FCC Buckles on Cybersecurity
Mar 20, 2013 6:00 AM PT
Internet service providers are resisting the Federal Communications Commission's recommendations for implementing security best practices, the agency has reported.
The ISP members of the Communications, Security, Reliability and Interoperability Council (CSRIC) say they believe additional evaluation is required to determine whether those best practices should apply to their industry.
"The security controls that were examined in the report are appropriate for enterprise systems," Ann Veigle, spokesperson for USTelecom, the domestic telecommunications industry trade group, told TechNewsWorld. "But they do not work well for networks and that's essentially where the conflict came in. Applying those to the networks just wasn't a good fit."
The ISPs "don't want the government dictating what they do," said Rob Enderle, principal analyst at the Enderle Group. "With the best of intentions, governments often require methods that are both expensive and relatively ineffective, and network managers, who are already overworked and under-resourced, expect that the government will simply make things worse."
The FCC did not respond to our request to comment for this story.
Verizon spokesperson Edward S. McFadden referred TechNewsWorld to USTelecom.
What the Fuss is About
The disagreement harks back to the cybersecurity recommendations known as the "20 Controls," which were drawn up by a consortium including the National Security Agency, the U.S. Department of Defense, the U.S. Community Emergency Response Team and the State Department, along with commercial forensic and cybersecurity experts.
The 20 Controls include recommendations on issues such as controlling administrative privileges on networks and computers; maintaining and monitoring audit logs; continuous vulnerability assessments; and securing mobile devices.
The FCC convened Working Group 11, as the advisory panel is called, in August to determine the applicability of the 20 Controls to the communications sector. The idea was to have the group compare the Controls with existing best practices, and determine which of those might need to be attached to the 20 Controls.
The group developed a set of critical controls similar to the 20 Controls that are relevant to the communications industry.
What Working Group 11 Now Recommends
In light of the objections from the communications sector, Working Group 11 recommended that the FCC encourage continued review and improvement of cybersecurity practices for the industry. It also wants vetting of the group's recommendations by a broader cross-section of communications companies.
Other recommendations include updating, reorganizing and prioritizing the cybersecurity best practices; determining the extent to which the 20 Controls protect network infrastructure directly; and determining the application of those controls to the communications sector.
Hacking, Cybersecurity and Your Neighborhood ISP
This disagreement over cybersecurity practices is the latest in a series of confrontations between the FCC and the communications industry. Past disputes have involved how ISPs advertise download speeds, their security practices and their networks.
The telecom companies have made suggestions to the FCC over the years, often after some sparring and lobbying. When it comes to security, the ISPs agreed last year to stick to FCC guidelines on an anti-botnet code of conduct, adhere to Domain Name System (DNS) best practices, and work on the creation of an industry framework to prevent Internet route hijacking.
The communications industry's resistance to the recommendations of Working Group 11 "illustrates the debate between 'Is prescriptive regulation the way to go?' or is it more a public-private relationship? Is that the better way to go?" Jon Banks, senior vice president of USTelecom, said in a prepared statement given to TechNewsWorld.
"Even with these 20 Controls in place, the industry likely still needs a more certain way to authenticate users and stronger methods to deal proactively with criminal activities," Enderle told TechNewsWorld. "I expect it will take a cyber-9/11 to make a major change, (and that) will be much more painful and expensive."