CommLaw Monitor News and analysis from Kelley Drye’s communications practice group Wed, 12 Jun 2024 02:46:39 -0400

The FCC’s Packed September Meeting Agenda Includes Focus on IoT Spectrum and Robocall Prevention Thu, 16 Sep 2021 16:50:28 -0400 The FCC released a full agenda for its next Commission Open Meeting, scheduled for September 30, 2021. The agency will consider a Notice of Proposed Rulemaking (“NPRM”) to improve the Wireless Network Resiliency Cooperative Framework (“Framework”) and outage reporting. The FCC will next address an Order on Reconsideration to vacate a 2020 order that permits states to lease spectrum in the 4.9 GHz band (designated for public safety use) to third parties for non-public-safety use and a Further NPRM (“FNPRM”) to adopt a nationwide framework for the 4.9 MHz band that would allow for public safety and non-public safety uses. The FCC will also consider adopting a Public Notice that would describe the process for the Office of Engineering and Technology (“OET”) to approve automated frequency coordination (“AFC”) systems, which must be used when performing certain unlicensed operations in the 6 GHz band. Rounding out spectrum issues, the FCC will consider a Notice of Inquiry (“NOI”) focused on whether there is adequate spectrum to support the Internet of Things (“IoT”). The FCC will then shift its attention to two FNPRMs regarding robocalls. One FNPRM would propose that voice service providers block autodialed calls to numbers on the Public Safety Answering Points (“PSAP”) Do-Not-Call registry and seek alternative ways to protect PSAPs from robocalls and security threats. The other robocall-related FNPRM would propose that gateway providers take action to prevent robocalls that originate outside of the U.S. on U.S. numbers. Next, the FCC will address another NPRM to clarify that Tribal libraries are eligible to receive support under the E-rate program. The FCC will close its meeting by considering a Second Report and Order that would adopt standard questions to be answered by applicants with reportable foreign ownership that seek the Commission’s approval to obtain or modify certain licenses or to complete transactions involving those licenses.

You will find more information about the items on the September meeting agenda after the break:

Promoting More Resilient Networks - The NPRM would seek comment on various issues related to improving the reliability and resiliency of communications networks during emergencies and natural disasters. The NPRM focuses on whether the Framework (a wireless industry agreement aimed at providing mutual aid during emergencies, ensuring municipal and consumer readiness and communicating about service restoration) can be improved, such as by expanding participation, increasing the scope of participants’ obligations or codifying industry disaster-based coordination obligations. The NPRM would also seek comment on enhancing information provided to the FCC during disasters and network outages through the Network Outage Reporting System and the Disaster Information Reporting System. In addition, the NPRM would ask about communications resilience strategies to mitigate the impact of power outages, including coordination between communications providers and power companies and the use of backup power during disasters.

Reassessing 4.9 GHz Band for Public Safety – The Order on Reconsideration would grant requests by public safety organizations to vacate a 2020 order that permits states to lease spectrum in the 4.9 GHz band (designated for public safety use) to third parties for non-public-safety use. The Order on Reconsideration would also lift a freeze on 4.9 MHz licenses to allow incumbent licensees to modify licenses or seek new permanent fixed sites. The FNPRM would propose to establish a nationwide framework for the 4.9 GHz band to maximize public safety while promoting interoperable communications and interference protection throughout the network. Areas for comment would include how to protect public safety users from harmful interference, the use of the Universal Licensing System or another database to maintain relevant technical data, adoption of consistent technical standards to foster interoperability of equipment using the band and giving public safety uses priority. The NPRM would also seek comment on how to manage the band, incentivize public safety licensees to use the latest commercially available technologies and allow non-public safety use of the band without jeopardizing public safety operations.

Authorizing 6 GHz Band Automated Frequency Coordination Systems - The Public Notice would set forth a process for the OET to authorize AFC systems, which are required to operate standard-power devices in the 6 GHz band. Specifically, unlicensed standard power devices that operate in the 6 GHz band are required to check an AFC system prior to operating to avoid harmful interference to incumbent operations. The Public Notice would explain the approval process for AFC system operators, which would include conditional approval, a public trial period and an opportunity for public comment. The Public Notice would provide detailed information about the content of AFC system proposals and request that such proposals be submitted no later than November 30, 2021 (although proposals will be accepted after that date).

Spectrum Requirements for the Internet of Things - The NOI (which is required to be issued by the William M. (Mac) Thornberry National Defense Authorization Act for FY 2021 (Pub. L. No. 116-28) (the “Act”)) would seek comment on whether there is sufficient spectrum available for current and future IoT needs. As directed by the Act, the NOI would ask for comment on how to ensure that adequate spectrum is available for the increased demand for the IoT, whether regulatory barriers would prevent accessing any additional needed spectrum and the roles of licensed and unlicensed spectrum for supporting the IoT.

Shielding 911 Call Centers from Robocalls – The FNPRM would propose to update the FCC’s rules governing the PSAP Do-Not-Call registry. Although the FCC adopted rules in 2012 to establish the registry as a means to protect PSAPs from unwanted robocalls, the registry has not been fully implemented due to security concerns associated with releasing PSAP telephone numbers to entities accessing the registry. The FNPRM would propose that voice service providers block autodialed calls to PSAP telephone numbers on the PSAP Do-Not-Call registry, as an alternative to allowing entities claiming to use autodialers to access the registry to identify telephone numbers that may not be called. In addition, the FNPRM would seek comment on whether autodialed calls and text messages continue to disrupt PSAPs’ operations, security risks associated with maintaining a centralized registry of PSAP telephone numbers, ways to address security issues (such as enhanced caller vetting and data security requirements) and alternative means to prevent robocalls to PSAPs (such as by utilizing other technological solutions or leveraging the National Do-Not-Call registry).

Stopping Illegal Robocalls From Entering American Phone Networks - The FNPRM would propose to require gateway providers to assist in the battle against illegal robocalls by applying STIR/SHAKEN caller ID authentication and other robocall mitigation techniques to calls that originate abroad from U.S. telephone numbers. The FNPRM would also seek comment on several other proposals aimed at mitigating robocalls, including the following requirements that would be applicable to gateway providers: (1) responding to traceback requests within 24 hours; (2) blocking calls upon notification from the Enforcement Bureau that a certain traffic pattern involves illegal robocalling; (3) utilizing reasonable analytics to block calls that are highly likely to be illegal; (4) blocking calls originating from numbers on a do-not-originate list; (5) confirming that a foreign call originator using a U.S. telephone number is authorized to use that number; (6) including robocall mitigation obligations in contracts with foreign customers; and (7) submitting a certification regarding robocall mitigation practices to the Robocall Mitigation Database. In addition, the FNPRM would seek comment on a requirement that service providers block calls from gateway providers identified as bad actors by the FCC and on whether additional information should be collected by the Robocall Mitigation Database. The FNPRM would ask whether there are alternative means to stop illegal foreign-originated robocalls. Finally, while the rulemaking proceeding is pending, the FCC would not enforce the prohibition in Section 63.6305(c) of the FCC’s rules on U.S.-based providers accepting traffic carrying U.S. NANP numbers that is received directly from foreign voice service providers that are not in the Robocall Mitigation Database.

Supporting Broadband for Tribal Libraries Through E-Rate - Pursuant to Section 254(h)(4) of the Communications Act of 1934, as amended, a library may not receive preferential treatment or rates (such as under the E-rate program) unless it is eligible for assistance from a State library administrative agency under the Library Services and Technology Act (“LSTA”). In 2018, the LSTA was amended to specifically include Tribal libraries as eligible for assistance from a State library administrative agency. The NPRM would propose to amend Sections 54.500 and 54.501(b)(1) of the FCC’s rules to clarify that Tribal libraries are eligible for E-rate support. The NPRM would also seek comment on other measures to enable Tribal schools and libraries to gain access to the E-rate program and ways to increase participation in the E-rate program.

Strengthening Security Review of Companies with Foreign Ownership - The Second Report and Order would adopt standardized national security and law enforcement questions (“Standard Questions”) to be answered by applicants with reportable foreign ownership as part of the Executive Branch review of certain applications filed with the FCC. The issuance of Standard Questions is the FCC’s final step in implementing several reforms to formalize and streamline the FCC and Executive Branch review process consistent with Executive Order No. 13913 (April 20, 2020), which established a Committee for the Assessment of Foreign Participation in the United States Telecommunications Sector (“Committee” (formerly known as Team Telecom)) and set forth procedures and timelines for the Committee to complete its review. The Second Report and Order would include Standard Questions for the following types of applications when reportable foreign ownership (generally a 5 percent or greater equity and/or voting interest (indirect or direct) in the applicant) is present: (1) applications for a new or modified International Section 214 authorization or submarine cable landing license; (2) applications for assignment or transfer of control of an International Section 214 authorization or a submarine cable landing license; and (3) petitions for a declaratory ruling to permit foreign ownership in a broadcast licensee, common carrier wireless licensee or common carrier earth station licensee that exceeds the benchmarks in Section 310(b) of the Communications Act. There would also be a supplement to each set of questions to provide personally identifiable information for individuals with a reportable ownership interest, non-U.S. individuals with access to the applicant’s facilities, corporate officers and directors, and a law enforcement point of contact.

Join Kelley Drye at Telecom Council’s IoT Forum on Cybersecurity Tue, 12 Jan 2021 15:37:25 -0500 On January 21, join Kelley Drye and Partner Steve Augustino at Telecom Council’s IoT Forum on Cybersecurity. Continuing on a series of virtual meetings, the IoT Forum will convene to look at innovation and startups working on IoT Security. Steve will present on the IoT Cybersecurity Act of 2020, including the role of security standards in today’s market and the trends that IoT device manufacturers should consider when designing their products and services.


NIST Wastes No Time in Implementing the IoT Cybersecurity Act of 2020 Fri, 18 Dec 2020 17:44:11 -0500 Last week, we told you that President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The Act is the first of its kind at the federal level, aimed at protecting the security of IoT devices and services in the marketplace. The Act governs federal purchases of IoT devices and services but is intended to leverage the purchasing power of the federal government to affect the broader IoT market indirectly. Thus, without (yet) setting standards for all IoT devices and services, the legislation nevertheless is significant whether or not a company sells its product to the government.

The core of the legislation is a requirement that the National Institute of Standards and Technology (“NIST”) issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. These standards are then to be incorporated by the Office of Management and Budget and, in turn, in federal procurement standards.

As we noted, this work in standards development at NIST was already far along, with NIST having issued a Core Baseline for IoT Device Cybersecurity in June. Not surprisingly, NIST was ready for the Act’s mandate, and on December 15 issued four additional documents for comment. As NIST explained in a blog post, these four new documents “expand the range of guidance for IoT cybersecurity, with the goal of ensuring IoT devices are integrated into the security and privacy controls of federal information systems.”

To begin, NIST had already issued two key documents, the Core Baseline documents. Specifically, the first two documents in the NISTIR 8259 series, NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, identified the technical requirements IoT device manufacturers should address in securing their IoT devices. The new documents are designed to enable these principles to be applied to federal purchases of IoT. They are:

  • SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements. This document provides guidance for federal agencies seeking to integrate IoT devices and services into their systems and infrastructure. SP 800-213 offers recommendations on considering system security from the device perspective and is intended to enable the federal customer to identify device cybersecurity requirements — the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties.
  • NISTIR 8259B, IoT Non-technical Supporting Capability Core Baseline. This document is a complement to the previously released NISTIR 8259 documents. In particular, NISTIR 8259B details additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties.
  • NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline. This document takes the general guidance provided for in the Core Baseline – which is written for a generic IoT device – and provides a process for applying the baseline to specific industries or uses. It details a process that an organization may use to integrate the generic baselines with organization-specific or application-specific requirements (e.g., industry standards, regulatory guidance), thus yielding an IoT cybersecurity profile suitable for specific IoT device customers or applications.
  • NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government. Finally, this document follows the above process to develop a profile for federal government IoT uses and provides a device-centric, cybersecurity-oriented profile that also incorporates FISMA criteria for security.

The NIST documents are merely drafts at this time. Interested parties are invited to offer comment on the draft documents on or before February 12, 2021. We recommend that any IoT device manufacturer or service provider review this new guidance carefully and consider offering comments to NIST. As we’ve noted before, even if a provider does not intend to offer service to the federal government, it is foreseeable that this guidance could become a de facto standard for IoT device security.

President Signs IoT Cybersecurity Act of 2020 Wed, 09 Dec 2020 12:27:18 -0500 On December 4, 2020, President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The legislation, H.R. 1668, passed the House in September and the Senate in November.

The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the summer on IoT Device Cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which already was working on the federal profile of IoT uses, is directed to issue these guidelines by March 4, 2021. Within 6 months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, adding a hammer to the incentives, federal government acquisition standards are to be revised to implement these standards. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.

The goal of indirect IoT regulation was overt in the legislation. In a press release accompanying passage of the Act by the Senate, Senators Mark Warner (D-VA) and Cory Gardner (R-CO) expressly stated their goal that “leveraging the purchasing power of the federal government…will ultimately help move the wider market towards greater cybersecurity.” As we warned when NIST initiated its IoT device security guidance, non-binding standards can quickly become de facto regulations. That result is obvious here.

In addition, a second objective of the IoT Cybersecurity Improvement Act is to develop standards for the reporting of vulnerability information relating to federal IoT uses. Specifically, NIST is directed to develop guidelines for reporting, coordinating, publishing, and receiving information about a security vulnerability to information systems owned or controlled by the federal government (including but not limited to IoT vulnerabilities). These guidelines are to be aligned, to the maximum extent possible, with international standards adopted by the International Standards Organization and should provide guidance on both disclosing the vulnerability and disseminating information about the resolution of the security vulnerability. NIST is directed to develop these standards by June 2021.

This legislation adds to an already busy plate for NIST’s IoT and cybersecurity programs. But this legislation adds some teeth to the activities, making NIST an agency to watch in 2021.

Podcast: Closing the Digital Divide and Enabling Connected Life Tue, 01 Sep 2020 13:09:36 -0400 Americans who lack high-speed broadband internet access are caught on the wrong side of the “Digital Divide,” with students facing a “homework gap” and adults, and even entire communities, facing an “opportunity gap” that impacts everything from jobs, education, and healthcare to sustainability and well-being. This episode of Kelley Drye’s Legal Download discusses the increasing importance of access to advanced communications networks and services, and a few of the legal issues involved in closing the digital divide and enabling connected life.


FCBA CLE: Furthering UAS Deployment in U.S. Airspace Tue, 09 Jun 2020 15:41:32 -0400 Join Partner Steve Augustino and the FCBA’s Internet of Things committee for “Furthering U.S. Drone Operations: An Update on FAA and Spectrum Policy Developments,” a virtual CLE on Monday, June 15th from 3:00 – 5:10 p.m. Steve will moderate the first of two panels. His session, “Furthering UAS Deployment in U.S. Airspace,” will provide an update on FAA initiatives, Congressional requirements, and industry efforts that are aimed at the full integration of small UAS into the nation’s airspace.


FCC Opens Proceeding to Reinvigorate Opportunities for TV White Space Devices Fri, 06 Mar 2020 10:29:40 -0500 On February 28, 2020, at its Open Meeting, the FCC voted to commence a rulemaking to examine the rebalancing of many technical rules governing the deployment of fixed and certain mobile, unlicensed white space devices in the television bands (in and around the 600 MHz range) to increase opportunities for relatively long-distance connectivity in rural and underserved areas, such as for wireless broadband solutions or applications associated with the Internet of Things (“IoT”), although there are no application restrictions on white space devices per se. The rule changes are proposed only in those frequencies below TV channel 35, and so exclude the 600 MHz duplex gap and the 600 MHz service band. The text of the Notice of Proposed Rulemaking (“NPRM”) was promptly released on March 2. Comments are due 30 days after Federal Register publication with replies due sixty days after publication, which has not yet occurred.

Part 15 of the FCC’s rules allows unlicensed white space devices to operate at locations on frequencies not in use by licensed services. Twelve years ago, the FCC authorized unlicensed white space device operations for the first time on television channels not being used locally by broadcasters and associated service licensees. The devices are required to obtain a list of available channels and power levels for use at their particular location from FCC-approved entities that maintain accessible databases. Fixed devices must also incorporate geo-location capability. Portable devices must include geo-location and database access capabilities or, alternatively, acquire a list of available channels via another device with geo-location ability and access to a database. While several orders in the intervening years have been designed to increase flexibility and promote additional opportunities for deployment of such devices, such as relaxed technical accommodations for devices in rural and underserved areas, their use has fallen somewhat below initial aspirations.

Last May, Microsoft Corporation filed a petition for rulemaking requesting that the FCC provide yet additional flexibility for white space device operations. Many commenters filed in support, but the National Association of Broadcasters (“NAB”) raised concerns, as did stakeholders with interests in Wireless Medical Telemetry Service (“WMTS”) operations on Channel 37 and proponents of wireless microphones using spectrum not being used by other licensed services.

Proposed New Power and Height Limits for White Space Devices in “Less Congested” Areas

Now, after the NAB and Microsoft have worked together to resolve most of their differences, the FCC proposes to permit fixed white space devices in spectrally “less congested” areas over larger distances through using higher transmit powers (16 v. 10 W EIRP) and deploying antennas at greater heights above average terrain (up to 500 meters from a maximum of 250 meters) – while maintaining the existing one-watt transmitter conducted power limit for fixed devices and proposing certain adjustments when higher gain antennas are used. This flexibility would come with the need to maintain greater separation distances from authorized services, although the FCC also invites comment about even greater flexibility in powers used and antenna heights and whether coordination or notification procedures should be adopted in combination with the proposed relaxed requirements.

Given the foregoing proposals, the FCC, in the NPRM, additionally inquires whether it should relax the limit on antenna height above ground level, including potentially in all areas within the United States. But current power and height limits would remain in Channel 36, which the FCC believes would be adequate to protect WMTS and Radio Astronomy operations in Channel 37.

As an overarching matter, the FCC also inquires whether it should change the definition of “less congested” areas which now are those areas where, within the band of intended operation, at least half of the TV channels that will continue to be allocated and assigned only for broadcast service are unused for broadcast and other protected services, and are thus available for white space device use. For example, the FCC asks whether “less congested” areas should be defined, in part, based on population density.

In conjunction with these proposals, the FCC will consider making additional changes to the protection criteria for operations in the TV bands other than broadcasting, such as TV translator receive sites, Low Power TV (including Class A) receive sites, Multichannel Video Programming Distributor (“MVPD”) receive sites, fixed Broadcast Auxiliary Service (“BAS”) links, the private land mobile radio and commercial mobile radio services (“PLMRS” and “CMRS”), and licensed wireless microphones.

Potential Operation of White Space Devices on Mobile Platforms in Geo-Fenced Locations

Additionally, the NPRM proposes to permit higher-power operation of white space devices on TV Channels 2-35 on mobile platforms inside “geo-fenced” areas (within “less congested” areas) enforced by incorporated geo-location capabilities, e.g., GPS coupled with a database, and new operational requirements, such as prohibiting operation on board aircraft or satellites to limit the potential for interference. The FCC seeks comment on a wide variety of other questions related to permitting wider deployment of white space devices on mobile platforms, including limitations on the size of the area over which a higher-power mobile device could operate, changes to the databases used for white space devices, and other possible safeguards.

