FCC Holds Off on Security Mandates for Internet of Things

FCC Chairman Ajit Pai (Rob Kunzig/Morning Consult)

Don’t expect the Federal Communications Commission to rush into issuing network security rules anytime soon, even in the face of a congressional inquiry seeking the agency’s response to the massive Oct. 21 distributed-denial-of-service attack.

At issue is whether the FCC’s Open Internet rules restrict internet service providers’ ability to block insecure Internet of Things (IoT) devices from their networks and whether the commission should mandate greater safeguards.

But the commissioners generally believe the Open Internet order already gives ISPs sufficient leeway to protect their networks from vulnerable internet-connected devices without additional regulations or standards. And, according to FCC officials, there isn’t much of an appetite to issue any new mandates now.

There are also questions as to whether cybersecurity is even in the commission’s purview.

Sen. Mark Warner (D-Va.) sent a letter to FCC Chairman Tom Wheeler on Oct. 25, several days after a hijacked network of IoT devices took large swaths of the United States internet offline. Warner asked detailed questions about the commission’s role in empowering both ISPs and consumers with the means to prevent similar attacks in the future.

The senator suggested that the Open Internet rule — adopted in 2015 during the debate on net neutrality — might actually limit the ability of ISPs to block insecure IoT devices from their networks. That could make it difficult to prevent future attacks stemming from those devices.

Wheeler called Warner’s letter “thoughtful” and promised a response. He also disputed the notion that the rules limit security practices of ISPs.

“The Open Internet order allows for reasonable network management, which clearly gives leeway to be able to deal with issues like this,” Wheeler said at the FCC’s open meeting on Oct. 27.

There is clear language in the rules for ISPs to deny access to networks or devices that could put their security at risk, according to one FCC official, who added that they were “designed for flexibility, particularly when it comes to network security.”

The rules allow broadband providers to implement network management practices for the purpose of “ensuring network security and integrity, including by addressing traffic that is harmful to the network,” according to the Open Internet order.

Distributed-denial-of-service attacks are mentioned in the order as one type of harmful traffic that the commission gives ISPs the power to address.

The Open Internet order does give the commission to ability to conduct a case-by-case analysis of providers’ network management practices in order to prevent ISPs from inappropriately blocking devices or networks.

But another clause singled out by Warner bars ISPs from the blocking of “non-harmful devices” from broadband networks, showing a possible conflict.

That’s not an issue, the FCC official said, because that provision largely allows ISPs to determine for themselves whether devices are harmful. “The commission doesn’t intervene and lets providers go out and do what they can to address these practices,” the official said. “If someone goes too far, the FCC might say, ‘Hey, you’re violating the Open Internet rules.’”

The FCC could go further and use its Open Internet rules to bar ISPs from blocking any traffic emanating from IoT devices, or at least those with easily circumvented security protocols.

But there is a fundamental hesitancy on the part of the commission to come down too firmly on network security. Part of that is due to ambiguity over the agency’s statutory authority on cybersecurity. During a post-meeting press conference on Oct. 27, Republican Commissioner Ajit Pai called the FCC’s role in cybersecurity “relatively circumscribed.”

“There are other agencies that have a more well-defined space, legally speaking, and more well established expertise,” Pai said, adding that he views the commission as operating in a “consultative role” rather than “setting forth uniform rules that would apply to an entire industry.”

There is no statutory provision directing the commission to create cybersecurity regulations, but the FCC retains broad flexibility in determining whether security actions undertaken by telecommunication providers are reasonable.

Morning Consult