CommLaw Monitor
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor
News and analysis from Kelley Drye’s communications practice group
Thu, 13 Feb 2025 20:03:28 -0500

FCC Begins Proceeding to Broaden its National Security Protections Beyond Universal Service Disbursements; IoT, Cybersecurity in its Sights
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-begins-proceeding-to-broaden-its-national-security-protections-beyond-universal-service-disbursements-iot-cybersecurity-in-its-sights
Sun, 20 Jun 2021 22:36:29 -0400

Protecting the U.S. telecommunications networks from security threats has long been an area of strong agreement at the FCC. Following several actions by the Pai Commission to ban Huawei and ZTE equipment deemed to pose a national security threat, Acting Chairwoman Rosenworcel has continued the effort. Indeed, in February, at the first meeting she led as acting chair, Rosenworcel called on the FCC to “revitalize” its approach to network security “because it is an essential part of our national security, our economic recovery, and our leadership in a post-pandemic world.”

At the FCC Open Meeting on June 17, 2021, the FCC took its most visible step yet toward Acting Chairwoman Rosenworcel’s vision. The Commission adopted a Notice of Proposed Rulemaking (“NPRM”) and Notice of Inquiry (“NOI”) to further address national security threats to communications networks and the supply chain. The NPRM and NOI set their sights on the Commission’s rules relating to equipment authorization and competitive bidding. The Commission’s proposals contain the seeds of a much broader focus on Internet of Things (“IoT”) devices, cybersecurity and RF fingerprinting, to name a few. All participants in the telecommunications ecosystem should take notice.

The NPRM and NOI initiate an inquiry into many proposals to tighten the focus on network security in FCC procedures. Most notably, the Commission opened an inquiry into the following areas:

Equipment Authorization Rules and Procedures – The NPRM seeks comment on a proposal to prohibit all future authorizations of equipment on the Covered List under the Secure and Trusted Communications Networks Act of 2019, including equipment subject to the FCC’s certification and Supplier’s Declaration of Conformity processes associated with equipment authorization. This proposal goes beyond the current rules, which only prohibit recipients of Universal Service Program funding from using that funding to purchase, lease or maintain equipment on the Covered List.

Under current rules, despite the USF program prohibition, equipment on the Covered List can still obtain equipment authorization (and some has already obtained authorization). The NPRM considers whether to revise the rules to ensure that any “covered” equipment cannot qualify for authorization. It also seeks comment on whether to revoke authorizations that were previously granted for equipment on the Covered List. If revocation is approved, the FCC seeks to determine which authorizations should be revoked and through what procedures.

Competitive Bidding Certification – The NPRM also seeks comment on a proposal to require applicants who wish to participate in FCC auctions to certify that their bids do not and will not rely on financial support from any entity that the FCC has designated under Section 54.9 of the FCC’s rules as a national security threat to the integrity of communications networks or the communications supply chain. The certification would require applicants to attest that none of their equipment (including component parts) includes any “covered” equipment, as identified on the current published list of “covered” equipment, and would cross-reference section 1.50002 of the FCC’s rules, which establishes the Covered List.

Manufacturing Encouragement Efforts – The NOI portion of the FCC document seeks comment on how the FCC can leverage its equipment authorization program to encourage manufacturers who are building devices that will connect to U.S. networks to consider cybersecurity standards and guidelines. The FCC inquires further about how to address security risks associated with IoT devices. Importantly, as we theorized a while back, the FCC notes the work that the National Institute of Standards and Technology (“NIST”) has done on cybersecurity and, in particular, cybersecurity for IoT devices, and asks whether the FCC’s equipment authorization rules should require manufacturers to certify in equipment authorization applications that they have considered this guidance in the design and manufacturing of their devices. The NOI also includes questions regarding the use of “RF fingerprinting” to help identify and isolate insecure devices.

Commissioner Statements

As expected, the NPRM and NOI received unanimous support from the Commissioners. Acting Chairwoman Rosenworcel cited the rash of ransomware attacks and emphasized the need for broader cybersecurity considerations for IoT. “We need to acknowledge that the equipment that connects to our networks is just as consequential for our national security as the equipment that goes into our networks,” she said. Commissioner Carr discussed the possibility of Chinese interference with missile defense systems in North Dakota and referred to this proceeding as “closing a loophole” in FCC rules. Commissioner Starks, a former staff member in the Enforcement Bureau, emphasized changes intended to make enforcement against foreign actors easier to implement, citing examples from the past decade involving illegal jamming equipment manufactured overseas. Commissioner Simington took credit for adding “RF fingerprinting” to the NOI, stating that the technology “can play a central role in interdiction and enforcement of hacking and cyber-crime.”

With this proposal’s broad support at the Commission, equipment manufacturers (including IoT device manufacturers) should pay close attention to the FCC’s actions. Comments will be received over the summer, and the Commission could address its rules by year-end. Affected manufacturers may wish to comment in the proceeding.

Join Kelley Drye at Telecom Council’s IoT Forum on Cybersecurity
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/join-kelley-drye-at-telecom-councils-iot-forum-on-cybersecurity
Tue, 12 Jan 2021 15:37:25 -0500

On January 21, join Kelley Drye and Partner Steve Augustino at Telecom Council’s IoT Forum on Cybersecurity. Continuing a series of virtual meetings, the IoT Forum will convene to look at innovation and startups working on IoT security. Steve will present on the IoT Cybersecurity Act of 2020, including the role of security standards in today’s market and the trends that IoT device manufacturers should consider when designing their products and services.

Click here for more information and to register.

President Signs IoT Cybersecurity Act of 2020
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/president-signs-iot-cybersecurity-act-of-2020
Wed, 09 Dec 2020 12:27:18 -0500

On December 4, 2020, President Trump signed bipartisan legislation establishing minimum security requirements for Internet of Things (“IoT”) devices used by the federal government. The legislation, H.R. 1668, passed the House in September and the Senate in November.

The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the summer on IoT device cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which already was working on the federal profile of IoT uses, is directed to issue these guidelines by March 4, 2021. Within 6 months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, adding a hammer to the incentives, federal government acquisition standards are to be revised to implement these standards. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.

The goal of indirect IoT regulation was overt in the legislation. In a press release accompanying passage of the Act by the Senate, Senators Mark Warner (D-VA) and Cory Gardner (R-CO) expressly stated their goal that “leveraging the purchasing power of the federal government…will ultimately help move the wider market towards greater cybersecurity.” As we warned when NIST initiated its IoT device security guidance, non-binding standards can quickly become de facto regulations. That result is obvious here.

In addition, a second objective of the IoT Cybersecurity Improvement Act is to develop standards for the reporting of vulnerability information relating to federal IoT uses. Specifically, NIST is directed to develop guidelines for reporting, coordinating, publishing, and receiving information about security vulnerabilities in information systems owned or controlled by the federal government (including but not limited to IoT vulnerabilities). These guidelines are to be aligned, to the maximum extent possible, with international standards adopted by the International Standards Organization and should provide guidance on both disclosing the vulnerability and disseminating information about the resolution of the security vulnerability. NIST is directed to develop these standards by June 2021.

This legislation adds to an already busy plate for NIST’s IoT and cybersecurity programs. But this legislation adds some teeth to the activities, making NIST an agency to watch in 2021.

President Formalizes Executive Agency Review of FCC Applications and Licenses; Quick Action on FCC License Revocation
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/president-formalizes-executive-agency-review-of-fcc-applications-and-licenses-quick-action-on-fcc-license-revocation
Sun, 26 Apr 2020 23:01:11 -0400

For years, there have been critiques about the lack of procedures surrounding the review, by a group of Executive Branch agencies commonly referred to as “Team Telecom”, of applications before the Federal Communications Commission (“FCC” or “Commission”) for licenses and transaction approvals involving foreign ownership, including the absence of timeframes for completing reviews. The FCC tried to implement limited changes within its jurisdiction by launching a rulemaking, but that never progressed to a conclusion. Now, by Executive Order (“EO”) on April 4, 2020, President Trump established a framework to govern such reviews, one that clearly includes reviews of existing licenses and authorizations even where there are no current mitigations. There are still a lot of unknowns regarding the new “Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector” (the “Committee”). It is too soon to know whether the Committee will bring a welcome measure of regularity to a previously unshackled process or will prove to be an even greater bane to applicants and licensees than the Team Telecom process its work will replace.

Review of applications referred by the FCC to Team Telecom because of certain national security and law enforcement concerns has long been part of the landscape, but, because the Team Telecom review process had no statutory or regulatory framework, the communications industry had little insight into the review process or the Executive Branch’s related activities. This is not to say that the new Committee will be transparent, and one should not expect that, but the EO better defines the process and the potential scope of the review activities.

Committee Responsibilities

The Committee is tasked with reviewing, for national security and law enforcement concerns raised by foreign participation in the United States telecommunications services sector, those applications before the FCC “for a license or authorization, or the transfer of a license or authorization” which the agency refers to the Committee (“Referred Application”). The EO does not purport to dictate when the FCC, an independent agency, refers applications to the Committee, but the track record of referrals to Team Telecom probably provides a guide to what will be referred. And nothing prevents the Committee, or an executive agency, from asking the Commission to refer an application (which has been the case prior to the EO). Moreover, the interrelationship between the Committee’s activities and those of the Committee on Foreign Investment in the United States (“CFIUS”), whose statutory authority concerns review of certain covered transactions involving foreign investment in U.S. businesses in the telecom sector and beyond, remains to be seen. Historically, the link between Team Telecom review and CFIUS activities has not been susceptible to clear explanation. Indeed, there is only one mention of CFIUS in the EO, in the context of information that the Committee can share with CFIUS when it is undertaking a review of transactions.

By all appearances, the Committee will replace the functions of Team Telecom, which currently conducts such national security reviews but is not governed by any established procedures. The new EO also contemplates review, on the Committee’s own motion, of existing FCC licenses and authorizations to identify “any new or additional risks” to law enforcement and national security. These reviews may result in a recommendation to the FCC to modify or revoke licenses and authorizations even where Team Telecom or the Committee has not imposed mitigation measures earlier. While the EO provides some long-sought clarity and structure to the review process, some uncertainties remain as to how this Committee will operate and use its authority to seek conditions on, or denial of, FCC licenses, given the White House’s initiative to establish the Committee. However, judging by an executive agency recommendation – a mere five days after the EO was issued – that the FCC revoke China Telecom’s FCC license, albeit not under the guise of the new Committee, and the Commission’s show cause orders issued to four Chinese government-owned FCC licensees, the U.S. telecommunications industry should expect to see close review of new applications and potentially renewed scrutiny of previously-granted FCC licenses.

Responding to the release of the EO, FCC Chairman Pai welcomed the EO’s “formalizing Team Telecom review and establishing a process that will allow the Executive Branch to provide its expert input to the FCC in a timely manner.” FCC Commissioner O’Rielly, long an ardent proponent of revising the review process and a champion of the Commission’s rulemaking seeking changes associated with Team Telecom review, similarly lauded the EO for “establishing a formal structure . . . and including deadlines for the relevant agencies to render decisions” and noted that fixing the “incoherent and indefensibly unpredictable review process” had been his priority over the last several years. In its rulemaking proceeding in 2016, the FCC proposed definitive timeframes and a clear review process but, despite receiving industry support, that proceeding stalled.

Committee Structure and Implementation

Comprising, at its core, the same three agencies as Team Telecom, the Committee, chaired by the Attorney General, the head of the Department of Justice, will include the Secretary of Defense, Secretary of Homeland Security, and to the extent the President deems appropriate, the heads of any other executive agencies or Assistants to the President. Officials of other agencies – such as the Director of National Intelligence, the Secretary of Commerce, and the Secretary of State – will have limited roles in certain circumstances.

The EO sets a ninety (90) day timeline, or until June 2, 2020, for the Committee members to enter into a Memorandum of Understanding (that may or may not become public) that, among other requirements, establishes the information to be collected from applicants, defines standard mitigation measures, and identifies the plan for implementing the EO. However, the EO does not set an actual deadline by which the Committee will begin reviewing Referred Applications, but does provide that the purview includes applications “referred by the FCC before the date of [the EO] to the group of executive departments and agencies involved in the review process that was previously in place,” i.e., to Team Telecom. This should provide for something of a seamless transition from the current framework to the new Committee.

The EO Brings Some Insights into the Review Process

While the Committee’s responsibilities generally would be familiar to Team Telecom observers, at least two aspects are worth specific mention.

First, the EO establishes some semblance of definitive timeframes and processes for the Committee’s review of Referred Applications, albeit triggered by a somewhat uncertain date when applicants’ responses to the Committee’s questions and information requests are “complete.” Telecommunications providers and legal practitioners that have been through a Team Telecom review know that the process often was lengthy, with reviews not uncommonly taking nine months and even much longer. Moreover, neither the applicants nor the FCC had any insight into the mechanics of the review process or whether the review was continuing in the background during the often long stretches of time with no communication from the Executive Branch after responses to the Team Telecom questions and information requests (commonly referred to as “triage” questions) were provided, at least until the end of the review process.

Under the EO, the Committee is to finish its initial review within 120 days of when an applicant’s responses are complete, although the Committee may conclude that a “secondary assessment” is warranted. Any secondary assessment must be completed within ninety days of its start. So, reviews could take seven months after the triage questions have been completely addressed and still be within the time frames contemplated by the EO. Experience often showed, under the Team Telecom process, that completing triage could itself take several months.

The EO also provides a look “behind the curtain” of the Committee, from a procedural perspective, as it delineates the actions, such as the Director of National Intelligence’s review and written national security threat assessment, that the various Committee components will take during the review process. While knowledge that a process actually exists will be of interest to applicants, the substance of the internal communications will likely not be shared until such time as Committee recommendations are made known in terms of proposed mitigation measures or the lack of objections to a Referred Application.

Second, the EO makes clear that the Committee may take a fresh look at existing licensees for national security and law enforcement risks, although the procedures surrounding such license reviews are not as fully fleshed out in the EO as are those surrounding examination of Referred Applications. This authority may lead to the Committee seeking license revocation through the FCC or requiring that the licensee enter into a mitigation agreement to avoid, presumably, an effort to revoke the license. While Team Telecom has sought license revocations over the past few years where mitigation agreements are already in place and there are issues of compliance, see also here and here, we are unaware of existing licensees being required to enter into new or revised mitigation agreements absent new applications, for example for assignments or transfers of control, being filed with the FCC.

Nevertheless, this explicit authority for the Committee to revisit and possibly modify or require new mitigation agreements is not entirely surprising. As we have reported previously, increased concerns regarding the security of telecommunications equipment from certain foreign-owned equipment manufacturers, such as Huawei and ZTE, recently have led the FCC to restrict and, in some cases, ban the use of such manufacturers’ equipment. The Executive Branch and other agencies similarly have identified numerous national security threats, with cybersecurity as a top concern, arising in the many years since some FCC licenses have been granted. Consequently, the Committee is unlikely to be shy about revisiting existing licensees where there now are perceived law enforcement or national security concerns that the Committee believes need to be addressed by mitigation measures. Of course, having a licensee’s existing mitigation agreement revisited, typically in the form of a generally more robust National Security Agreement (“NSA”) or a frequently “lighter touch” Letter of Assurances (“LOA”), or a licensee being required to enter into such a mitigation agreement for the first time, may have serious implications for the licensee depending on its business and operations models.

The EO explains that, while it does establish certain procedures and timeframes, it does not create any rights or benefits, substantive or procedural, that applicants or licensees can enforce at law or in equity against the government or any other person. Moreover, the EO does not supersede the existing rights or discretion of any Federal agency, outside the activities of the Committee, to conduct inquiries with respect to an FCC application or license or to negotiate, enter into, impose, or enforce contractual provisions with such applicant or licensee, which would include existing mitigation arrangements with one or more executive branch agencies.

The EO Also Creates Some Uncertainty

While the EO provides some transparency in, and certainty to, the Referred Application review process, many questions remain. To mention a few of those questions:

  • What information will Referred Application applicants have to provide? Traditionally, applicants undergoing a Team Telecom review have faced fairly consistent sets of triage questions that vary by the type of application, with additional questions typically customized based on the applicant. The EO directs the Committee to develop the information requests that will be required from Referred Application applicants but it is unknown if those questions will be similar in scope and content to the triage questions or if the Committee will develop different and possibly more burdensome triage questionnaires given the elevated concerns within the government regarding the security of U.S. telecommunications and networks.
  • What compliance obligations will be included in mitigation agreements? Under the current Team Telecom review process, applicants can expect to enter into a comprehensive NSA or an often narrower and lighter LOA. These arrangements are publicly available and provide FCC license applicants with a general sense of the scope of compliance obligations. In more recent years, we have observed a convergence toward more common terms, albeit with some ability to negotiate certain aspects of the mitigation. The EO retains the use of mitigation agreements but refers to “standard” and “non-standard” mitigation agreements. It is unclear if the “standard” vs. “non-standard” mitigation dichotomy refers to the difference between LOAs and NSAs or contemplates other compliance frameworks. It is possible that LOAs and NSAs will be considered standard mitigation and that non-standard mitigation measures will contain even more stringent or targeted compliance obligations. Alternatively, the Committee may revise the entire mitigation measure regime, and the degree of “negotiation” the government is willing to engage in may be adjusted materially, and not necessarily for the better.
  • Exactly when will the Committee and its new measures replace the current Executive Branch review regime? The EO sets a 90-day deadline for the Committee to develop an implementation plan. The Committee may be able to meet this deadline, since the three primary member agencies already will be familiar with the review process based on their experience with the Executive Branch reviews. However, the EO does not identify a deadline for when the Committee will begin reviewing Referred Applications (or existing licenses) under the EO framework. The EO suggests that pending reviews may become subject to the EO timelines. If that’s true, will the timelines apply in full, even where the review is well under way? Will already pending reviews be placed on hold until the Committee is up and running? Similarly, will applications referred after the EO was released remain in pending status until the Committee gets things up and running?

Swift Movement to Revoke Licenses

Although not even a month has passed since the EO was released, action already is being taken to revoke the FCC license of China Telecom, and to require four other Chinese government-affiliated licensees to show cause why their FCC licenses should not be revoked. In what clearly was an already pending initiative, within five days of the EO’s release, Team Telecom recommended that the FCC revoke China Telecom’s license. The recommendation, exceeding fifty pages and containing hundreds of pages of often redacted exhibits, details numerous concerns regarding China Telecom’s operations, which were subject to a 2007 LOA. The concerns range from the company’s failure to comply with its mitigation agreement, to making inaccurate statements regarding its cybersecurity practices, to providing opportunities for the Chinese government to engage in economic espionage and misroute or disrupt U.S. communications. Although China Telecom currently has only an LOA as its mitigation agreement, and presumably could be required to enter into a more comprehensive NSA, the Executive Branch explicitly rejected the transition to an NSA based on China Telecom being deemed “an untrustworthy and unwilling partner” under its current LOA. Unlike other Executive Branch license revocation recommendations, which typically cited general mitigation agreement noncompliance and, more often, apparent cessation of operations, the China Telecom revocation recommendation identifies numerous and detailed concerns and relies, in part, on information obtained under the Foreign Intelligence Surveillance Act. Similarly, on Friday the Commission issued show cause orders to China Telecom Americas, China Unicom Americas, Pacific Networks, and ComNet giving them thirty days to show cause why their FCC licenses should not be revoked.

The show cause orders cite Team Telecom’s China Telecom revocation recommendation when noting that, as entities ultimately owned or controlled by Chinese government-owned entities, the four FCC licensees would be “vulnerab[le] . . . to the exploitation, influence, and control of the Chinese government.” Although the show cause orders were issued on the Commission’s own motion, the FCC’s action undoubtedly is related to the EO’s review of existing licensees for national security and law enforcement concerns. In light of the national security concerns the Executive Branch outlined in the China Telecom recommendation, the FCC’s show cause orders to China Telecom Americas, China Unicom Americas, Pacific Networks, and ComNet, and the similar concerns regarding Huawei and ZTE equipment, we anticipate the Committee similarly will be proactive in revisiting any licensees that may raise national security concerns.

Key Takeaways

The EO provides some clarity regarding the Referred Application review process and timeframe, but many uncertainties remain, including just how long after an application is referred the review process will begin.

Applicants contemplating transactions or new FCC licensing that will involve a Referred Application will benefit from a clearly defined review timeframe, once triage is “complete,” but also may face different, and potentially more stringent, mitigation obligations.

Current FCC licensees, whether parties to mitigation agreements or not bound by such agreements, may have their communications operations reviewed for national security concerns and the licensee could be subjected to new or revised mitigation requirements.

* * *

The full impact of the EO will only become known over time. Kelley Drye continues to monitor the issues, so check back for future updates.

Podcast: IoT Security
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/podcast-iot-security
Tue, 26 Nov 2019 13:19:11 -0500

From smart homes and self-driving vehicles to drones and healthcare monitoring, Internet of Things (IoT) capabilities are a hot topic for both manufacturers and consumers. The most recent episode of Kelley Drye’s Full Spectrum podcast spotlights one of the key areas for everyone involved – maintaining security of IoT devices. The episode features cybersecurity developments, like the National Institute of Standards and Technology’s (NIST) baseline recommendations for securable devices. We describe how NIST has taken the lead in this area and what the current recommendations might mean for future regulation.

Click here to listen and subscribe.

Securing IoT Devices (Part 2): Inside the NIST Guidance Document for IoT Device Manufacturers
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/securing-iot-devices-part-2-inside-the-nist-guidance-document-for-iot-device-manufacturers
Thu, 22 Aug 2019 11:27:44 -0400

At the end of July, the National Institute of Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, to identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.

Overview of the Baseline

The NIST Baseline (“NISTIR 8259” in government-speak) is subtitled “A Starting Point for IoT Device Manufacturers,” and it is intended as just that. NISTIR 8259 builds upon a base document, released in final form on June 27, 2019, relating to cybersecurity and privacy risks for the Internet of Things. IoT manufacturers should review NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks before digging into the Baseline document. Considerations (also known as NISTIR 8228) identifies high-level considerations that make IoT security different from IT security and offers suggestions for mitigating cybersecurity and privacy risks. Its intended audience is primarily the users and organizations deploying IoT devices, but it has meaning for manufacturers, network operators and service providers in the space as well.

The NIST Baseline takes these considerations to the manufacturing side, offering (as NIST describes it) to help IoT device manufacturers “understand the cybersecurity risks their customers face” so IoT devices can provide the minimal features to make them securable. (For a discussion of the different meanings that “securable devices” can have in this context, see my blog post on the NIST workshop.)

Securing IoT Devices

The NIST Baseline explains that cybersecurity risk mitigation for IoT devices has two high-level goals: protecting device security and protecting data security. As noted in the user-focused Considerations document, the challenges in doing so stem from three features of the Internet of Things:

  1. IoT devices interact with the physical world in ways conventional IT devices usually do not. (In other words, they sense or act on their surroundings rather than only processing data.);
  2. Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can; and
  3. The availability, efficiency, and effectiveness of cybersecurity features are often different for IoT devices than for conventional IT devices.
The NIST Baseline defines the “core” baseline features against a generic customer. The draft notes that manufacturers may need to identify and implement additional features beyond the core baseline that are most appropriate for the customers of their particular devices and applications, and it offers information on how manufacturers can do this.

For the “core,” NIST identifies six features that IoT devices should address:

  1. Device Identification. How the IoT device can be uniquely identified, both logically and physically.
  2. Device Configuration. How the device’s software and firmware can be changed and who is authorized to make such changes.
  3. Data Protection. How the device can protect the data it stores and transmits from unauthorized access and modification.
  4. Logical Access to Interfaces. How the device can limit (logical) access to its local and network interfaces so that only authorized users may access these elements.
  5. Software and Firmware Updates. How the device can be updated by authorized entities only, using a secure and configurable mechanism.
  6. Cybersecurity Event Logging. How the device can log cybersecurity events and make the logs accessible to authorized entities only.
For each core feature, the NIST Baseline identifies, in table form, the key elements to consider, the rationale for the feature and several reference documents that may be helpful in addressing the feature. In keeping with NIST’s limited role, the Baseline focuses on the “what” that needs to be addressed, not on the “how” manufacturers should address it.
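Because the Baseline deliberately stops at the “what,” it helps to see what three of the core features look like once a manufacturer turns them into a “how.” The following Python sketch is an added illustration for this post, not NIST’s text or code: an update path that applies only authentic images built for the right product (feature 5), a version floor that only that path can raise so a signed but older image cannot be reinstalled (feature 2), and an event log that only an authorized role may read (feature 6). The manifest format, the key assumed to be provisioned at manufacture, the role names and the sample images are all assumptions for the example. HMAC-SHA256 stands in for an asymmetric signature so the example runs on the standard library alone; a shipped device should verify an ECDSA or Ed25519 signature against a public key in immutable storage, so that extracting the key from one unit does not let an attacker sign updates for every unit.

```python
"""
Added example (not NIST's text or code) of three core baseline features on a
device: 5 (updates only from authorised sources, via an authenticated path),
2 (a version floor that only that path may raise) and 6 (an event log readable
by an authorised role only). The manifest format, the key provisioned at
manufacture, the role names and the sample images are assumptions. HMAC-SHA256
stands in for an asymmetric signature so the example runs on the standard
library; a shipped device should verify ECDSA/Ed25519 against a public key in
immutable storage, so that extracting one unit's key cannot sign updates for all.
"""
import hashlib
import hmac
import json
import time


class UpdateRejected(Exception):
    """Raised when an update fails one of the device-side checks."""


def sign_manifest(update_key: bytes, manifest: dict) -> tuple:
    """Vendor side (constructed): serialise deterministically, then authenticate."""
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(update_key, manifest_bytes, hashlib.sha256).hexdigest()
    return manifest_bytes, tag


class Device:
    def __init__(self, device_id: str, model: str, update_key: bytes, installed_version: int):
        self.device_id = device_id          # feature 1: unique logical identifier
        self.model = model
        self._update_key = update_key       # assumed provisioned at manufacture
        self.installed_version = installed_version
        self._events = []                   # feature 6: on-device event log

    def _log(self, event: str, **detail) -> None:
        self._events.append({"ts": time.time(), "device": self.device_id, "event": event, **detail})

    def read_log(self, role: str) -> list:
        """Feature 6: the log is readable by authorised entities only."""
        if role != "admin":
            self._log("log_access_denied", role=role)
            raise PermissionError("reading the event log requires the admin role")
        return list(self._events)

    def apply_update(self, manifest_bytes: bytes, tag: str, image: bytes) -> int:
        """Feature 5: apply an update only if it is authentic, built for this model,
        newer than what is installed and matches the image the manifest names."""
        expected = hmac.new(self._update_key, manifest_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            # Reject before parsing: nothing in an unauthenticated manifest is trusted.
            self._log("update_rejected", reason="bad_signature")
            raise UpdateRejected("manifest authentication failed")
        manifest = json.loads(manifest_bytes)
        if manifest.get("model") != self.model:
            self._log("update_rejected", reason="wrong_model", model=manifest.get("model"))
            raise UpdateRejected("manifest is for a different product")
        if manifest["version"] <= self.installed_version:
            # Anti-rollback: a genuine but older image would reintroduce fixed bugs.
            self._log("update_rejected", reason="rollback", version=manifest["version"])
            raise UpdateRejected("version is not newer than the installed one")
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            self._log("update_rejected", reason="image_hash_mismatch")
            raise UpdateRejected("image does not match the signed manifest")
        self.installed_version = manifest["version"]   # feature 2: floor raised here only
        self._log("update_applied", version=manifest["version"])
        return self.installed_version


def demo() -> dict:
    """Constructed scenario: one good update, then three deliveries the checks must stop."""
    key = b"example-update-key-provisioned-at-factory"      # constructed test key
    device = Device("cam-0001", "doorcam-v2", key, installed_version=3)
    image_v4 = b"constructed firmware image bytes for v4"
    mbytes, tag = sign_manifest(key, {"model": "doorcam-v2", "version": 4,
                                      "sha256": hashlib.sha256(image_v4).hexdigest()})
    results = {"applied": device.apply_update(mbytes, tag, image_v4)}

    outcomes = {
        # Replay of the valid v4 update after it is installed: the rollback check fires.
        "replay": (mbytes, tag, image_v4),
        # Manifest edited to claim v5 without re-signing: authentication fails first.
        "forged": (mbytes.replace(b'"version": 4', b'"version": 5'), tag, image_v4),
    }
    image_v5 = b"constructed firmware image bytes for v5"
    m5, t5 = sign_manifest(key, {"model": "doorcam-v2", "version": 5,
                                 "sha256": hashlib.sha256(image_v5).hexdigest()})
    # Valid v5 manifest delivered with a substituted image: the hash check fires.
    outcomes["swapped_image"] = (m5, t5, b"not the v5 image")
    for name, args in outcomes.items():
        try:
            device.apply_update(*args)
        except UpdateRejected as err:
            results[name] = str(err)

    try:
        device.read_log("guest")
    except PermissionError:
        results["guest_log_read"] = "denied"
    results["events"] = [e["event"] for e in device.read_log("admin")]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points are worth noticing. The manifest is authenticated before it is parsed, so no field in an unauthenticated manifest ever influences a decision; and every rejection is itself a logged cybersecurity event, which is what makes feature 6 useful to the customer’s monitoring rather than just a debugging aid for the manufacturer.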

Separate from the core features, the NIST Baseline also discusses two areas relevant to securing IoT devices. First, it discusses considerations for implementation of these features in the design and manufacturing process. Second, it discusses considerations in communicating these features and the cybersecurity risks of IoT devices to the manufacturer’s customers and users of the device (users who may not necessarily have been the ones to purchase or configure the device).

Issues for Comment

Unlike FCC or FTC notices seeking comment, the NIST Baseline does not provide specific questions or issues for comment. Instead, the Baseline simply seeks feedback from all stakeholders on the draft, in order to assist NIST in refining the document.

The NIST workshop that I attended offers some insight into the comment areas that NIST would find helpful. In the discussion group sessions, NIST first asked whether the six core features were sufficient, and whether any other considerations should be added to the list. My group spent a lot of time discussing the relationship between the Baseline and efforts to create industry-specific standards or best practices. NIST seemed very interested in determining whether the Baseline would serve as a useful starting point for those efforts.

Second, the discussion group was asked whether customer communication should be a core feature or a separate consideration (as in the draft now). This seemed to focus on the role that shared responsibility among manufacturers, users, control organizations (like a corporate IT group) and/or the government played in securing devices (or making them securable).

Finally, our discussion group was asked about two potential additions to the Baseline. First, we were asked whether considerations in protecting legacy devices in an IoT network should be added. This question raised the issue of the role a single IoT device plays in a larger network, such as a smart home configuration where multiple devices (potentially from multiple manufacturers) are controlled by a central hub device. Second, we were asked whether exterior threats to the devices, such as a DDoS attack or botnet attacks, should be part of the Baseline.

Any and all of the above should be fair game for comment to NIST on the Baseline. Comments on the NIST draft may be submitted through September 30. Kelley Drye is working with device manufacturers on potential comments to NIST. If you are interested in submitting comments, please feel free to contact us.

Securing IoT Devices: Lessons from a NIST Workshop
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/securing-iot-devices-lessons-from-a-nist-workshop
Tue, 20 Aug 2019 13:05:30 -0400

Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute of Standards and Technology (“NIST”), an agency of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.

NIST Cybersecurity Baseline for IoT Device Manufacturers

NIST has produced a draft document for comment, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. The comment period for the draft document runs through September 30, and I’ll have more detail on that document in a follow-up post. But, for today, I want to run through impressions from the day-long workshop held at NIST headquarters in Gaithersburg, Maryland.

First, some background. The NIST workshop was held Tuesday, August 13, 2019. The crowd in the room appeared to be between 125 and 150 people, with an unknown number viewing via a webcast. The audience included representatives from tech companies, defense contractors, mobile carriers, research institutions and more (and even at least one lawyer!). In introductory presentations, NIST officials explained that NIST does not have rulemaking authority over private industry. It has a role in setting cybersecurity standards that federal agencies must meet, but any influence NIST has on private industry is through voluntary adoption of its frameworks and standards. More broadly, NIST’s mission is to promote innovation and competitiveness through the use of common standards and measurements. The purpose of this workshop was to receive feedback from industry on the guidance document that has been produced.

Takeaways

By far the most informative (and, judging from conversations the rest of the day, surprising) learning of the day was a presentation on a study conducted by NIST’s Information Technology Laboratory. The presentation discussed consumer perceptions of IoT security. The study consisted of 40 semi-structured interviews with consumers using IoT devices. The participants were not novices: they had to be using at least three IoT devices in their homes in order to qualify, and their education levels skewed higher than the U.S. as a whole. The study should re-orient the way we think about the IoT:

  • To consumers, the “Internet of Things” is not a thing. Participants did not use the terminology of “IoT” or the Internet of Things. Instead, to the extent that they saw this as a category, participants referred to the devices as “smart home” or “connected devices.” To me, this makes a lot of sense. Consumers don’t want an “IoT doorbell” or likely even know what that might mean. They focus on functionality (it’s a video doorbell, for example) and don’t really care about the labels and buzzwords dominating the policy discussions.
  • Participants expressed general concerns about privacy – but used the devices anyway. The rationalizations presented were quite interesting. One participant is quoted as saying that he/she knew the device was collecting personal data but “I like having the convenience of having these things.”
  • The participants were confused about the difference between privacy and security and didn’t really seem to understand security. Some took mitigation measures that ranged from the silly (covering cameras with tape) to the minimally effective (not placing devices in certain rooms in the house). The takeaway I had from this is that manufacturers should not expect consumers to know or understand security practices; security will involve a lot of hand-holding to accomplish.
  • On a related note, participants were cognizant of a shared responsibility to protect security, but really didn’t take much responsibility themselves. 29 of the 40 participants pointed to the manufacturer as responsible for security. Participants cited manufacturers’ greater knowledge as one factor why they bore a greater proportion of the responsibility for security.
The second revelation for me was the way in which these documents have potential to become de facto standards, despite NIST’s protestations to the contrary. The NIST program manager outlined the core principles of the Baseline draft as including (a) recognition that there is no one-size-fits-all approach, (b) a focus on outcomes, not requirements to get there and (c) an acceptance of risk-based principles. And, again, one should keep in mind that NIST does not have regulatory authority over anyone other than federal agencies.

Nevertheless, representatives from regulatory agencies in attendance indicated that they are looking to the NIST baseline as at least a best practice, if not a standard. In my discussion session (one of four), several participants talked about these standards becoming part of government and private industry RFPs, either as requirements or “nice to have” differentiators among bidders. Moreover, several industry groups discussed their efforts to build upon guidance such as the NIST Baseline to develop industry-specific standards. Still others saw multiple standards efforts, and stated that the focus should be on the commonalities among the various standards that are published.

Regardless of how these developments take form, it is clear that the work NIST has done will have an impact, indirect or not, outside of NIST’s limited regulatory authority. Manufacturers should carefully heed the guidance NIST provides, and should consider providing comments on the draft before the September 30 deadline.

Third, the discussion group crystallized some of the interplay among considerations that go into IoT security. Immediately before the discussion groups, a NIST official gave an overview of the draft, emphasizing the difference between a “secure” device and a “secure-able” device. Nevertheless, some in my discussion group suggested that some devices were not worth securing, distinguishing between “securable” devices and those that are not, for cost, utility or other reasons, worthwhile to secure. Others noted that IoT devices most often will operate in a network, not independently, and therefore, security might be provided by other devices in the network (much like a firewall provides security in IT systems today). Moreover, there was general agreement in my discussion group that not every device in a network needed to have all of the security capabilities, and that instead, some devices may have more or different security in order to control (or protect) less secure (or secure-able) devices in the network.

These discussions suggested to me that security is more nuanced and that the concept of “securable” devices depends on multiple factors. While NIST’s document is a starting point, use of it as a standard has pitfalls. Particularly as we are starting to see a wave of IoT security legislation (notably, SB-327 in California and several bills in the U.S. Congress), the inter-dependency of securability and IoT networks is a layer of complexity that policymakers and regulators may not fully appreciate in their oversight activities. Manufacturers and others in the IoT economy have their work cut out for them in explaining how real-world security might work.

Up next: a summary of the NIST Cybersecurity Baseline for IoT devices. Manufacturers and participants in the IoT economy should carefully review this draft and consider filing comments with NIST to inform the final document.

Communications Service Providers Asked to Adopt the FCC CSRIC Guidance on Signaling System 7 Vulnerability Reduction
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/communications-service-providers-asked-to-adopt-the-fcc-csric-guidance-on-signaling-system-7-vulnerability-reduction
Sun, 27 Aug 2017 19:02:53 -0400

Last week, the FCC’s Public Safety and Homeland Security Bureau released a Public Notice (“Notice”) urging communications service providers to review and assess how they can incorporate the recommendations of the March 2017 report of the Communications Security, Reliability, and Interoperability Council (“CSRIC”) V, Working Group 10, on reducing Signaling System 7 (“SS7”) protocol security vulnerabilities (the “SS7 Report”). SS7 is the signaling protocol used within telephone networks for call setup, routing, billing and other functions between fixed and mobile service providers. It was designed for a closed network of a small number of trusted operators and does not authenticate the sender of a message, so any party with interconnect access can send signaling that the receiving network will act on; that design assumption is the root of the vulnerabilities the Report addresses.

In the Notice, the FCC notes that there have been several recent reports and research findings that “call attention to security vulnerabilities present within SS7 networks.” One such report, in April 2016, that brought significant attention to the issue involved security researchers demonstrating, with his consent, that SS7 weaknesses could be used to listen in on the phone calls of Rep. Ted Lieu (CA). Following that report, some members of Congress called for the FCC to examine the issue and report to Congress. Shortly thereafter, the FCC directed CSRIC, an FCC advisory committee, to review the matter and provide recommendations.

In March, Rep. Lieu and Sen. Ron Wyden (OR) sent a letter to current FCC Chairman Ajit Pai expressing concern about the state of telecommunications cybersecurity in America. They noted that the SS7 Report was an important first step, but asked that the FCC implement the Report’s recommendations and renew the CSRIC for another charter to investigate additional security matters. The Notice appears to be an effort to respond to such concerns, highlighting the Report’s findings and encouraging communications service providers to implement them.

The SS7 Report recommends that industry take the following steps to reduce vulnerability risks:

  • Monitor network interconnections used to pass traffic to and from peer networks;
  • Use signaling aggregators’ role as a point of originating network traffic to monitor and filter suspicious traffic;
  • Conduct periodic security assessments of SS7 infrastructure;
  • Continue threat information sharing efforts with public and private partners and incorporate SS7 risk scenarios into the Department of Homeland Security’s (“DHS’s”) automated information sharing pilot program;
  • Follow the SS7 best practices from the GSM Association, including guidelines on securing signaling and information sharing;
  • Participate in industry and standards forums to address emerging security risks;
  • Explore further work as it relates to the possible benefits of Circles-of-Trust, a concept involving protecting and growing trust between service providers so they can safely pass traffic; and
  • Promote the use of encryption technologies for voice and data communications, particularly for highly sensitive applications or very important persons.
In the Notice, the FCC mentions that issues involving Diameter, the newer signaling protocol that replaces SS7 in LTE networks, and 5G networks are being considered by the current CSRIC, which began its new charter in June of this year.
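The first two recommendations, monitoring interconnections and filtering suspicious traffic where it enters the network, come down to screening logic that a signaling firewall or STP applies to each decoded MAP message. The following Python example is added here to make that concrete; it is not from the SS7 Report, the Notice or the GSMA. The log format, the global title (GT) and IMSI prefixes, the partner list, the opcode groups and the velocity threshold are assumptions constructed for the example. An operator derives the real values from its roaming agreements and from the GSMA interconnect security guidelines the Report points to, which define finer-grained message categories than the two groups used here.

```python
"""
Added example of the screening logic behind the SS7 Report's "monitor and
filter" recommendations. It is not from the report or the Notice. The log
format, global-title (GT) and IMSI prefixes, partner list and opcode groups are
assumptions constructed for the example; an operator derives them from its
roaming agreements and the GSMA interconnect guidelines the report cites.
"""
import re

OUR_GT_PREFIXES = ("1310",)               # assumed GT prefix of our own core nodes
OUR_IMSI_PREFIXES = ("310150",)           # assumed MCC+MNC of our subscribers
PEER_GT_COUNTRY = {"49170": "DE", "33600": "FR"}  # assumed roaming partners

# MAP operations only a home-network node should originate. Received over an
# interconnect they are the textbook location-tracking / IMSI-disclosure probes.
HOME_ONLY_OPS = {"anyTimeInterrogation", "anyTimeModification", "sendIMSI"}
# MAP operations a visited network legitimately sends for our outbound roamers;
# both carry the IMSI, which lets the screen check whose subscriber is named.
ROAMING_OPS = {"updateLocation", "sendAuthenticationInfo"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value ...' interconnect log line."""
    return dict(KV_RE.findall(line))


def peer_country(gt: str):
    """Map an originating GT to a partner country, or None if no agreement exists."""
    for prefix, country in PEER_GT_COUNTRY.items():
        if gt.startswith(prefix):
            return country
    return None


def screen(rec: dict, last_seen: dict, max_hop_seconds: int = 3600) -> tuple:
    """Return (verdict, reason) for one record.

    last_seen maps IMSI -> (timestamp, country) of the last accepted roaming
    operation and drives a simple velocity check: a subscriber cannot register
    in two countries within max_hop_seconds.
    """
    gt, op, imsi = rec["cgpa_gt"], rec["opcode"], rec.get("imsi", "")
    if gt.startswith(OUR_GT_PREFIXES):
        return "allow", "internal origin"
    country = peer_country(gt)
    if country is None:
        return "block", "origin GT is not covered by a roaming agreement"
    if op in HOME_ONLY_OPS:
        return "block", f"{op} must never arrive over an interconnect"
    if op in ROAMING_OPS:
        if not imsi.startswith(OUR_IMSI_PREFIXES):
            return "block", f"{op} names a subscriber who is not ours"
        ts = int(rec["ts"])
        prev = last_seen.get(imsi)
        if prev and prev[1] != country and ts - prev[0] < max_hop_seconds:
            return "alert", f"velocity: {prev[1]} -> {country} in {ts - prev[0]}s"
        last_seen[imsi] = (ts, country)
        return "allow", f"{op} from partner {country}"
    return "alert", f"unexpected {op} from partner {country}"


# Constructed log lines: one legitimate registration, then the cases the screen must catch.
SAMPLE_LOG = """\
ts=1000 opcode=updateLocation cgpa_gt=491700000011 imsi=310150000000001
ts=1500 opcode=anyTimeInterrogation cgpa_gt=491700000099 imsi=310150000000001
ts=2000 opcode=updateLocation cgpa_gt=336000000042 imsi=310150000000001
ts=2100 opcode=sendAuthenticationInfo cgpa_gt=491700000011 imsi=262020000000007
ts=2200 opcode=updateLocation cgpa_gt=880000000001 imsi=310150000000002
ts=2300 opcode=updateLocation cgpa_gt=131000000005 imsi=310150000000003
"""


def screen_log(text: str) -> list:
    """Screen every line of a log in order, sharing one velocity state."""
    last_seen = {}
    return [screen(parse_line(line), last_seen) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for verdict, reason in screen_log(SAMPLE_LOG):
        print(f"{verdict:5}  {reason}")
```

The verdicts split into “block” for messages that have no legitimate reason to cross an interconnect and “alert” for messages that might be legitimate but deserve analyst review, which is the distinction between the Report’s filtering and monitoring recommendations. The velocity check is deliberately conservative: real travel, clock skew between partners and misconfigured peers all produce false positives, so it feeds the monitoring pipeline rather than dropping traffic outright.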

Connect with Kelley Drye at next Presidio Forum on IoT Security in San Francisco on June 20
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/connect-with-kelley-drye-at-next-presidio-forum-on-iot-security-in-san-francisco-on-june-20
Tue, 13 Jun 2017 10:00:54 -0400

Kelley Drye is excited to support the next Presidio Forum on “Securing (and Regulating) the Internet of Things: Policy, Innovation & Investment,” in San Francisco on June 20, 2017. The forum will present a candid discussion exploring today’s expanding IoT threat landscape, the continued rise of regulatory interest and the increasing venture capital investment in IoT security entrepreneurship. John Heitmann, chair of the Communications Group, and associate Jameson Dempsey will both be speaking. Other speakers include Marc Rogers, Head of Information Security & IT for Cloudflare, Dmitry Dain, Co-Founder of Virgil Security, and Nils Puhlmann, Co-Founder of Cloud Security Alliance. The event is free to attend. Please contact John or Jameson if you have any questions about the event.

State of the Union Preview: White House Communications Priorities for 2015
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/state-of-the-union-preview-white-house-communications-priorities-for-2015
Mon, 19 Jan 2015 22:27:39 -0500

In the days leading up to Tuesday's State of the Union address, President Obama has been previewing his Administration’s communications and technology priorities for 2015, including calling for an end to state laws that restrict municipal broadband deployments and new steps to promote cybersecurity.

Broadband Proposals

With a visit to Cedar Falls, Iowa and a letter submitted to the Federal Communications Commission (FCC), the President announced several steps to help more Americans get access to fast and affordable broadband, highlighting the experiences of Cedar Falls, Iowa; Chattanooga, Tennessee; Kansas City, Missouri; and Lafayette, Louisiana, each of which has access to Internet speeds 100 times faster than the national average.

The most controversial proposal urges the FCC to “utilize its authority to address barriers inhibiting local communities from responding to the broadband needs of their citizens,” and references laws in 19 states that the Administration argues have “held back” broadband access. The proposal comes at a time when the Commission is set to consider at its February meeting petitions from Chattanooga's Electric Power Board and the City of Wilson, North Carolina that seek FCC pre-emption of state municipal broadband laws.

In response, FCC Chairman Wheeler and Democratic Commissioners Rosenworcel and Clyburn expressed support for President Obama’s proposal, while Republican Commissioners Pai and O'Rielly criticized it. Opinions on the President’s proposal also split along party lines in Congress, where Democrats touted the benefits of competition and broadband expansion while Republicans highlighted the benefits of private investment and states’ rights to limit municipal broadband.

The President’s broadband expansion plans also include:

  • Calling for the Federal Government to remove all unnecessary regulatory and policy barriers to broadband build-out and competition and establishing a new Broadband Opportunity Council of over a dozen government agencies to solicit public comment on regulatory barriers to the expansion of broadband access and to promote greater coordination with the aim of addressing barriers within its scope of permitted action.
  • Hosting a Community Broadband Summit of mayors and county commissioners from around the country at the White House to discuss broadband solutions and economic revitalization. The efforts are intended to build upon the US Ignite partnership.
  • Launching a new Commerce Department initiative—Broadband USA—to promote broadband deployment and adoption by offering online and in-person technical assistance to communities, hosting a series of regional workshops around the country, and publishing guides and tools to help communities address broadband infrastructure financing, construction, and operations.
  • Opening applications for the Department of Agriculture's Community Connect broadband grant program, and reopening a revamped broadband loan program, which finances eligible carriers that invest in rural broadband networks.
Cybersecurity Proposals

In the wake of the recent high-profile attack on Sony Pictures and government social media sites, the White House has also announced a series of proposals to update and revise our nation’s cybersecurity laws. The President’s cybersecurity legislative package contains three primary components: (1) resurrected cybersecurity information-sharing legislation; (2) updated cybercrime legislation; and (3) a national data breach reporting law.

The first proposal encourages cyber-threat information sharing between government agencies and private sector-developed and operated Information Sharing and Analysis Organizations (ISAOs)—which will enjoy liability protections. The National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security (DHS) will serve as the nexus for this information-sharing effort. The proposal requires ISAOs to meet certain privacy and data security standards in order to qualify for information sharing privileges with NCCIC, including removing unnecessary personal information before sharing threat information and safeguarding information that is retained. The plan requires DHS and the Attorney General to develop government guidelines for the retention and use of information.

The second proposal updates law enforcement’s tools for prosecuting cybercriminals. The proposal would allow prosecution for the sale of botnets; criminalize overseas sales of stolen US financial information; expand law enforcement’s authority to deter the sale of spyware; permit courts to shut down botnets engaged in criminal activity; expand the Computer Fraud and Abuse Act (CFAA) to clarify that it can be used against organization insiders; and expand the Racketeer Influenced and Corrupt Organizations Act (RICO) to apply to cybercrimes.

The third proposal would enact a national data breach reporting requirement to simplify and standardize the existing patchwork of 46 state/territorial data breach laws.

While legislators on both sides of the aisle are generally supportive of the President’s proposals, public interest groups have criticized the proposals for not going far enough to protect citizens’ privacy. Ultimately, these bills have a greater chance of passage than past, unsuccessful efforts to enact robust cybersecurity and data security legislation, but it’s unclear at this time what any final legislation will look like. The attorneys at Kelley Drye are tracking developments in this area and will update this blog with any major announcements.

* * *

President Obama’s recent announcements on broadband and cybersecurity, when coupled with his call for Title II reclassification of broadband Internet access services last November, demonstrate a strong 2015 focus on technology and communications issues. Companies and individuals affected by these laws should continue to watch for developments, as we expect this to be an active year for technology policy in Washington.

Federal Communications Commission Announces Membership in Global Privacy Enforcement Network
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/federal-communications-commission-announces-membership-in-global-privacy-enforcement-network
Mon, 03 Nov 2014 19:32:31 -0500

On October 28, 2014, the Federal Communications Commission (“FCC” or the “Commission”) announced that it had joined the Global Privacy Enforcement Network (“GPEN”), a network of privacy enforcement and regulatory bodies from around the world that engages in collaboration and coordination on cross-border privacy enforcement actions.

The FCC’s announcement represents the latest step in its headlong march into privacy and data security matters. This past June, the FCC launched a brand new cybersecurity initiative, “The New Paradigm,” which will include a private-sector-driven effort to improve cyber-readiness in the communications industry. In September, the FCC reached a $7.4 million settlement with Verizon over alleged violations of the Customer Proprietary Network Information (“CPNI”) rules. And just two weeks ago, the FCC released a Notice of Apparent Liability (“NAL”) proposing multi-million dollar fines against two wireless providers, YourTel and TerraCom, based on a novel and expansive reading of Sections 222(a) and 201(b) of the Communications Act of 1934, as amended.

These recent actions demonstrate that Chairman Tom Wheeler and Enforcement Bureau Chief Travis LeBlanc are serious about expanding the FCC’s role as a privacy and security cop. As a result, communications companies – particularly those that fall within the Federal Trade Commission’s “common carrier exemption” – should take this opportunity to review all of their privacy and data security practices to ensure compliance with an evolving set of FCC privacy and security requirements.

FCC Proposes $10 Million in Fines for Privacy and Data Security Violations
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-proposes-10-million-in-fines-for-terracom-and-yourtel-privacy-and-data-security-violations
Tue, 28 Oct 2014 16:19:13 -0400

On October 24, the FCC, over the dissent of its two Republican commissioners, issued a Notice of Apparent Liability (NAL) proposing a fine of $10 million against Lifeline eligible telecommunications carriers (“ETCs”) TerraCom, Inc. and YourTel America, Inc. for violations of laws protecting “phone customers’ personal information.”

This is the agency’s first data security case and the largest privacy action in the Commission’s history. See News Release. Friday’s decision follows through on numerous public statements made by FCC Enforcement Bureau Chief Travis LeBlanc indicating that privacy and security is a high enforcement priority for the Commission and that the agency would begin to use a Communications Act provision barring unjust and unreasonable practices as a privacy and security enforcement tool.

According to the NAL, the Enforcement Bureau investigation found that both TerraCom and YourTel “collected names, addresses, Social Security numbers, driver’s licenses and other proprietary information” gathered through the Lifeline eligibility approval process “and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.” The NAL states that the TerraCom and YourTel violations exposed more than 300,000 customers’ personal information to unauthorized access as well as heightened risk of fraud and identity theft.

CPNI Violation. The NAL first alleges that the companies failed to properly protect the confidentiality of consumers’ proprietary information collected from applicants for wireless and wired Lifeline services in violation of Section 222(a) of the Communications Act, which requires that carriers protect the confidentiality of the “proprietary information” of their customers. The FCC proposes a forfeiture of $8.5 million for this violation based on precedent for base forfeitures of $29,000 for previous CPNI violations. Applying the base forfeitures to the alleged over 300,000 violations would have resulted in a proposed penalty of close to $9 billion, but the FCC settled on $8.5 million as “sufficient.”

Unjust and Unreasonable Practices. The NAL next alleges several violations of Section 201(b) of the Communications Act, which prohibits unjust and unreasonable practices, but only proposes a penalty for one such violation. The NAL proposes a $1.5 million penalty against the companies for making false representations in their website privacy policies regarding protecting customers’ sensitive personal information. The FCC alleges that the companies’ failure to follow their own privacy policies was an unjust and unreasonable practice. This forfeiture is based on precedent for a $40,000 base forfeiture for Section 201(b) violations related to deceptive marketing to consumers.

Further, the NAL alleges that by failing to employ reasonable data security practices (such as password protection or encryption) and failing to notify all potentially affected customers of the security breach, the companies apparently violated Section 201(b). However, the agency declined to propose a forfeiture for those two alleged violations because this is the first case in which it makes such findings. The NAL states that carriers are now on notice regarding these potential violations.

The Commission’s use of its authority to police “unjust and unreasonable” practices by telecommunications providers appears to represent a significant expansion of the Commission’s enforcement authority over privacy-related matters and appears to mirror the Federal Trade Commission’s privacy and data security actions under a similar statutory provision, Section 5 of the Federal Trade Commission Act, barring unfair and deceptive trade practices. The expansion of authority is the reason that Commissioners Pai (R) and O’Rielly (R) dissented. Both Commissioners contended that the FCC had not given fair notice of what data security practices are required. Commissioner O’Rielly also questioned the majority’s interpretation of the CPNI provisions of Section 222. While the $10 million proposed penalty is the largest privacy action in the Commission’s history and its first foray into data security enforcement, it is not likely to be its last. We expect that the FCC will continue to investigate and take enforcement action against lax data security and other practices that compromise the privacy of consumers’ personal information.

In light of the FCC’s action, all carriers, including especially Lifeline providers, should review their security and privacy practices related to customer eligibility documentation and other personal information, as well as their privacy statements and CPNI policies to ensure that consumer data is adequately safeguarded in a manner that comports not only with the FCC’s CPNI rules but also with federal and state privacy frameworks that will inform the Commission’s determination of what is “unjust and unreasonable” in this area.

NIST Requests Industry Feedback on Cyber Framework 1.0
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/nist-requests-industry-feedback-on-cyber-framework-1-0
Wed, 03 Sep 2014 12:55:30 -0400

The National Institute of Standards and Technology (NIST) released a Request for Information (RFI), “Experience with the Framework For Improving Critical Infrastructure Cybersecurity”, this week requesting industry feedback on the Cybersecurity Framework published in February 2014. Framework 1.0 was developed by NIST in response to the Obama Administration’s February 2013 Cybersecurity Executive Order aimed at improving cyber defenses for critical industries impacting U.S. national security. The Framework is a series of standards, methodologies, procedures, and processes developed to help organizations address cyber risks.

Since releasing the Framework, NIST has focused its efforts on raising awareness and educating public and private organizations on the importance of managing cyber risks. Now that the Framework has been publicly available for over 6 months, NIST is reaching out to the critical infrastructure community to find out whether organizations are choosing to voluntarily implement the Framework and track progress across the various industries.

Critical infrastructure industries, including communications, transportation, energy, and healthcare companies, are encouraged to weigh in on initial experiences in implementing the Framework, how it is being used, and the successes and challenges of using the Framework to develop cyber programs. While the RFI focuses heavily on responses from critical infrastructure owners and operators, Federal agencies, state, local and tribal governments, and other industry and consumer stakeholders are also invited to comment on any topic that may impact the awareness or voluntary use of the Framework.

The RFI asks the industry to report on a series of questions. Some of the interesting questions include:

  • How have organizations learned about the Framework?
  • If your sector is regulated, do you think your regulator is aware of the Framework, and do you think it has taken any visible actions reflecting such awareness?
  • What benefits have been realized by early experiences with the Framework?
  • Have organizations that are using the Framework integrated it with their broader enterprise risk management program?
  • Are organizations changing their cybersecurity governance as a result of the Framework?
  • What about the Framework is most helpful and why? What is least helpful and why?

From the initial discussions in developing Framework 1.0, NIST has stressed that it is in fact a “process” and that the Framework is expected to be a “living document” that will continue to change and develop as it is used and the cyber landscape changes. The comments will be used as a baseline for discussions at an upcoming workshop, scheduled for Oct. 29-30 at the University of South Florida in Tampa. To that end, the RFI comments highlighting challenges or issues could very well spark discussions for a Framework 2.0.

NIST also stated the responses will impact the Critical Infrastructure Cyber Community C3 Voluntary Program - the DHS incentives program focused on encouraging voluntary adoption of the Framework across industry sectors. Additionally, the RFI may influence the FCC’s cybersecurity policies and CSRIC’s approach to developing cybersecurity best practices for the communications industry (see our earlier blog post for background on the FCC’s cybersecurity policies).

Comments are due October 10, 2014, and companies are encouraged to participate. All responses will be posted and publicly available on NIST’s website.

FCC Seeks Comment on Cybersecurity Best Practices for ISPs
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/fcc-seeks-comment-on-cybersecurity-best-practices-for-isps
Mon, 28 Jul 2014 19:16:48 -0400

Late last week, the FCC released a Public Notice requesting comment on existing best practices for Internet Service Providers (ISPs) to combat cybersecurity threats. The inquiry is a follow-up to the FCC’s New Cybersecurity Initiative focused on developing a voluntary, private-sector driven approach to cyber risk management. Comments from this inquiry will support and inform the work of Communications, Security, Reliability and Interoperability Council IV (CSRIC IV) to create cybersecurity best practices that align with the National Institute of Standards and Technology (NIST) framework across the broader communications sector.

The inquiry is focused on what steps the industry has taken voluntarily to combat certain cyber threats. However, the FCC acknowledged that the vulnerabilities addressed by these recommendations remain active threats and sought comment on how to address these concerns and create cyber assurances across the industry. As Chairman Wheeler noted in his June 12 speech, the FCC is open to considering other options if a voluntary, market-driven approach fails to yield measurable, accountable results. The existing best practices were adopted March 2012 by the FCC’s CSRIC III, predecessor of CSRIC IV, to address critical cybersecurity threats, specifically botnets, attacks on the Domain Name Systems (DNS) and Internet route hijacking. CSRIC III also recommended that ISPs implement source-address filtering to prevent attackers from spoofing IP addresses to launch distributed denial of service (DDoS) attacks. In connection with the adoption of the best practices in 2012, several of the largest ISPs participating in CSRIC III committed to voluntarily implementing the recommendations.

Two and a half years later, the FCC’s Public Safety and Homeland Security Bureau is looking to the Internet community, ISPs, consumer organizations and the broader public community for feedback on implementation of the best practices and their overall effectiveness. Stakeholders are encouraged to weigh in on the progress of and any barriers to implementation, discuss any success stories or breakthroughs, evaluate how effective the current recommendations are at mitigating cyber risk, and identify any new alternatives or technologies that could be more effective going forward.

Comments must be submitted to the FCC’s Public Safety and Homeland Security Bureau by September 26, 2014.

Could 2014 be the year for Cybersecurity Information Sharing Legislation?
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/could-2014-be-the-year-for-cybersecurity-information-sharing-legislation
Thu, 10 Jul 2014 11:31:45 -0400

The Senate is one step closer to a floor vote on cybersecurity legislation that would address information sharing between the private sector and the government. On July 8, the Senate Select Committee on Intelligence approved a contentious cybersecurity bill known as the Cyber Information Sharing Act (CISA).

The proposed legislation would remove legal barriers to allow private companies to share information regarding cyber-attacks “in real time” with other private companies and the government. Companies sharing information for cybersecurity purposes would be shielded from lawsuits by individuals against the company for sharing that data, regardless of terms of service contracts that may prevent such actions without a customer’s consent. In order to receive the liability protection, private entities would be required to submit information directly to the Department of Homeland Security, which could then share the information with other federal agencies as necessary to address the threat. Additionally, CISA would direct the federal government to share classified and unclassified information with the private sector.

CISA also includes several provisions to protect privacy, such as requiring that companies sharing information remove all personally identifiable data (e.g. names, addresses, and Social Security numbers). The Attorney General would be directed to write procedures to limit government use of cyber information received to "appropriate cyber purposes" and ensure that privacy protections are in place. A full synopsis from the Senate Committee Chair and co-sponsor of CISA, Dianne Feinstein (D-CA), is available here. Adequate privacy protections have been a continuing sticking point for successful cybersecurity information sharing legislation. The Cyber Intelligence Sharing and Protection Act (CISPA) – the information sharing bill counterpart in the House of Representatives – faced strong privacy objections from civil liberties and public interest groups. When CISPA passed the House in 2013, the White House threatened to veto the bill unless it included additional privacy protections.

Even with CISA’s added protections, many privacy groups oppose the bill. Similar to CISPA, these groups remain anxious that the legislation could encourage a company, such as Google, to turn over huge amounts of emails or other private data to the government in the name of cybersecurity. The groups fear that the National Security Agency and other government agencies could gain access to even more personal information through this legislation. Moreover, because CISA provides liability protections to companies sharing information, individuals would have little recourse in the event of abuse.

Whether CISA becomes law in 2014 will depend not only on how quickly it can pass a floor vote but also on how easily the Senate bill can be reconciled with CISPA, the House counterpart passed last year. Though CISA passed the Senate committee with bi-partisan support, Senate Democrats are already wavering on support due to concerns of insufficient privacy protections. If CISA manages to pass the Senate, there is a chance the House and Senate can agree to a reconciled bill. Representative Mike Rogers (R., Mich.), chairman of the House Intelligence Committee and co-sponsor of CISPA, stated publicly that the committees were close to agreement on harmonizing their respective cyber threat information-sharing bills, and had narrowed down their differences to a few, discrete issues. However, with less than 15 legislative days before the August recess and all eyes focused on the upcoming mid-term elections in November, if this cybersecurity legislation has any hope of moving forward Congress will need to do something it rarely does: act quickly.

What to Watch For With The FCC's New Cybersecurity Initiative
https://www.kelleydrye.com/viewpoints/blogs/commlaw-monitor/what-to-watch-for-with-the-fccs-new-cybersecurity-initiative
Fri, 27 Jun 2014 12:34:58 -0400

In the wake of a number of high-profile cybersecurity events -- from the Heartbleed bug to the Target breach -- cybersecurity has become a red-hot issue in Washington, D.C. Earlier this month, in a major address delivered at the American Enterprise Institute, Federal Communications Commission Chairman Tom Wheeler announced a new cybersecurity initiative to create a “new paradigm for cyber readiness” in the communications sector.

As described by Wheeler, the FCC’s cybersecurity initiative will be led by the private sector, with the Commission serving as a monitor and backstop in the event that the market-led approach fails. In particular, the FCC will “identify public goals, work with the affected stakeholders in the communications industry to achieve those goals, and let that experience inform whether there is any need for next steps.” Chairman Wheeler stressed that the new paradigm must be dynamic, more than simply new rules, and the Commission will rely on innovation by the private sector.

The Commission's efforts will be guided by four principles, including commitments to:

  1. preserving the qualities that have made the Internet an unprecedented platform for innovation and free expression, so that Internet freedom and openness is not sacrificed in the name of enhanced security;
  2. privacy, i.e., enabling personal control of one’s own data and networks;
  3. cross-sector coordination, e.g., among regulatory agencies; and
  4. the multi-stakeholder approach to global Internet governance and an opposition to any efforts by international groups to impose Internet regulations that could restrict the free flow of information in the name of security.

Expect FCC staff actions to be organized around the following elements:

(1) Information Sharing and Situational Awareness. The Commission is looking into legal and practical barriers to effective sharing of information about cyber threats and vulnerabilities in the communications space. Specifically, the Chairman noted that “companies large and small within the communications sector must implement privacy-protective mechanisms to report cyber threats to each other, and, where necessary, to government authorities.” Moreover, where a cyberattack causes degradations of service or outages, the Chairman stated that “the FCC and communications providers must develop efficient methods to communicate and address th[e] risks.” To that end, the Chairman noted that the FCC is actively engaged with private sector Information Sharing and Analysis Organizations, and with other federal agencies, to improve threat information sharing and situational awareness.

(2) Cybersecurity Risk Management and Best Practices. Noting the work of the Communications Security, Reliability and Interoperability Council (CSRIC) in developing voluntary cybersecurity standards, Chairman Wheeler called upon communications providers to work with the Commission to set the course for years to come regarding how companies in that sector communicate and manage risk internally, with their customers and business partners, and with the government. In addition, the Commission will be seeking information to measure the implementation and impact of the CSRIC standards.

(3) Investment in Innovation and Professional Development. Chairman Wheeler has asked the FCC Technological Advisory Council (“TAC”) to explore specific opportunities where “R&D activity beyond a single company might result in positive cybersecurity benefit for the entire industry.” Specifically, the FCC will “identify incentives, impediments, and opportunities for security innovations in the market for communications hardware, firmware and software.” Further, the FCC will work with NIST and academia to “understand the current state of professional standard and accountability,” as well as “where the FCC might positively contribute toward further professionalization of the workforce.”

This initiative could have significant impact on telecommunications and technology companies. Cybersecurity already is a top priority for CSRIC. A new working group was established within CSRIC and work is underway to update the industry's cybersecurity best practices. The primary goal is to align the industry's cybersecurity activities with the National Institute of Standards and Technology's (NIST) Cybersecurity Framework Version 1.0 released in February 2014. Industry members are encouraged to participate in the process. Based on the current timeline, CSRIC will vote to approve the new best practices in March 2015.

Kelley Drye & Warren's attorneys recently presented a webinar discussing cybersecurity updates and considerations for the telecommunications and technology industries. To listen to a recording of The Cybersecurity Review webinar, please click here.
