By David Simpson
March 10, 2017 at 5:00 am ET
President Donald Trump has promised aggressive cybersecurity policy. In a dangerous departure from the president, the Republican chairman of the Federal Communications Commission has taken actions to eliminate its role in addressing cybersecurity.
Chairman Ajit Pai stopped an order addressing known flaws exploited by low-end attackers to “hi-jack” the Emergency Alert System.
He pulled cybersecurity considerations out of the new internet protocol-based TV broadcast proposal, avoiding public discussion of this backdoor vector to Wi-Fi and broadband-connected devices.
He halted the cybersecurity provisions in the FCC’s Broadband Privacy order and opposed inclusion of cybersecurity in communications outage reporting.
He rescinded a notice of inquiry generating early public dialog regarding cybersecurity risk reduction for next-generation wireless networks and pulled from public view a study by FCC economists highlighting the growing gap between communications sector corporate cybersecurity investment and that needed to properly protect society.
The greatest concern, however, will come from benign neglect, as the chairman asserts cybersecurity risk is somebody else’s problem. His colleague, Commissioner Michael O’Rielly, succinctly asserted in Senate testimony this week his opinion that the FCC’s statutory authority with regard to cybersecurity in the communications sector is “extremely limited.”
Apparently, Republicans are “cyber-hawks” everywhere except the FCC. O’Rielly closed his comments out suggesting that he’s open to change if Congress makes the FCC’s jurisdiction for cybersecurity clear. Congress should do that.
The FCC has a key oversight role for our commercial communications providers and a history of consumer and public safety protections ensuring that our networks support calls for help and response in times of crisis. Addressing cybersecurity early is smart policy. It leads to more robust, resilient and cost-efficient services. In the past, this was just good business sense. Looking forward, this is a national security and emergency preparedness requirement. Communications underpin power generation, electrical, natural gas and water distribution, transportation, healthcare, finance and more.
The self-serving theory advanced by the telecommunications industry is that cybersecurity risk oversight for communications should be transferred to the Department of Homeland Security. Expanding the DHS charge, however, with no regulatory authority over the commercial communications sector, will be expensive, doomed to failure or both.
The nation’s regulators are in the best position to identify the risk left unaddressed through corporate cybersecurity investments. They have regularly convened stakeholders to engage in right-sized, right-timed risk reduction efforts supported by outage reports and other marketplace indicators.
Pai has signaled that cybersecurity should not be a part of his security oversight responsibilities. This reversal in policy is a bad decision for all of us. In order to turn the cyber indifference at the FCC around, I believe there are three imperatives.
First, the president should make cybersecurity a “whole of government” and “whole of industry” priority. It should include regulators like the Federal Trade Commission and FCC with critical infrastructure responsibilities in the National Security Council group assessing, appreciating and addressing both short- and long-term cybersecurity risk.
Second, we must demand a more effective dialog between congressional committees with cybersecurity risk responsibilities. Don’t rail about cyber threats to the nation in one committee and then exclude cybersecurity as others authorize programs for broadband subsidies and other critical infrastructure. The independent regulators report to Congress, and Congress should make clear assignments for cybersecurity risk oversight. Three bills charging the FCC with cybersecurity responsibilities were introduced by Democrats in the Senate Commerce Committee this week. This is a good start, and Republicans on the committee should put partisanship aside, refine and ultimately support these bills in a manner consistent with the president’s call for an aggressive national cybersecurity posture.
Third, direct citizen engagement with the FCC. The courts have the ability to and have in the past overturned FCC action when public input is not properly addressed. If you think that cybersecurity should be an included consideration as the contours of new communication services are established, share that opinion with the FCC.
If we do this right, our technology sector will continue to produce long-term advantage. If we ignore it, growing competition from overseas markets will chip away at our lead. Information-intensive businesses will gravitate toward countries that have optimally balanced security, privacy, innovation and cost.
Pai must resist the pressures of industry lobbyists to pass the buck to DHS. Congress defined critical national defense, public safety and consumer protection roles for the FCC in the Communications Act of 1934, giving it “the purpose of regulating … commerce in communications … for National Defense and promoting safety of life and property.”
It’s clear that commercial communications are more crucial to national defense, public safety and consumer protection than ever. Cybersecurity is an inherent part of modern communications and must be a part of the FCC’s job.
Rear Admiral (Ret.) David Simpson served as chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau from November 2013 through January 2017.