Wheeler Floats FCC Cybersecurity Certification for IoT Devices

Federal Communications Commission Chairman Tom Wheeler has laid out an unexpected roadmap through which the FCC could directly regulate the security of internet-connected devices.

In a letter to Sen. Mark Warner (D-Va.) dated Dec. 2 and released by Warner on Monday, Wheeler proposed an FCC-mandated cybersecurity certification process for “Internet of Things” devices. The proposal would also require consumer cybersecurity labels for IoT devices and associated services.

Wheeler is set to step down as chairman on Jan. 20, but the new framework could be used to support legislation enhancing the FCC’s ability to regulate IoT devices.

Wheeler’s letter responded to a set of questions that Warner sent to the FCC four days after an Oct. 21 cyberattack directed through IoT devices knocked popular websites offline for several hours. Wheeler said in Friday’s letter that he shares Warner’s concern “that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities.”

In addition to public-private partnerships and interagency cooperation, Wheeler said FCC regulations could also play a role.

The letter marks a shift in perspective from the days immediately following the Oct. 21 cyberattack, when an FCC official said there was little appetite at the agency for increased regulations mandating stricter network security protocols for internet service providers.

Wheeler now seems to be moving the regulatory target to the IoT devices themselves. The FCC already imposes a certification process on all devices that emit or receive spectrum to ensure they don’t interfere with radio communications.

“Equipment authorization is a critical element of the FCC’s regulatory structure to maintain the integrity and usability of spectrum,” Wheeler explained in an outline of a proposed regulatory structure that accompanied the letter to Warner.

Berin Szoka, president of the limited-government group TechFreedom, said Wheeler may be looking at the FCC’s existing certification authority “as a hook for regulating the security of the devices.” But Szoka said that would vastly overstep the commission’s regulatory authority.

An FCC official told Morning Consult on Monday that the proposals floated in Wheeler’s letter would likely require an expansion of the agency’s device certification process to include cybersecurity. “It seems to be a very aggressive take on cybersecurity from the perspective of the FCC’s jurisdiction,” the official said.

It’s highly unlikely that Wheeler himself will be able to issue a proposed rule to expand the FCC’s certification authority, mainly because he’s required to step down as chairman when President-elect Donald Trump takes office.

The FCC official noted that the language in the letter was “wishy-washy” and said the proposal to directly regulate IoT devices is simply demarcating the outer limits of the agency’s authority.

Warner — whose Oct. 25 letter focused on steps the FCC could take to regulate the internet service providers that connect to IoT devices — said he was pleased with Wheeler’s answer.

“The commission’s proposal for a device certification process, either by the agency or through industry self-certification, deserves strong consideration,” Warner said in a statement Monday. “Similarly, the FCC’s suggestion of consumer labeling requirements echoes the call by many security experts for metrics that will empower and educate consumers.”