Prospective Changes That Might Propose Use of White Space Devices for IoT

The FCC also hopes to facilitate innovative narrowband IoT services by considering certain changes to the power spectral density (“PSD”) limits applicable to white space devices in the TV bands. Matters raised by the NPRM include a revised definition of “narrowband” white space devices and spectrum utilization limits, while the FCC leans toward permitting manufacturers and standards groups to develop their own protocols to prevent multiple devices from transmitting simultaneously and interfering with each other without a regulatory mandate. As with all of the other areas under consideration in the proceeding, the FCC asks whether there are other rule modifications needed to promote narrowband operations while ensuring protection of authorized services that operate in the TV bands from harmful interference potentially caused by narrowband white space devices.

Possible Flexibility for White Space Devices to Operate Adjacent to Occupied TV Channels

Further, the FCC seeks comment about higher-power white space device operation within the service contour of an adjacent-channel TV station. Generally, white space device operations above 40 milliwatts EIRP must operate outside the protected contours of adjacent-channel TV stations, although fixed white space devices may operate within the protected contour of adjacent-channel TV stations with a power level of 100 milliwatts EIRP when the white space device operates in a six-megahertz band centered on the boundary of two contiguous vacant channels, which requires three contiguous vacant channels available for use. Microsoft noted that these conditions are not always present and the FCC should therefore consider other ways to permit higher-power operation of white space devices when adjacent TV channels are occupied, such as more sophisticated location-determining computer models (e.g., Longley-Rice) and consideration of improved selectivity in next-generation TV receivers. NAB opposes any consideration of this matter – the primary area where Microsoft and the broadcasters could not reconcile their differences over Microsoft’s proposals.

Interest in Microsoft’s proposals has already been considerable, with almost two dozen parties commenting. There is every reason to expect that a similar level of participation will emerge during the rulemaking. Manufacturers of white space devices, developers of agricultural, mining, construction, and other IoT applications, and potential users of these devices should be especially interested, as well as broadcasters and those operating in the authorized services in the TV bands.

Podcast: IoT Security Tue, 26 Nov 2019 13:19:11 -0500 From smart homes and self-driving vehicles to drones and healthcare monitoring, Internet of Things (IoT) capabilities are a hot topic for both manufacturers and consumers. The most recent episode of Kelley Drye’s Full Spectrum podcast spotlights one of the key areas for everyone involved – maintaining security of IoT devices. The episode features cybersecurity developments, like the National Institute of Standards and Technology’s (NIST) baseline recommendations for securable devices. We describe how NIST has taken the lead in this area and what the current recommendations might mean for future regulation.


Securing IoT Devices (Part 2): Inside the NIST Guidance Document for IoT Device Manufacturers Thu, 22 Aug 2019 11:27:44 -0400 At the end of July, the National Institute of Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, to identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.

Overview of the Baseline

The NIST Baseline (“NISTIR 8259” in government-speak) is subtitled “A Starting Point for IoT Device Manufacturers,” and it is intended as just that. NISTIR 8259 builds upon a base document released in final form on June 27, 2019 relating to cybersecurity and privacy risks for the Internet of Things. IoT manufacturers should review NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks before digging into the Baseline document. Considerations (also known as NISTIR 8228) identifies high-level considerations that make IoT security different than IT security and offers suggestions for mitigating cybersecurity and privacy risks. Its intended audience is primarily the users and organizations deploying IoT devices, but it has meaning for manufacturers, network operators and service providers in the space as well.

The NIST Baseline takes these considerations to the manufacturing side, offering (as NIST describes it) to help IoT device manufacturers “understand the cybersecurity risks their customers face” so IoT devices can provide the minimal features to make them securable. (For a discussion of the different meanings that “securable devices” can have in this context, see my blog post on the NIST workshop.)

Securing IoT Devices

The NIST Baseline explains that cybersecurity risks for IoT devices have two high-level risk mitigation goals: protecting device security and protecting data security. As noted in the user-focused Considerations document, the challenges in doing so stem from three features of the Internet of Things:

  1. IoT devices interact with the physical world in ways conventional IT devices usually do not (in other words, they are, by their nature, connected devices);
  2. Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can; and
  3. The availability, efficiency, and effectiveness of cybersecurity features are often different for IoT devices than conventional IT devices.

The NIST Baseline focuses on a generic customer to define the “core” baseline features. The draft notes that manufacturers may need to identify and implement additional features beyond the core baseline that are most appropriate for customers of their particular devices and applications, and offers information on how manufacturers can do this.

For the “core,” NIST identifies six features that IoT devices should address:

  1. Device Identification. How the IoT device can be uniquely identified, both logically and physically.
  2. Device Configuration. How the device’s software and firmware can be changed and who is authorized to make such changes.
  3. Data Protection. How the device can protect the data that it stores and transmits from unauthorized access and modification.
  4. Logical Access to Interfaces. How the device can limit (logical) access to its local and network interfaces so that only authorized users may access these elements.
  5. Software and Firmware Updates. How the device can be updated by authorized entities only, using a secure and configurable mechanism.
  6. Cybersecurity Event Logging. How the device can log cybersecurity events and make the logs accessible to authorized entities only.

For each core feature, the NIST Baseline identifies, in table form, the key elements to consider, the rationale for the feature and several reference documents that may be helpful in addressing the feature. In keeping with NIST’s limited role, the Baseline focuses on the “what” that needs to be addressed, not on the “how” manufacturers should address it.

Separate from the core features, the NIST Baseline also discusses two areas relevant to securing IoT devices. First, it discusses considerations for implementation of these features in the design and manufacturing process. Second, it discusses considerations in communicating these features and the cybersecurity risks of IoT devices to the manufacturer’s customers and users of the device (users who may not necessarily have been the ones to purchase or configure the device).

Issues for Comment

Unlike FCC or FTC notices seeking comment, the NIST Baseline does not provide specific questions or issues for comment. Instead, the Baseline simply seeks feedback from all stakeholders on the draft, in order to assist NIST in refining the document.

The NIST workshop that I attended offers some insight into the comment areas that NIST would find helpful. In the discussion group sessions, NIST first asked whether the six core features were sufficient, and whether any other considerations should be added to the list. My group spent a lot of time discussing the relationship between the Baseline and efforts to create industry-specific standards or best practices. NIST seemed very interested in determining whether the Baseline would serve as a useful starting point for those efforts.

Second, the discussion group was asked whether customer communication should be a core feature or a separate consideration (as in the draft now). This seemed to focus on the role that shared responsibility among manufacturers, users, control organizations (like a corporate IT group) and/or the government played in securing devices (or making them securable).

