FCC abandons plans for rules on IoT cybersecurity
Following the shock election result, the Federal Communications Commission has put on hold proposed new rules to ensure the security of connected devices in the Internet of Things, according to an agency letter and work plan released Monday.
The plan, which lays out the FCC’s “risk reduction program” for IoT, says the agency should “Issue an NPRM [notice of proposed rule making] to examine regulatory measures the FCC could take to help address cyber risks that cannot be addressed through market-based measures.” The workplan was attached a to letter sent to Sen. Mark Warner, D-Va., by FCC Chairman Tom Wheeler.
It’s the first time the agency has publicly disclosed that it was working on regulations for IoT device cybersecurity. Previously, agency officials have stressed that, as Wheeler’s letter states, FCC’s net neutrality rules “enable Internet Service Providers (ISPs) to take measures to protect their networks, and those with which they interconnect, from harmful devices” — for instance by disconnecting them en masse.
The plan states that the FCC could use “existing legal authorities” for the NPRM, such as its power to certify wireless devices, noting, “The NPRM could examine changes to the FCC’s equipment certification process to protect networks from IoT device security risks.” Currently the equipment certification process is used to ensure that devices which broadcast radio waves don’t spill out of their allotted spectrum bands or otherwise interfere with other devices.
The plan also proposes that the NPRM include “a cybersecurity certification (possibly self-certification)” and “a consumer labeling requirement to address any asymmetry in the availability of information and help consumers understand and make better decisions regarding the potential cyber risks of a product or service.”
But the letter to which the plan was attached says the agency has “had to postpone some of the next steps in this combined approach in light of the impending change in administrations.”
FCC officials confirmed to CyberScoop that all of the steps contemplated in the work plan are on hold for the time being — as are other agency actions that have proved controversial or are opposed by one or more commissioners.
Nonetheless, Warner urged the incoming Trump transition team to take up where the outgoing administration left off. “The commission’s proposal for a device certification process, either by the agency or through industry self-certification, deserves strong consideration,” he wrote. Similarly, he said FCC consumer labeling requirements “will empower and educate consumers.
“I strongly urge the incoming Trump Administration to make cybersecurity a top priority, because we simply must move forward with responsible new initiatives to better engage consumers, manufacturers, retailers, internet sites and service providers in improving our nation’s cybersecurity posture,” he concluded in a statement Monday.
Close observers of the FCC said the uncertainty over the future of the agency’s initiative was a product of the limbo it now finds itself in, as President Obama’s appointees prepare to leave.
“It has been unclear from the beginning what the FCC’s jurisdiction is in this [cybersecurity] area,” Robert M. McDowell, a senior fellow at the right-leaning Hudson Institute told CyberScoop.
McDowell added the FFC’s recent decision to regulate ISP’s like phone companies under its Title II authority was unlikely to stand, which rendered the agency’s authorities even murkier. “After the surprise presidential election, it is highly doubtful that ISPs will have to live under those old phone laws. If Title II for ISPs gets repealed, then other agencies, such as the Department of Homeland Security, will continue to have jurisdiction over this area.”
Wheeler wrote to Warner wrote in response to a missive from the senator prompted by the internet outages earlier this fall caused by the massive Mirai IoT botnet. Mirai took advantage of poor security in consumer IoT devices like webcams, DVRs and internet routers, recruiting them into a botnet, or robot network, of compromised equipment which was used to attack major websites and internet infrastructure by overwhelming it with fake traffic — a so-called distributed denial or service or DDoS attack.
Because of the way the devices were configured, consumers — even assuming they knew their devices were under attack — had no way of mitigating the security holes that enabled attackers to get control of the devices. This led some policymakers to the conviction that regulatory agencies needed to get involved.
Nonetheless, the proposed rules would likely have proved highly controversial if the FCC had gone ahead with them, especially among industry groups.
“We cannot regulate our way to cybersecurity,” said Matt Eggers, executive director for cybersecurity policy at the U.S. Chamber of Commerce.