. 100402174-0175-01, available at http://www.ntia.doc.gov/frnotices/2010/FR_PrivacyNOI_04232010.pdf.
3. See http://www.truste.org.
4. See https://www.pcisecuritystandards.org.
5. Comcast Corporation v. FCC, No. 08-1291, 2010 WL 1286658 (D.C. Cir. April 6, 2010).
6. FCC Notice, at 2.
7. Id. at 3.
8. Id. at 4.
9. Id. at 8.
11. Id. at 11.
12. Id. at 6.
13. Id. at 7.
15. Id. at 7-8.
16. Id. at 15.
17. NTIA Notice, at 1.
18. Id. at 3.
19. Id. at 4.
21. Id. at 5.
24. Id. at 6.
26. Id. at 4.