Finally, our discussion group was asked about two potential additions to the Baseline. First, we were asked whether considerations in protecting legacy devices in an IoT network should be added. This question raised the issue of the role a single IoT device plays in a larger network, such as a smart home configuration where multiple devices (potentially from multiple manufacturers) are controlled by a central hub device. Second, we were asked whether exterior threats to the devices, such as DDoS attacks or botnet attacks, should be part of the Baseline.

Any and all of the above should be fair game for comment to NIST on the Baseline. Comments on the NIST draft may be submitted through September 30. Kelley Drye is working with device manufacturers on potential comments to NIST. If you are interested in submitting comments, please feel free to contact us.

Securing IoT Devices: Lessons from a NIST Workshop Tue, 20 Aug 2019 13:05:30 -0400 Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.

NIST Cybersecurity Baseline for IoT Device Manufacturers

NIST has produced a draft document for comment, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. The comment period for the draft document runs through September 30, and I’ll have more detail on that document in a follow-up post. But, for today, I want to run through impressions from the day-long workshop held at NIST headquarters in Gaithersburg, Maryland.

First, some background. The NIST workshop was held Tuesday, August 13, 2019. The crowd in the room appeared to be between 125 and 150 people, with an unknown number viewing via a webcast. The audience included representatives from tech companies, defense contractors, mobile carriers, research institutions and more (and even at least one lawyer!). In introductory presentations, NIST officials explained that NIST does not have rulemaking authority over private industry. It has a role in setting cybersecurity standards that federal agencies must meet, but any influence NIST has on private industry is through voluntary adoption of its frameworks and standards. More broadly, NIST’s mission is to promote innovation and competitiveness through the use of common standards and measurements. The purpose of this workshop was to receive feedback from industry on the guidance document that has been produced.


By far the most informative (and, judging from conversations the rest of the day, surprising) takeaway from the day was a presentation on a study conducted by NIST’s Information Technology Laboratory. The presentation discussed consumer perceptions of IoT security. The study consisted of 40 semi-structured interviews with consumers using IoT devices. The participants were not novices: they had to be using at least three IoT devices in their homes in order to qualify, and their education levels skewed higher than the U.S. as a whole. The study should re-orient the way we think about the IoT:

  • To consumers, the “Internet of Things” is not a thing. Participants did not use the terminology of “IoT” or the Internet of Things. Instead, to the extent that they saw this as a category, participants referred to the devices as “smart home” or “connected devices.” To me, this makes a lot of sense. Consumers don’t want an “IoT doorbell” or likely even know what that might mean. They focus on functionality (it’s a video doorbell, for example) and don’t really care about the labels and buzzwords dominating the policy discussions.
  • Participants expressed general concerns about privacy – but used the devices anyway. The rationalizations presented were quite interesting. One participant is quoted as saying that he/she knew the device was collecting personal data but “I like having the convenience of having these things.”
  • The participants were confused about the difference between privacy and security and didn’t really seem to understand security. Some took mitigation measures that ranged from the silly (covering cameras with tape) to the minimally effective (not placing devices in certain rooms in the house). The takeaway I had from this is that manufacturers should not expect consumers to know or understand security practices; security will involve a lot of hand-holding to accomplish.
  • On a related note, participants were cognizant of a shared responsibility to protect security, but really didn’t take much responsibility themselves. 29 of the 40 participants pointed to the manufacturer as responsible for security. Participants cited manufacturers’ greater knowledge as one reason why manufacturers bore a greater proportion of the responsibility for security.

The second revelation for me was the way in which these documents have potential to become de facto standards, despite NIST’s protestations to the contrary. The NIST program manager outlined the core principles of the Baseline draft as including (a) recognition that there is no one-size-fits-all approach, (b) a focus on outcomes, not requirements to get there and (c) an acceptance of risk-based principles. And, again, one should keep in mind that NIST does not have regulatory authority over anyone other than federal agencies.

Nevertheless, representatives from regulatory agencies in attendance indicated that they are looking to the NIST baseline as at least a best practice, if not a standard. In my discussion session (one of four), several participants talked about these standards becoming part of government and private industry RFPs, either as requirements or “nice to have” differentiators among bidders. Moreover, several industry groups discussed their efforts to build upon guidance such as the NIST Baseline to develop industry-specific standards. Still others saw multiple standards efforts, and stated that the focus should be on the commonalities among the various standards that are published.

Regardless of how these developments take form, it is clear that the work NIST has done will have an impact, indirect or not, outside of NIST’s limited regulatory authority. Manufacturers should carefully heed the guidance NIST provides, and should consider providing comments on the draft before the September 30 deadline.

Third, the discussion group crystallized some of the interplay among considerations that go into IoT security. Immediately before the discussion groups, a NIST official gave an overview of the draft, emphasizing the difference between a “secure” device and a “secure-able” device. Nevertheless, some in my discussion group suggested that some devices were not worth securing, distinguishing between “securable” devices and those that are not, for cost, utility or other reasons, worthwhile to secure. Others noted that IoT devices most often will operate in a network, not independently, and therefore, security might be provided by other devices in the network (much like a firewall provides security in IT systems today). Moreover, there was general agreement in my discussion group that not every device in a network needed to have all of the security capabilities, and that instead, some devices may have more or different security in order to control (or protect) less secure (or secure-able) devices in the network.

These discussions suggested to me that security is more nuanced and that the concept of “securable” devices depends on multiple factors. While NIST’s document is a starting point, use of it as a standard has pitfalls. Particularly as we are starting to see a wave of IoT security legislation (notably, SB-327 in California and several bills in the U.S. Congress), the inter-dependency of securability and IoT networks is a layer of complexity that policymakers and regulators may not fully appreciate in their oversight activities. Manufacturers and others in the IoT economy have their work cut out for them in explaining how real-world security might work.

Up next: a summary of the NIST Cybersecurity Baseline for IoT devices. Manufacturers and participants in the IoT economy should carefully review this draft and consider filing comments with NIST to inform the final document.

FCC Starts Rulemaking on Commercial Mobile Access in 1675-1680 MHz Band, Similar to 2012 Ligado Petition Thu, 16 May 2019 20:47:17 -0400 By unanimous vote, the FCC launched a rulemaking this past week to consider allocating the 1675-1680 MHz band for co-primary use by flexible commercial terrestrial fixed and mobile operators with incumbent federal operators. The Notice of Proposed Rulemaking (“NPRM”), released on Monday, May 13, is, in many fundamental ways, similar to a proposal Ligado first made in a 2012 petition for rulemaking, with adjustments over the years, seeking to allow terrestrial mobile operations in the 1675-1680 MHz band.

While the NPRM formally does not act on Ligado’s petition (filed by its pre-bankruptcy predecessor LightSquared), the FCC is incorporating the record from the Ligado proceeding into the new docket. That record includes strong opposition from the National Oceanic and Atmospheric Administration (“NOAA”) and several other federal and non-federal users of the band. NOAA is the primary user of the 1675-1680 MHz band, using it for its weather tracking and monitoring capabilities. Numerous unlicensed receive earth station operators and other stakeholders make operational use of the weather data downlinked from NOAA satellites on a direct read out.

NOAA and other incumbents use the band under the current allocations: Meteorological Aids (“MetAids”) and Meteorological-Satellite (“MetSat”) services. MetAids service (i.e., radiosondes) is already transitioning from the band to other frequencies. But the MetSat service is here to stay, as NOAA’s GOES-N and the recently-launched GOES-R satellites operate at the top of and near the 1675-1680 MHz band. Indeed, GOES-R is expected to operate through at least 2036. Because the federal government’s MetSat earth stations are fixed, and relatively limited in number, the FCC contemplates that large geographic areas should be available for commercial wireless users. These tentative conclusions do not take into account the uncertain number of non-federal earth stations that utilize the direct read out. However, the NPRM invites comment on other ways, apart from direct read out, that non-federal entities that rely on the GOES data can gain access to that data, including a non-radio-based content delivery network. Products generated from GOES data support multiple operational activities including dynamic weather forecasting, anticipation of hurricane movements, water level and flood management, warnings for tornadoes and severe weather, wildfire growth tracking, and condition reports for firefighters.

Comments will be due thirty days after Federal Register publication of the NPRM (which has not occurred as of this writing), with replies due 60 days after publication. The FCC seeks comment on numerous issues, with a strong repeated request for cost/benefit information and data, as well as alternative approaches, including:

  • Coordination with Federal Systems – How can current federal earth stations in and adjacent to the band be protected from harmful interference? How can future federal earth stations be accommodated by new commercial users in the 1675-1680 MHz band with minimal disruption to their services?
  • Non-Federal Users – Which non-federal entities operate receive earth stations in the band? Which entities rely on this direct read out data? What other options exist for non-federal users to access the data from NOAA satellites? Is a content delivery system operated over the Internet an acceptable alternative? Would such a system increase the total number of users with reliable access to NOAA satellite data?
  • Band Plan and Licensing – The Commission proposes to license the full five megahertz on an unpaired, geographic area basis. Should the Commission auction licenses by Partial Economic Area (“PEA”)? Should the spectrum be made available solely for downlinks from base stations to user terminals?
  • License Term and Performance Requirements – Should the Commission grant 15-year licenses? Should licensees be required to demonstrate reliable signal coverage to 45% of the population within six years and 80% within twelve years, or should other performance measures be utilized? Should there be different performance requirements for Internet of Things (“IoT”) type services, since they may not provide service based on residential population coverage?

Ligado’s plan, laid out in its proposal, which the NPRM does not take up, was to combine the five megahertz in the 1675-1680 MHz band with the adjacent five megahertz block at 1670-1675 MHz, which it has been leasing. Ligado’s larger ultimate plan was to utilize 1670-1680 MHz along with thirty other megahertz in the L-Band, for which Ligado holds operational authority, to provide a terrestrial commercial network under Commission rules that allow satellite spectrum to be used for Ancillary Terrestrial Component services under certain conditions. Ligado has had license modification applications pending for several years before the Commission to implement its plan. Stakeholders that oppose Ligado’s proposals have raised concerns, respective to specific sub-bands, about harmful interference to GPS operations and adjacent satellite communications (“SATCOM”) services. The NPRM does not mention the applications and the Commission has not otherwise indicated whether or when it will act on them.

Apart from Ligado’s reactions to the Commission’s “non-action” on its petition through the NPRM, NOAA continues to use Spectrum Relocation Fund monies to study the compatibility of existing meteorological operations in and adjacent to the 1675-1680 MHz band with new entrants. One gets the sense that, while the NPRM clearly opens a new chapter in this long story, much of the chapter remains to be outlined, let alone written.

FCC Sets Stage for Next Spectrum Incentive Auction at April Open Meeting Wed, 27 Mar 2019 17:01:58 -0400 It’s once again full speed ahead on spectrum and 5G deployment at the FCC, as the agency plans to take action at its next open meeting scheduled for April 12, 2019 on a slew of measures aimed at making additional millimeter wave (“mmW”) frequencies available to support 5G wireless technologies, the Internet of Things, and other advanced services. Topping the agenda, the agency expects to propose procedures for the simultaneous auction of spectrum for commercial wireless services in three mmW bands encompassing 3400 megahertz. As we previously reported, the proposal would clear the way for the FCC’s second-ever incentive auction (the first being the March 2017 broadcast spectrum incentive auction) designed to clear out incumbent licensees by offering payments in exchange for relinquishing current spectrum holdings. The agency also anticipates reforming access to mmW bands to facilitate the auction and extending long-standing protections for over-the-air reception devices (“OTARD”) to hub and relay antennas essential to 5G network deployment. Rounding out the major actions on the April agenda, the FCC plans to forbear from certain legacy long-distance regulations in the face of increased competition and eliminate the controversial rural “rate floor” for high cost universal service support.

You will find more details on the significant April meeting items after the break:

Spectrum Incentive Auction: The draft Public Notice would propose auction application and bidding procedures for licenses in the Upper 37 GHz (37.6-38.6 GHz), 39 GHz (38.6 GHz-40.0 GHz), and 47 GHz (47.2-48.2 GHz) bands. In the first auction phase, participants would bid for generic 100 megahertz blocks in the three mmW bands. The first auction phase also would determine the amount of incentive payments due to incumbent licensees that opted to relinquish their existing spectrum holdings. The second auction phase would establish the specific frequency assignments awarded to the auction winners. The actual number of licenses available for auction is not yet settled and will depend upon how many incumbent licensees previously agreed to give up their existing spectrum holdings for payment or accept modified licenses. The FCC would announce the particular licenses available at auction in advance of the auction application deadline. The FCC expects to complete the auction by the end of 2019.

37 GHz/50 GHz Band Access: The draft Order would facilitate the auction of the Upper 37 GHz band by establishing procedures for the Department of Defense (“DOD”) to operate in this spectrum on a shared basis with commercial wireless operators under limited circumstances. Specifically, the FCC would review DOD requests to use Upper 37 GHz band frequencies, contact potentially-affected commercial wireless licensees, and help coordinate shared usage, if possible. The draft item also would permit the licensing of Fixed-Satellite Service earth stations to transmit in the 50 GHz (50.4-51.4 GHz) band to potentially provide faster, more advanced services.

OTARD Reform: The draft Notice of Proposed Rulemaking would reform the FCC’s OTARD rule, which currently protects only end-user antennas (e.g., satellite TV dishes) from state, local, or private restrictions. Under the FCC’s proposal, the OTARD protections would be extended to hub or relay antennas used by fixed wireless providers that represent the backbone of emerging 5G networks. The FCC would seek input on how reforming the OTARD rule would impact small antenna infrastructure deployment, particularly in rural areas. The FCC anticipates retaining OTARD rule exceptions for state, local, and private restrictions on antennas based on public safety issues or historic preservation objectives, so long as the restrictions are not overly burdensome and apply in a nondiscriminatory manner.

Legacy Regulation Forbearance: The draft Order would partially grant a petition filed by USTelecom asking the FCC to forbear from enforcing certain legacy long-distance service regulations applicable to former Bell Operating Companies (“BOCs”) and other incumbent carriers. First, the FCC would no longer require incumbent rate-of-return carriers to offer long-distance service through a separate affiliate. Second, the FCC would grant incumbent carriers relief from the “provisioning interval” requirement obligating them to fulfill telephone exchange service and exchange access requests within the same period that they provide such services to affiliated entities. Third, the FCC would refrain from requiring incumbent carriers to submit reports about their legacy “special access” services. Finally, the FCC would eliminate a BOC-specific requirement to provide nondiscriminatory access to poles, conduits, and rights-of-way, finding the obligation duplicative of a similar access rule already imposed on all local exchange carriers. The FCC plans to hold off on USTelecom’s request that it forbear from enforcing its incumbent carrier network element unbundling and resale mandates, but the agency likely will take up this issue before the end of the year.

Rate Floor Elimination: The draft Order would abolish the USF “rate floor” that limited the amount of Connect America Fund support received by some rural carriers to build and maintain networks in underserved areas. Today, if a carrier elects to charge its customers less than the rate floor set by the FCC for voice service, the difference between the amount charged and the rate floor is deducted from the amount of USF support received by the carrier. The FCC plans to conclude that this process results in artificially-inflated rates for rural customers and should be eliminated, along with all of the rate floor’s associated reporting and customer notification requirements. The FCC previously froze the rate floor for two years while it considered reforms and the rule’s elimination would prevent a nearly 50% increase in the rate floor scheduled to take effect in July 2019.

FCC Aims to Open up 6 GHz Band for Unlicensed Use While Protecting Incumbents through Automated Sharing Features and Other Restrictions Mon, 15 Oct 2018 16:19:00 -0400 Responding to demands by high tech companies for more so-called “mid-band” unlicensed spectrum to augment that already made available in the 5 GHz Band, which accommodates Wi-Fi, Internet of Things (“IoT”), and other Unlicensed National Information Infrastructure (“U-NII”) applications as well as Licensed Assisted Access and LTE-Unlicensed solutions, the FCC will vote on a draft Notice of Proposed Rulemaking (“NPRM”) at its October 26 Open Meeting to make up to 1200 megahertz of nearby spectrum available for similar purposes. The draft leaves no doubt that, to make the 5.925-7.125 GHz band (the “6 GHz Band”) available for unlicensed use, sophisticated sharing mechanisms will need to be in place. Various parts of this frequency range are already used by fixed, mobile, and satellite services, and the draft item commits to protecting these incumbents and allowing these services to grow while at the same time opening the band to increased numbers of unlicensed devices. To achieve this, the Commission is considering drawing upon its experience with white spaces and the Citizens Broadband Radio Service (at 3550-3750 MHz), and would seek comment on numerous subjects before adopting rules. The draft item would be a stepping stone to enabling unlicensed devices to operate with wider bandwidths and higher data rates, which the Commission hopes would set off a new wave of innovation in consumer devices complementing its recent moves to spur the rollout of next-generation 5G networks. 
The NPRM, when adopted, will be sure to generate a wave of comments from both equipment manufacturers and broadband providers hungry for more spectrum as well as incumbent public safety organizations, utilities, satellite companies, and various other fixed and mobile services licensees seeking to protect and hoping to expand their existing operations in the 6 GHz Band, particularly as relocation options for other similar spectrum are increasingly scarce.

Currently, the Commission’s unlicensed rules permit operations in the 6 GHz Band for wideband systems (e.g., sensor/tag systems used to locate objects) and ultra-wideband operations. In general, the draft NPRM would allow other unlicensed devices to be introduced to the 6 GHz Band by splitting the spectrum into four sub-bands that pair technical and operational parameters with certain 5 GHz U-NII sub-bands, while incorporating features designed to protect incumbent licensees in those sub-bands. The Commission hopes that by mirroring the operational and technical parameters that already exist for unlicensed devices in the 5 GHz Band, it will “create an enhanced ecosystem of unlicensed use in the 6 GHz band and the nearby U-NII bands” (which are spread over 580 megahertz within the 5150-5850 MHz range).

5.925-6.425 and 6.525-6.875 GHz: Automated Frequency Control

Unlicensed devices using the 5.925-6.425 GHz and 6.525-6.875 GHz sub-bands would be able to operate both outdoors and indoors at power levels permitted for unlicensed use in the U-NII-1 and U-NII-3 sub-bands (5150-5250 and 5725-5850 MHz, respectively). But the NPRM envisions that unlicensed devices in the 6 GHz sub-bands labeled U-NII-5 and U-NII-7 by the draft item would only be allowed to transmit if an automated frequency control (“AFC”) system determines that such transmissions are permitted, so as to avoid harmful interference to licensed operations. The AFC system, or systems, would communicate with an unlicensed device that acts as a “standard-power access point,” which, in addition to operating itself, would control operational permissions for client devices as well as devices accessing a wireless router in the home or an access point at a public location.

