Update: The FCC has rescinded its cybersecurity white paper as of February 3, but the comment period for the notice of inquiry is still in effect.
In its recently released “Cybersecurity Risk Reduction White Paper,” the Federal Communications Commission expressed serious concerns about the “burgeoning and insecure [internet of things] market [that] exacerbates cybersecurity investment shortfalls [because] the private sector may not have sufficient incentives to invest in cybersecurity beyond their own corporate interests.” Noting that insecure wireless devices have shut down service to millions of users by attacking critical control utilities that are not FCC-regulated, the FCC is advocating “cyber accountability” – a combination of market-based incentives and regulatory oversight – to reduce cyberrisk in the communications sector.
While the FCC seeks to apply cyber accountability to many communications carriers (including internet service providers and submarine cable operators), in the internet of things world, device manufacturers and vendors would bear a large portion of responsibility. The FCC proposes that IoT equipment suppliers should implement “security by design” practices to build cybersecurity into their products before marketing them. As defined by the FCC, security by design is “a practice of continuous testing, authentication safeguards and adherence to best [cybersecurity] practices.”
The FCC avers that regulatory oversight of this process would likely be required, in part because the “large and diverse numbers of IoT vendors – who are driven by competition to keep prices low – hinders coordinated efforts to build security by design into the IoT on a voluntary basis.” Accordingly, the FCC states that, among other things, changes to its equipment certification rules may be necessary to protect networks from IoT device security risks.
As detailed in a previous article on 5G security issues, the FCC has commenced a proceeding in which IoT stakeholders can opine on various cybersecurity matters and help shape future rules as to whether and to what extent IoT device suppliers should be responsible for securing their products and their potential liability to third parties for breaches. Comments may include, for example, information as to market practices and conditions that mitigate the need for regulatory oversight. Comments are due by April 24, 2017 and reply comments are due by May 23, 2017.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks.