FCC’s Simpson References 911 Reliability Order in Warning for Voluntary Industry Work on Cybersecurity
The FCC is confident the communications industry will voluntarily lead commission-facilitated efforts to improve the industry’s cybersecurity risk management practices, but could look to its recent 911 annual reliability audit order as a model for regulatory action if the industry doesn’t “pull it together,” said Public Safety Bureau Chief David Simpson Wednesday. Simpson’s remarks at a Center for Strategic and International Studies event echoed the FCC’s message all year on the need for a voluntary industry-led effort on cybersecurity risk management. FCC Chairman Tom Wheeler said in June that the FCC’s vision of a “new paradigm” on cybersecurity would include readiness to act if voluntary efforts failed (CD June 13 p1).
Representatives from other federal agencies at the CSIS event said their agencies are also seeking voluntary efforts in connection with President Barack Obama’s 2013 cybersecurity executive order, which emphasized voluntary private sector improvements in cybersecurity risk management with regulation as a backup. The FTC is continuing to press Congress for additional authority to take enforcement action on consumer data security issues in light of recent data breaches, but is confident it can also increase enforcement under its existing authority under Section 5 of the FTC Act, said Commissioner Julie Brill.
The private sector voluntarily works with the FCC 95 percent of the time to avoid regulation, and is best suited to lead on cybersecurity because it is better able to keep pace with rapid changes in technology, Simpson said. The “five percent of the time when that fails” has included carriers’ failure to follow voluntary best practices on 911 reliability, leading to widespread 911 connectivity issues for multiple days after the June 2012 derecho windstorm, he said. That led the FCC to adopt the 911 reliability order, requiring carriers to adopt industry best practices for auditing circuit diversity, to install backup power at central offices that serve 911 call centers and to provide diverse network monitoring. The order also requires carriers to notify 911 call centers within 30 minutes when outages occur (CD Dec 13 p7).
The FCC may have to consider similar accountability standards if industry fails to voluntarily organize around FCC-facilitated cybersecurity efforts through the Communications Security, Reliability & Interoperability Council’s (CSRIC) Working Group 4 and the Technological Advisory Committee (TAC), Simpson said. “CSRIC Working Group 4’s work is now shifting from identifying guidance on how the industry can incorporate the National Institute of Standards and Technology’s Cybersecurity Framework into its risk management processes toward developing metrics for measuring the effectiveness of risk management,” Simpson said. CSRIC’s Sept. 24 meeting is set to include a report on Working Group 4’s cybersecurity best practices work (CD Sept 15 p13).