The draft item notes that the U-NII-5 and U-NII-7 sub-bands are home to point-to-point microwave links that support public safety, railroad, oil and gas pipeline, utilities, and wireless and wireline communications service, as well as some fixed satellite services. As the fixed service incumbents are at known, fixed locations, the FCC believes the AFC system could be a “simple database” which is automatically queried to determine which frequencies are available for an unlicensed device to use at a given location and time. The FCC seeks comment on numerous aspects of possible approaches to the AFC system concept, thereby highlighting the many technical and other issues that will need to be resolved. These include what are the basic eligibility requirements to be an AFC system operator; whether there should be more than one AFC system; whether the FCC’s ULS system is or can be made sufficiently reliable as the basis for AFC system operation and determination of available frequencies; whether and how AFC systems (assuming there are more than one) will need to exchange data; whether the AFC system(s) should be centralized or de-centralized; whether unlicensed devices will need to register with the AFC system(s) and will need to identify themselves to incumbents; how the location and height of an unlicensed 6 GHz Band device will be determined before frequencies are selected; what security needs to be in place to ensure proper operation of the AFC system(s); whether 6 GHz Band unlicensed devices might cause aggregate harmful interference to satellite space station receivers and, if so, how to mitigate that interference; how often unlicensed devices would need to check the AFC system to confirm the availability of the frequencies they are using; and whether and how AFC system operators can charge access fees. 
The FCC also requests input on the nature of and metrics for the appropriate interference standard to protect incumbent licensees, ensuring that unlicensed devices in the U-NII-5 and U-NII-7 sub-bands cannot operate co-channel to any fixed link within that link’s defined exclusion zone. In this area, the Commission faces a number of “real-world” challenges, such as properly allowing for multipath fading when an AFC system determines that a frequency is available, with the goal of maximizing spectrum utilization by licensed and unlicensed devices.

6.425-6.525 and 6.875-7.125 GHz: Low-Power, Indoor Operation

Meanwhile, unlicensed devices using the 6.425-6.525 GHz and 6.875-7.125 GHz sub-bands, which the NPRM terms the U-NII-6 and U-NII-8 sub-bands, respectively, would only be allowed to transmit indoors and at lower power levels than in the U-NII-5 and U-NII-7 sub-bands (equal to the same, more restricted, power levels already applicable to the 5 GHz U-NII-2 bands (i.e., 5250-5350 and 5470-5725 MHz)). However, as the draft NPRM would propose, unlicensed operations in the U-NII-6 and U-NII-8 sub-bands, by “low-power access points” and client devices, would not be subject to AFC system coordination before operation. The draft NPRM states that these sub-bands are primarily used for mobile services such as Broadcast Auxiliary Service television pick up stations (i.e., electronic news gathering and wireless video links), mobile and fixed Cable Television Relay Service links, several varieties of fixed television-service-related links which operate on a more restricted basis, licensed wireless microphone operations, and a limited number of satellite services. The itinerant operations of the foregoing mobile services make the use of an AFC system infeasible. The FCC inquires how indoor use effectively can be assured, asking, for example, whether it should adopt specific equipment restrictions to ensure indoor operations (e.g., requiring devices to have a direct connection to a power outlet) and how to address potential interference complaints.

Interference Mitigation

The FCC’s draft item proposes a number of interference mitigation measures and potential limitations on unlicensed device use, indicating an openness to outside recommendations on how best to strike the balance between unlicensed and licensed use of the band. For example, would AFC system(s) permit operations on certain frequencies at lower power levels where operation would be precluded if the unlicensed device’s maximum power were used to determine available frequencies? In addition, the NPRM would propose that client devices be allowed to connect with both standard-power access points and low-power access points, and be permitted to operate across the entire band, which should encourage the widespread availability of client devices. Similarly, to promote widespread adoption, the draft NPRM would also inquire whether there are ways to allow higher power and even outdoor operations in the U-NII-6 and U-NII-8 sub-bands without causing interference to mobile operations. Conversely, the Commission intends to ask whether non-AFC system operations by low-power access points should be permitted in the U-NII-5 and U-NII-7 sub-bands. Finally, the NPRM would propose to preclude operation of standard-power and low-power access points in moving vehicles, cars, trains, or aircraft (and implicitly raises the question whether sufficient spectrum is available for unlicensed operations in moving vehicles, in addition to certain 60 GHz unlicensed operations on aircraft pursuant to Commission decisions in the Spectrum Frontiers proceeding). The adoption of the NPRM would provide an opportunity for all stakeholders to weigh in on the future use of the 6 GHz Band.

NTIA Holds Virtual Meeting of Multistakeholder Process on Internet of Things Security Upgradability and Patching Fri, 28 Jul 2017 13:17:53 -0400 On July 18, 2017, the National Telecommunications and Information Administration (“NTIA”) hosted a virtual meeting of its multistakeholder process to address Internet of Things (“IoT”) patching and security upgrades. The July 18th meeting represents the fourth gathering of multistakeholders in this process.

During the July 18th meeting, four working groups presented: (1) the Communicating Upgradability and Improving Transparency working group; (2) the Incentives, Barriers, and Adoption working group; (3) the Standards working group; and (4) the Technical Capabilities and Patching Expectations working group.

The Communicating Upgradability and Improving Transparency working group reached consensus on a final draft document that outlines a communications framework for manufacturers to consider before consumers buy their products. Members of the working group were quick to emphasize that their guidelines are not meant to supersede regulation or serve as a legal standard. Instead, the working group sought to identify and consolidate critical points it recommends manufacturers weigh as they develop IoT devices.

According to the final draft, “key” considerations manufacturers should communicate to consumers include:

  • Whether the device can receive security updates;
  • How the device receives security updates; and
  • The anticipated timeline for the end of security support.

The guidance also notes additional, less-critical considerations and discusses how manufacturers should notify consumers about updates.

Importantly, working group members noted there is no strategic plan for using the final draft going forward. Working group co-chairs noted they would like to see how the guidelines operate “in the wild” and that the framework could become part of the government’s effort to combat botnets and automated threats. The working group will discuss next steps on its next conference call, at a date still to be determined.

The three other working groups also presented status updates on their initiatives, which remain in earlier stages of drafting. NTIA plans a September 12, 2017 meeting in Washington, D.C. to attempt to reach consensus on these three drafts.

If you have questions about NTIA’s multistakeholder process on IoT issues, or would like to learn more about how to get involved, please contact the authors of this post.

Connect with Kelley Drye at next Presidio Forum on IoT Security in San Francisco on June 20 Tue, 13 Jun 2017 10:00:54 -0400 Kelley Drye is excited to support the next Presidio Forum on “Securing (and Regulating) the Internet of Things: Policy, Innovation & Investment,” in San Francisco on June 20, 2017. The forum will present a candid discussion exploring today’s expanding IoT threat landscape, the continued rise of regulatory interest, and the increasing venture capital investment in IoT security entrepreneurship. John Heitmann, chair of the Communications Group, and associate Jameson Dempsey will both be speaking. Other speakers include Marc Rogers, Head of Information Security & IT for Cloudflare, Dmitry Dain, Co-Founder of Virgil Security, and Nils Puhlmann, Co-Founder of Cloud Security Alliance. To register click here. The event is free to attend. Please contact John or Jameson if you have any questions about the event.