Wheeler Floats FCC Cybersecurity Certification for IoT Devices

Federal Communications Commission Chairman Tom Wheeler has laid out an unexpected roadmap through which the FCC could directly regulate the security of internet-connected devices.

In a letter to Sen. Mark Warner (D-Va.) dated Dec. 2 and released by Warner on Monday, Wheeler proposed an FCC-mandated cybersecurity certification process for “Internet of Things” devices. The proposal would also require consumer cybersecurity labels for IoT devices and associated services.

Wheeler is set to step down as chairman on Jan. 20, but the new framework could be used to support legislation enhancing the FCC’s ability to regulate IoT devices.

Wheeler’s letter responded to a set of questions that Warner sent to the FCC four days after an Oct. 21 cyberattack directed through IoT devices knocked popular websites offline for several hours. Wheeler said in Friday’s letter that he shares Warner’s concern “that we cannot rely solely on the market incentives of ISPs to fully address the risk of malevolent cyber activities.”

In addition to public-private partnerships and interagency cooperation, Wheeler said FCC regulations could also play a role.

The letter marks a shift in perspective from the days immediately following the Oct. 21 cyberattack, when an FCC official said there was little appetite at the agency for increased regulations mandating stricter network security protocols for internet service providers.

Wheeler now seems to be moving the regulatory target to the IoT devices themselves. The FCC already imposes a certification process on all devices that emit or receive spectrum to ensure they don’t interfere with radio communications.

“Equipment authorization is a critical element of the FCC’s regulatory structure to maintain the integrity and usability of spectrum,” Wheeler explained in an outline of a proposed regulatory structure that accompanied the letter to Warner.

Berin Szoka, president of the limited-government group TechFreedom, said Wheeler may be looking at the FCC’s existing certification authority “as a hook for regulating the security of the devices.” But Szoka said that would vastly overstep the commission’s regulatory authority.

An FCC official told Morning Consult on Monday that the proposals floated in Wheeler’s letter would likely require an expansion of the agency’s device certification process to include cybersecurity. “It seems to be a very aggressive take on cybersecurity from the perspective of the FCC’s jurisdiction,” the official said.

It’s highly unlikely that Wheeler himself will be able to issue a proposed rule to expand the FCC’s certification authority, mainly because he’s required to step down as chairman when President-elect Donald Trump takes office.

The FCC official noted that the language in the letter was “wishy-washy” and said the proposal to directly regulate IoT devices is simply demarcating the outer limits of the agency’s authority.

Warner — whose Oct. 25 letter focused on steps the FCC could take to regulate the internet service providers that connect to IoT devices — said he was pleased with Wheeler’s answer.

“The commission’s proposal for a device certification process, either by the agency or through industry self-certification, deserves strong consideration,” Warner said in a statement Monday. “Similarly, the FCC’s suggestion of consumer labeling requirements echoes the call by many security experts for metrics that will empower and educate consumers.”
